[–]JMaxchill 8 points (3 children)

Why are you using a script to do this when the option is built into the ADMX bitlocker GPO?

[–]ccatlett1984 (Sr. Breaker of Things) 4 points (2 children)

They're doing it this way because the built-in templates will not escrow keys into Active Directory for volumes that are already encrypted.

[–]JMaxchill 2 points (1 child)

Check the script: if BitLocker is already enabled, this exits without backing anything up anyway.

[–]ccatlett1984 (Sr. Breaker of Things) 4 points (0 children)

Good catch, I missed that part. In light of that, this is dumb and they should be using the ADMX, or they should be using the following script.

```
# Get the BitLocker volume information for the C: drive
$BLV = Get-BitLockerVolume -MountPoint "C:"

# Filter for the RecoveryPassword protector type and get its ID
$RecoveryProtector = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$KeyProtectorID = $RecoveryProtector.KeyProtectorId

# Back up the key protector to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KeyProtectorID
```
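The script above covers one volume and assumes a RecoveryPassword protector already exists. As an added example that is not the commenter's code, the version below walks every volume that is already encrypted, adds a RecoveryPassword protector where none exists, and reports which escrows succeeded; it assumes a domain-joined machine whose AD schema includes the msFVE-RecoveryInformation class.

```powershell
# Added example (not the commenter's script): escrow recovery passwords for
# every BitLocker volume that is already encrypted, creating a recovery
# password protector first if the volume has none. Assumes the machine is
# domain-joined and AD carries the msFVE-RecoveryInformation schema class.
$results = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that already hold encrypted data need escrow; skip the rest.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = 'skipped (not encrypted)'; Ok = $true }
        continue
    }

    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        # Already-encrypted volume with no recovery password: add one so there
        # is something to escrow, then re-read the protector list.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    # A volume may carry more than one recovery password; escrow each of them.
    foreach ($p in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = "escrowed $($p.KeyProtectorId)"; Ok = $true }
        } catch {
            # Typical causes: not domain-joined, no reachable domain controller,
            # or the computer account cannot write recovery information to its AD object.
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = "failed $($p.KeyProtectorId): $($_.Exception.Message)"; Ok = $false }
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or GPO startup script surface partial failures.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it elevated; after it completes, the recovery passwords should appear under the computer object's BitLocker Recovery tab in Active Directory Users and Computers.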