Import BitLocker recovery keys

Posted: Wednesday, December 16, 2015 3:18:56 PM(UTC)


Member Original Poster Posts: 68
We use BitLocker in our organization. While we do push the recovery keys into AD, it would be nice if LS could import these as well since we spend more of our time working in LS than we do in AD. You already collect the BitLocker drive status--why not collect the recovery keys/PIN as well? Thanks!
#1Susan.A Member Administration Posts: 1,535  
posted: 12/16/2015 11:27:26 PM(UTC)
I've added recovery key retrieval through Active Directory to the wish list, but I'm not sure at this point if/when this will be implemented.
#2CVannest Member Posts: 14  
posted: 5/24/2016 8:41:01 PM(UTC)
Admin, any update on when this may be available in Lansweeper? Was just looking in AD today for a key and wished I could have grabbed it through Lansweeper. Came to the forum, lo and behold someone's already asked for it!

#3Susan.A Member Administration Posts: 1,535  
posted: 6/7/2016 8:46:24 PM(UTC)
We don't have an estimated release date for this feature unfortunately. Given the limited number of requests for this, this feature will likely have lower priority to be honest.
#4pfenner09 Member Posts: 1  
posted: 10/4/2016 4:52:18 PM(UTC)
Just curious, jprateragg said that Lansweeper already collects the BitLocker drive status. Where can I find this? I would also be interested in having Lansweeper collect recovery keys/PIN as well. It seems like Windows is really pushing for BitLocker. Thanks in advance!
#5ToHell Member Posts: 1  
posted: 8/3/2017 2:58:05 PM(UTC)
(a couple of years later) I want this too!

And in answer to pfenner09's question:
I guess this "BitLocker drive status" is what you see under Config->Windows->Encryptable volumes, which shows "Protection status" On or Off.
#6jprateragg Member Original Poster Posts: 68  
posted: 8/3/2017 3:30:43 PM(UTC)
Now that two people want this feature, can you implement it? :P
#7SouthySuper Member Posts: 41  
posted: 8/7/2017 7:24:51 PM(UTC)
I think this would need to be delegated just like you did when you did the bitlocker AD integration.

That attribute is protected, however, and that is why it is not viewable in the attributes. You would have to modify the schema to make it viewable and then Lansweeper would have to look for the MSFVE attribute.
#8cscherrey Member Posts: 16  
posted: 2/8/2018 9:10:48 PM(UTC)
Plus 1 for Lansweeper grabbing the bitlocker drive ID and password.
#9MHScripts Member Posts: 11  
posted: 5/15/2018 2:30:49 PM(UTC)
+1, this sounds like a great feature and would love to see it implemented.
#10AZHockeyNut Member Alpha Tester Posts: 231  
posted: 5/15/2018 4:34:51 PM(UTC)
add my +1 now please
#11mshajin Member Posts: 21  
posted: 5/25/2018 10:18:44 AM(UTC)
+1 for this
#12fjca Member Posts: 78  
posted: 5/25/2018 5:51:51 PM(UTC)

This would help us a lot also, not just for having the keys, but also to audit machines that should have the keys in the AD and do not. We are now doing a manual informal audit every 6 months or so, but that means getting the keys from one site, the list of machines from another, mix and match and Excel, etc...
#13pergep Member Posts: 3  
posted: 8/15/2018 12:31:44 PM(UTC)
+1 from my side too
#14marceman Member Posts: 1  
posted: 10/26/2018 4:29:53 PM(UTC)
Looking into implementing BitLocker and this would be really helpful.
#15markharry Member Posts: 12  
posted: 10/31/2018 12:43:08 AM(UTC)
This would be a great feature to add to Lansweeper. One more vote!
#16StephanieCDA Member Posts: 15  
posted: 12/20/2018 6:58:54 PM(UTC)
+1, this would be a nice addon.
#17iyad.omry Member Posts: 3  
posted: 12/26/2018 9:56:16 AM(UTC)
Please do that, I need this feature.
#18Tomdm Member Posts: 6  
posted: 1/3/2019 9:11:49 AM(UTC)
I would like to have this feature too. Actually, I'm looking for a less advanced feature: since we had a BitLocker-enabled computer where the AD attribute seems to be missing in AD, I would just like to find out which "recovery key" attributes are empty in AD and compare them to the list of BitLocker-enabled computers to see if we have more PCs with the recovery key missing.
#19duplissi Member Posts: 1  
posted: 1/10/2019 11:26:56 PM(UTC)
+1 for this request. Would love to have lansweeper pull bitlocker keys.
#20cscherrey Member Posts: 16  
posted: 1/11/2019 9:05:59 PM(UTC)
I know one request was pulling from AD which you must have access to do. However, I would want lansweeper to request the bitlocker password from the PC directly. I would think using the scan credentials Lansweeper could do this.

From CommandLine: manage-bde -protectors c: -get -Type recoverypassword

From Powershell: Get-BitLockerVolume | ? {$_.KeyProtector.KeyProtectorType -eq "RecoveryPassword"} | Select-Object MountPoint,@{Label='Key';Expression={"$($_.KeyProtector.RecoveryPassword)"}}

For now, I created a job on the server to grab the keys from AD once a day using credentials that have access and write them to the Asset Custom Fields in the Lansweeper DB so that they show up for each asset. This does require that you configure the PCs to record their recovery password to AD.
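
The audit fjca and Tomdm ask for in this thread (BitLocker-enabled machines with no recovery key in AD), sketched as an added example that is not part of any post and not Lansweeper code. The function names, sample hosts and OU path are hypothetical; it assumes the ActiveDirectory module and an account delegated to read `msFVE-RecoveryInformation` objects, and it only counts those objects without reading the recovery passwords.

```powershell
# Added example; function names, host names and the OU path are hypothetical.

# Count msFVE-RecoveryInformation child objects under each AD computer object.
# Requires the ActiveDirectory module and delegated read access to these objects.
function Get-AdRecoveryKeyCount {
    param([Parameter(Mandatory)][string]$SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    $counts = @{}
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $query = @{
            SearchBase  = $computer.DistinguishedName
            SearchScope = 'OneLevel'
            Filter      = "objectClass -eq 'msFVE-RecoveryInformation'"
        }
        # Only the number of objects is kept; the password attribute is never requested.
        $counts[$computer.Name] = @(Get-ADObject @query).Count
    }
    return $counts
}

# Pure comparison: which protected machines have no key escrowed in AD?
function Find-MissingRecoveryKey {
    param(
        [Parameter(Mandatory)][string[]]$ProtectedComputers,  # machines with protection On
        [Parameter(Mandatory)][hashtable]$AdKeyCounts         # from Get-AdRecoveryKeyCount
    )
    foreach ($name in $ProtectedComputers) {
        # Hashtables created with @{} compare string keys case-insensitively.
        if (-not $AdKeyCounts.ContainsKey($name)) {
            [pscustomobject]@{ Computer = $name; Finding = 'No computer object in AD' }
        }
        elseif ($AdKeyCounts[$name] -eq 0) {
            [pscustomobject]@{ Computer = $name; Finding = 'No recovery key in AD' }
        }
    }
}

# Constructed sample data so the comparison can be tried without a domain.
$protected = 'PC-001', 'pc-002', 'PC-003'
$adCounts  = @{ 'PC-001' = 2; 'PC-002' = 0 }
Find-MissingRecoveryKey -ProtectedComputers $protected -AdKeyCounts $adCounts |
    Format-Table -AutoSize

# Against a real domain (placeholder OU):
# $adCounts = Get-AdRecoveryKeyCount -SearchBase 'OU=Workstations,DC=example,DC=com'
```

The list of protected machines would come from wherever protection status is already tracked, for example an export of the "Encryptable volumes" data mentioned earlier in the thread.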
#21mshajin Member Posts: 21  
posted: 2/6/2019 11:52:47 AM(UTC)
+1 for this

I have managed to work around this by creating an advanced action that executes a script to retrieve the recovery key from AD
#22Caleb Member Posts: 11  
posted: 2/11/2019 8:38:41 PM(UTC)
Originally Posted by: JacobH
For Bitlocker - Storing Keys in AD is antiquated - it's moved to MDOP/MBAM SQL database to the best of my limited knowledge.


You can query the machines table, inner join the keys table, to get you computername and recovery key.

Where you go after that, is up to you. If you're MSSQL-minded, you know where I'm going with this...

Mainstream support for Microsoft BitLocker Administration and Monitoring (MBAM) is ending July 2019.


Supported method for storing keys is with Active Directory, either on premises or in Azure.
#23JacobH Member Posts: 165  
posted: 2/11/2019 9:05:54 PM(UTC)
Thanks Caleb! I deleted my erroneous post.
