Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland
+48 502 469 760
contact@evotec.pl

Backing up Bitlocker Keys and LAPS passwords from Active Directory

Backing up Bitlocker Keys and LAPS passwords from Active Directory
LAPS and Bitlocker
By Przemyslaw Klys Active Directory PowerShell March 31, 2019

Having a modern, secure infrastructure in 2019 is a requirement. You should implement BitLocker to make sure that in the event of stolen laptop data is not readily extractable and implementing LAPS is a must in a fast changing IT world. But I'm not here to convince you to those two security features. I'm here to show you an easy way to backup LAPS and BitLocker. While having everything stored in Active Directory is excellent, things can get complicated when you don't have access to your Active Directory, or you restore an older version of it. You see, LAPS, for example, keeps only last Administrator password. This is great and all but what happens if you restore the machine from backup from 6 months back? Your password has already changed multiple times. During our testing of DR scenarios, we wanted to access the computer via their local Administrator credentials and we just couldn't because that password was already gone.

Extracting Bitlocker and LAPS passwords is very risky
Please be aware that exporting Bitlocker and LAPS is considered a risk if you mishandle the data. You shouldn't extract that data unless you have a valid reason and you store that data safely somewhere in a safe place. Saving it on your file share isn't the best idea!
Extracting Bitlocker from Active Directory

Below code should allow you to extract all BitLocker Keys available in Active Directory for all computers. Keep in mind it will get it all. Not only the latest one.

function Get-WinADDomainBitlocker {
    param(
        [string] $Domain = $Env:USERDNSDOMAIN,
        [Array] $Computers
    )
    $Properties = @(
        'Name',
        'OperatingSystem',
        'DistinguishedName'
    )
    #[DateTime] $CurrentDate = Get-Date

    if ($null -eq $Computers) {
        $Computers = Get-ADComputer -Filter * -Properties $Properties -Server $Domain
    }
    foreach ($Computer in $Computers) {
        $Bitlockers = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties 'WhenCreated', 'msFVE-RecoveryPassword' #|  Sort-Object whenCreated -Descending #| Select-Object whenCreated, msFVE-RecoveryPassword
        
        foreach ($Bitlocker in $Bitlockers) {
            [PSCustomObject] @{
                'Name'                        = $Computer.Name
                'Operating System'            = $Computer.'OperatingSystem'
                'Bitlocker Recovery Password' = $Bitlocker.'msFVE-RecoveryPassword'
                'Bitlocker When'              = $Bitlocker.WhenCreated
                'DistinguishedName'           = $Computer.'DistinguishedName'
            }
        }
    }
}

Usage is quite simple

$MyBitlocker = Get-WinADDomainBitlocker
$MyBitlocker | Format-Table -AutoSize


# Exporting to  Excel 
# Install-Module PSWriteExcel # is required
ConvertTo-Excel -FilePath 'C:\myFile.xlsx' -DataTable $MyBitlocker -AutoFilter -AutoFit -ExcelWorkSheetName 'Bitlocker Keys'
Extracting LAPS from Active Directory

Below code is able to deliver extracted LAPS passwords for each, and every computer in Active Directory. It also shows Expiration Time and Days to Expire.

function Get-WinADDomainLAPS {
    [CmdletBinding()]
    param(
        [string] $Domain = $Env:USERDNSDOMAIN,
        [Array] $Computers
    )
    $Properties = @(
        'Name',
        'OperatingSystem',
        'DistinguishedName',
        'ms-Mcs-AdmPwd',
        'ms-Mcs-AdmPwdExpirationTime'
    )
    [DateTime] $CurrentDate = Get-Date

    if ($null -eq $Computers -or $Computers.Count -eq 0) {
        $Computers = Get-ADComputer -Filter * -Properties $Properties
    }
    foreach ($Computer in $Computers) {
        [PSCustomObject] @{
            'Name'                 = $Computer.Name
            'Operating System'     = $Computer.'OperatingSystem'
            'Laps Password'        = $Computer.'ms-Mcs-AdmPwd'
            'Laps Expire (days)'   = Convert-TimeToDays -StartTime ($CurrentDate) -EndTime (Convert-ToDateTime -Timestring ($Computer.'ms-Mcs-AdmPwdExpirationTime'))
            'Laps Expiration Time' = Convert-ToDateTime -Timestring ($Computer.'ms-Mcs-AdmPwdExpirationTime')
            'DistinguishedName'    = $Computer.'DistinguishedName'
        }
    }
}

Again, usage is very similar to what you get in Bitlocker above

$Laps = Get-WinADDomainLAPS
$Laps | Format-Table -AutoSize

# Again using this required PSWriteExcel
ConvertTo-Excel -FilePath 'C:\myFile.xlsx' -DataTable $Laps -AutoFilter -AutoFit -ExcelWorkSheetName 'LAPS'
Required modules

There are two PowerShell modules I'm using that I've created and are utilized above. One is PSSharedGoods, and one is PSWriteExcel. PSSharedGoods is required for two functions Convert-TimeToDays and Convert-ToDateTime. If you don't feel like installing those feel free to use the code below. It's not strongly optimized, but it works. PSWriteExcel is responsible for creating an Excel file if you prefer to export using other, more common modules you don't need that.

function Convert-TimeToDays {
    [CmdletBinding()]
    param (
        $StartTime,
        $EndTime,
        #[nullable[DateTime]] $StartTime,
        #[nullable[DateTime]] $EndTime,
        [string] $Ignore = '*1601*'
    )
    if ($StartTime -and $EndTime) {
        try {
            if ($StartTime -notlike $Ignore -and $EndTime -notlike $Ignore) {
                $Days = (NEW-TIMESPAN -Start (GET-DATE) -End ($EndTime)).Days
            } else {
                $Days = $null
            }
        } catch {
            $Days = $null
        }
    }
    return $Days
}

function Convert-ToDateTime {
    [CmdletBinding()]
    param (
        [string] $Timestring,
        [string] $Ignore = '*1601*'
    )
    Try {
        $DateTime = ([datetime]::FromFileTime($Timestring))
    } catch {
        $DateTime = $null
    }
    if ($null -eq $DateTime -or $DateTime -like $Ignore) {
        return $null
    } else {
        return $DateTime
    }
}
Przemyslaw Klys / About Author
System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
More posts by Przemyslaw Klys

Related Posts

Strengthening Password Security in Active Directory: A PowerShell-Powered Approach
PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.
28 May 2023
Event Monitoring v0.6
Get-EventsLibrary.ps1 – Monitoring Events PowerShell
19 Apr 2018
PSBlackListChecker
PSBlackListChecker – Notifications to Microsoft Teams, Slack of Blacklisted IPs
02 Nov 2018
PSWinReporting – Forwarders, Microsoft Teams, Slack, Microsoft SQL and more
16 Sep 2018
PowerShell Automating Administration
Powershell – Change DNS IP Addresses remotely
0
09 Feb 2016
Tricks I wish I knew
PowerShell – Few tricks about HashTables and Arrays I wish I knew when I started
I’ve been working with PowerShell for a while now and like with most things I do I’ve learned it by doing and not by reading. I had a job to do, and since I don’t like doing things over and over, I thought it’s time to learn and do it in PowerShell. Problem with that approach is that you take bits and pieces from PowerShell scripts online that sometimes do the job but not necessarily pay attention to details. And it’s fine. I’ve learned a lot from reading someone else’s work, and I learn something new every day. Hopefully, it will be useful to you to some extent.
18 Feb 2019
Pester V5
Converting Pester V4 to Pester V5 basics
Now that Pester V5 is out, I decided that I need to make sure that my Pester tests for all my modules keep on running correctly. Some substantial changes in Pester add new features, changing some things, but that also means all the tests that you have defined most likely will need a small push to get it up and running again on Pester V5. Starting this blog post, I wanted to mention that I am by no means an expert on Pester, but I do use it for some time now for most of my projects.  I am using basic functionality, but even that basic functionality stops working once you upgrade from PesterV4 to PesterV5, so I thought I would save you some time and give you a small overview of how you can quickly fix it. It works for me, but you may have to find your way to fix things.
28 May 2020
Using Win32_UserAccount WMI filter in PowerShell/Group Policies and what to avoid
Some months ago, I created PowerShell Script to create local administrative users on workstations – Create a local user or administrator account in Windows using PowerShell. It’s a bit overcomplicated, but the goal was it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I’ve been using Win32_UserAccount WMI based query to find local users and manage them to an extent. While Get-LocalUser exists, it’s not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it’s been a good friend of mine.
02 Jun 2020
Missing Permissions Authenticated Users
Finding GPOs missing permissions that may prevent GPOs from working correctly
I’ve been in IT for a longer time now. I’ve made my fair share of mistakes and misconfigurations. One of those misconfigurations was removing Authenticated Users from Security filtering in Group Policy Objects. While it worked fine at some point Microsoft rolled out a Hotfix MS16-07 on June 14th 2016.
19 Feb 2020
Upload and Download files from Azure Blob Storage using Connection String
They say there is a first time for everything. For me, it’s how to download and upload files to Azure Blog Storage using Connection String. Recently I was given Connection String, Container name and had to download some files from Azur Blog Storage. After some research and trying Connect-AzAccount, I found that the proper way to go is thru New-AzStorageContext.
18 Jan 2023
PGP Decrypt
Encrypting and decrypting PGP using PowerShell
Some time ago, I decided that having an easy-to-use PGP PowerShell module is a way to kill my boredom. Four months have passed, and I decided to share it with the world, as it may be helpful to some of you.  Today I would like to introduce you to PSPGP – PowerShell module that provides PGP functionality in PowerShell.
12 Sep 2021
The only command you will ever need to understand and fix your Group Policies (GPO)
The only command you will ever need to understand and fix your Group Policies (GPO)
I’ve been working on cleaning up Group Policies for a couple of months. While it may seem trivial, things get complicated when you’re tasked with managing 5000 GPOs created over 15 years by multiple teams without any best practices in mind. While working on GPOZaurr (my new PowerShell module), I’ve noticed that the more code I wrote to manage those GPOs, the more I knew passing this knowledge to admins who will be executing this on a weekly/monthly basis is going to be a challenge. That’s why I’ve decided to follow a similar approach as my other Active Directory testing module called Testimo. I’ve created a single command that analyses Group Policies using different methods and shows views from different angles to deliver the full picture. On top of that, it provides a solution (or it tries to) so that it’s fairly easy to fix – as long as you agree with what it proposes.
24 Jan 2021
Dashimo (PSWriteHTML) – Charting, Icons and few other changes
A few months ago when I first released Dashimo, I’ve promised that Charts will come. Unfortunately, time passed by, and there were no Charts in sight. It’s not that I didn’t want to deliver, I just wasn’t sure on the way I want to allow charts building. Today after playing with the idea for a while I’ve decided to release essential support for diagrams, with a couple of other fixes. Some of that stuff is already there for longer while I just never announced it. There are probably a lot of other hidden gems you may find if you explore PSWriteHTML or Dashimo.
17 Jun 2019
Dashimo
Meet Dashimo – PowerShell Generated Dashboard
Today I wanted to introduce a little product that I’ve created in the last few weeks called Dashimo. It doesn’t cover everything I wanted from it (feature wise), but it already can be used in production. Therefore, I thought it would be a good idea to get some feedback on whether I should spend some more time on it or throw it in the dumpster. Dashimo joins it’s older brother Statusimo of PowerShell modules allowing an easy way to build HTML output. If it will feel familiar, it’s because it was inspired with Bradley Wyatt PowerShell script he did. It gave me the idea of how I would like to build something similar but in a bit different way then he did, with much more flexibility. Still, if it wasn’t for him, the idea wouldn’t be there, therefore you should send him your thanks.
01 Apr 2019
The security account manager (SAM) has determined that SID is already in use in the Forest
The security account manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the Forest you want to join. This can happen when restoring an Active Directory Domain Controller with an improper backup. Reinstall the operating system on the local AD DC to obtain a new SID.
12 Mar 2020