Change BitLocker Recovery Password with PowerShell

When BitLocker detects certain changes to the computer it’ll trigger Recovery Mode, and prompt for the Recovery Password. Likewise, you also need the recovery password if you need to access the encrypted disk from another machine or via Windows Recovery Environment (Windows RE).

If you need to provide your users with their BitLocker recovery password, you might want to change it afterwards. It allows them to get into the disk via alternative methods and thus bypass NTFS security. This is a bad thing.

If you have BitLocker set up right, it’ll write any new recovery passwords that it generates to Active Directory. Therefore the script (which you might want to run as a scheduled task, even if only on demand) does not display the new recovery password to screen. You can easily modify it to show the password by removing “-WarningAction SilentlyContinue”.

$MountPoint = "C:"
# Register the event log source
$LogSource = "RCMTech"
New-EventLog -LogName Application -Source $LogSource -ErrorAction SilentlyContinue
# Get the key protectors
$KeyProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
foreach($KeyProtector in $KeyProtectors){
    if($KeyProtector.KeyProtectorType -eq "RecoveryPassword"){
        try{
            # Remove then re-add the RecoveryPassword protector
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $KeyProtector.KeyProtectorId | Out-Null
            # Assuming BitLocker is configured properly, the recovery password will be stored in Active Directory, don't display it on screen
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -WarningAction SilentlyContinue | Out-Null
            # If we get this far, eveything has worked, write a success to the event log
            Write-EventLog -LogName Application -Source $LogSource -EntryType Information -EventId 1000 -Message "BitLocker Recovery Password for $MountPoint has been changed"
            Write-Host "Successfully changed BitLocker Recover Password" -ForegroundColor Green
        }
        catch{
            # Something went wrong, display the error details and write an error to the event log
            $Error[0]
            Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message "Failed to change Bitlocker Recovery Password for $MountPoint"
        }
    }
}
Advertisements
This entry was posted in PowerShell, Security, Windows and tagged , , , , , , , , , . Bookmark the permalink.

One Response to Change BitLocker Recovery Password with PowerShell

  1. billerdude says:

    Great script! The VB script MS provides is great, but I was looking for something using PowerShell as I’m not as versed in VB. Figured I’d google it to see if anyone else had done this before I started putting it together. Only change I made was to replaced the static mount point drive letter with the $env:SystemDrive, in case the OS isn’t installed on C: for whatever reason. Really a minor change though, otherwise Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s