Datto RMM: Escrow Bitlocker Keys

By | October 31, 2019

The title says it all. Let's see how we can use Datto RMM Components, Jobs and PowerShell to record the BitLocker recovery key for each encrypted volume.

Prepare Datto RMM

In order for this to be neat, there are a couple of things we should first set up in the RMM portal.

  • Log in to the Datto RMM Portal and change your security level to administrator (from the top right)
  • Highlight Setup and click on Account Settings
  • Scroll down to User Defined Fields
  • Select the UDF you want to write the recovery key to, e.g. 21
  • Click the edit icon and rename it to something recognisable, e.g. BitlockerKey
  • Save this.

Add the Component

  • Click on Components>New Component
  • Category>Scripts

Once the component has been added, we will want to modify the contents of the script. Change the script type to PowerShell.

Paste the script below into the text field. One thing to note is that, as written, the UDF number is hard coded to 21. Alternatively, define a variable named usrUDF on the component itself (the script reads it as $env:usrUDF) and comment out the line that sets $env:usrUDF to '21'.

The Script

Below is the script I used to collect the keys.

# Get the BitLocker volumes on this device whose protection is currently on
$EncryptedVolumes = Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -eq 'On' } |
    Select-Object -ExpandProperty MountPoint

# Get the 48-digit recovery password(s) for each protected volume.
# Only RecoveryPassword protectors carry a password; TPM, PIN and key-file
# protectors are skipped so that no blank entries end up in the UDF.
$AllPasswords = foreach ($Volume in $EncryptedVolumes) {
    $Protectors = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($Protector in $Protectors) {
        "$Volume $($Protector.RecoveryPassword)"
    }
}

# One entry per volume and protector, e.g. "C: 123456-...-123456; D: 654321-...-654321"
# (empty string when no volume is protected)
$AllKeys = ($AllPasswords -join '; ')

# UDF number to write to: taken from the component variable usrUDF when the
# component defines one, otherwise hard coded to 21 (comment this line out to
# rely on the component variable alone)
if (-not $env:usrUDF) { $env:usrUDF = '21' }

# Validate the UDF variable (labelled by the user in the job). The regex check
# comes first so that a non-numeric value never reaches the [int] cast.
if ($env:usrUDF -match '^\d+$') {

    # Validate the variable value is between 1 and 30
    if ([int]$env:usrUDF -ge 1 -and [int]$env:usrUDF -le 30) {
        # The agent copies HKLM:\SOFTWARE\CentraStage\Custom<N> into UDF <N> on its next audit
        New-ItemProperty -Path 'HKLM:\SOFTWARE\CentraStage' -Name "Custom$env:usrUDF" -Value $AllKeys -PropertyType String -Force | Out-Null
        Write-Host "Value written to User-defined Field $env:usrUDF."
    }
    else {
        Write-Host "User-defined Field value must be an integer between 1 and 30."
    }
} else {
    Write-Host "User-defined field value invalid or not specified - not writing results to a User-defined field."
}

Download the script here:

https://raw.githubusercontent.com/decturau/PowerShell/master/Windows/DattoRMM_Bitlocker_UDF.ps1

Once the component has been created, you can simply run it as a quick job on any Windows 10 device. If BitLocker is enabled, you will watch the recovery key(s) populate for that device's volumes; the value is picked up from the registry at the agent's next audit, so request an audit from the device page if it does not appear straight away. Bear in mind what you are escrowing: the recovery password is left in plaintext under HKLM:\SOFTWARE\CentraStage, a key that standard users on the device can read, and in the portal it is visible to anyone who can view that device's UDFs. That password unlocks the disk, so restrict portal access accordingly, and if the device is domain- or Azure AD-joined, keep AD/Azure AD escrow (Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector) as the primary store and treat the UDF as a convenience copy.

Go One Step Further

Why not go one step further and use a component that is built into RMM: create a UDF called BitlockerEnabled and audit the devices for their BitLocker status.

  • Follow the steps above to create a user defined field
  • Go to the ComStore and add the Bitlocker Audit component (you must be at security level administrator to see the ComStore)
  • Run it as a quick job and specify your UDF in the variable, e.g. 20
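If you would rather script the audit yourself than use the ComStore component, the following is an added example of how to do it; it is not the Bitlocker Audit component's code and not part of the original post. It reuses the Custom<N> registry convention from the recovery-key script above, the function names are my own, and it assumes UDF 20 is the BitlockerEnabled field unless the component variable usrUDF says otherwise. Unlike a simple On/Off flag, it records the per-volume state, so a volume that is still encrypting (EncryptionInProgress) is not reported as protected.

```powershell
# Added example: audit BitLocker state per volume and write a one-line summary
# to a Datto RMM UDF. Not the ComStore component's code; helper names are mine.

function Get-BitLockerAuditSummary {
    # Returns one entry per volume, e.g.
    # "C: On/FullyEncrypted 100% [Tpm,RecoveryPassword]; D: Off/FullyDecrypted 0% []"
    $Parts = foreach ($Vol in (Get-BitLockerVolume | Sort-Object MountPoint)) {
        $Types = ($Vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        '{0} {1}/{2} {3}% [{4}]' -f $Vol.MountPoint, $Vol.ProtectionStatus,
            $Vol.VolumeStatus, $Vol.EncryptionPercentage, $Types
    }
    if (-not $Parts) { return 'No BitLocker volumes found' }
    return ($Parts -join '; ')
}

function Test-AllVolumesProtected {
    # True only when every volume BitLocker reports is fully encrypted with
    # protection on. A volume still encrypting, or encrypted with protection
    # suspended (ProtectionStatus Off), makes this return False.
    $Vols = Get-BitLockerVolume
    if (-not $Vols) { return $false }
    $NotProtected = $Vols | Where-Object {
        $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
    }
    return -not $NotProtected
}

function Write-DattoUdf {
    # Writes $Value to HKLM:\SOFTWARE\CentraStage\Custom<N>; the agent copies it
    # into UDF <N> at its next audit. Validates N before the [int] cast.
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][string]$Udf
    )
    if ($Udf -notmatch '^\d+$' -or [int]$Udf -lt 1 -or [int]$Udf -gt 30) {
        throw "usrUDF must be an integer between 1 and 30 (got '$Udf')"
    }
    New-ItemProperty -Path 'HKLM:\SOFTWARE\CentraStage' -Name "Custom$Udf" `
        -Value $Value -PropertyType String -Force | Out-Null
}

# Assumption: UDF 20 is the BitlockerEnabled field when the component does not set usrUDF
if (-not $env:usrUDF) { $env:usrUDF = '20' }

$Summary = Get-BitLockerAuditSummary
$State = if (Test-AllVolumesProtected) { 'Enabled (all volumes)' } else { 'Not fully enabled' }
Write-DattoUdf -Value "$State - $Summary" -Udf $env:usrUDF
Write-Host "Wrote to UDF $($env:usrUDF): $State - $Summary"
```

Run it as a quick job the same way as the recovery-key component. Because the summary carries the volume status and the protector types, the UDF also tells you when a device has a TPM protector but no RecoveryPassword protector, which is exactly the case where the escrow script above would have nothing to record.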

Finished View

Below is the final view, shown in three images.

  1. BitLocker enabled on one, but not all, volumes
  2. BitLocker protecting all volumes (2 keys here)
  3. BitLocker protecting no volumes