This tip demonstrates how to use VB.NET to programmatically extract BitLocker Recovery Keys from Active Directory.
- Article Purpose
- What is BitLocker?
- The Code
Article Purpose
I have written this tip in an attempt to help stem the tide of forum threads regarding the extraction of BitLocker Recovery Keys from Active Directory.
What is BitLocker?
BitLocker Drive Encryption is a disk encryption feature available in higher-end versions of Microsoft’s Windows operating system. Used by corporations around the world, BitLocker Drive Encryption allows the user to encrypt data and prevent unauthorised changes being made to a system.
A BitLocker Recovery Key is a string of integers that you can generate when you turn on BitLocker Drive Encryption for the first time. You can use this recovery key to gain access to your computer if the operating system drive is encrypted and BitLocker detects a condition that prevents it from unlocking the drive on start up.
In most organisations that use BitLocker Drive Encryption, a savvy network administrator will create a domain policy that backs up and stores each computer’s BitLocker Recovery Key within Active Directory. A full article on how to create such a policy can be found here.
When attempting to view and extract BitLocker Recovery Key information from Active Directory, you will need to ensure that you have installed the Remote Server Administration Tools (RSAT) package and enabled the BitLocker Password Recovery Viewer feature. You can read more about this feature here.
A link to download RSAT for Windows 7 can be found here.
The Code
The following code will allow you to programmatically extract the BitLocker Recovery Key for a single computer on your domain. I have added comments to the code to better explain each step of the extraction process.
Imports System.DirectoryServices

Public Class frmMain
    Private Sub btnSearch_Click(sender As Object, e As EventArgs) Handles btnSearch.Click
        ' Bind to the root of the domain (change the distinguished name to match your domain).
        Dim strLDAP As String = "LDAP://DC=tower,DC=lan"
        Dim strComputer As New DirectoryEntry(strLDAP)
        ' First search: find the computer object whose name was typed into the form.
        Dim objSearch1 As New DirectorySearcher(strComputer)
        objSearch1.Filter = ("(&(objectClass=computer)(name=" & txtComputer.Text & "))")
        Dim objResult1 As SearchResult = objSearch1.FindOne()
        ' FindOne returns Nothing when no computer matches, so stop here rather than dereference it.
        If objResult1 Is Nothing Then
            txtKey.Text = "Computer not found."
            Return
        End If
        Dim strFullPath As String = objResult1.Path
        ' Second search: the recovery information objects are stored as children of the computer object.
        Dim objSearch2 As New DirectorySearcher()
        objSearch2.SearchRoot = New DirectoryEntry(strFullPath)
        objSearch2.Filter = "(objectClass=msFVE-RecoveryInformation)"
        Dim colQueryResults As SearchResultCollection = objSearch2.FindAll()
        ' Each child object carries one recovery password; display the one(s) found.
        For Each objResult2 As SearchResult In colQueryResults
            If objResult2.Properties.Contains("msFVE-RecoveryPassword") Then
                txtKey.Text = CStr(objResult2.Properties("msFVE-RecoveryPassword")(0))
            End If
        Next
        colQueryResults.Dispose()
    End Sub
End Class
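As an added example (not the tip's own code), the same two-step lookup as a reusable function: it escapes the computer name per RFC 4515 before placing it in the filter, because the form code above concatenates txtComputer.Text directly; it limits the second search to the computer object's immediate children; and it returns each password together with its msFVE-RecoveryGuid, which is the Key ID BitLocker shows on the recovery screen, so the right key can be picked when a computer has several. The module and function names and the LDAP root passed in are my own.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

Module BitLockerLookup
    ' Escape a value placed inside an LDAP filter (RFC 4515) so form input cannot alter the filter.
    Public Function EscapeLdapFilterValue(value As String) As String
        Dim sb As New System.Text.StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Return every recovery password under the computer object, keyed by its msFVE-RecoveryGuid (the Key ID).
    Public Function GetRecoveryPasswords(ldapRoot As String, computerName As String) As Dictionary(Of Guid, String)
        Dim result As New Dictionary(Of Guid, String)()
        Using root As New DirectoryEntry(ldapRoot)
            Using computerSearch As New DirectorySearcher(root)
                computerSearch.Filter = "(&(objectClass=computer)(name=" & EscapeLdapFilterValue(computerName) & "))"
                Dim computer As SearchResult = computerSearch.FindOne()
                If computer Is Nothing Then Return result
                Using computerEntry As New DirectoryEntry(computer.Path)
                    Using keySearch As New DirectorySearcher(computerEntry)
                        ' Recovery objects are direct children of the computer, so OneLevel is enough.
                        keySearch.Filter = "(objectClass=msFVE-RecoveryInformation)"
                        keySearch.SearchScope = SearchScope.OneLevel
                        keySearch.PropertiesToLoad.Add("msFVE-RecoveryPassword")
                        keySearch.PropertiesToLoad.Add("msFVE-RecoveryGuid")
                        Using keys As SearchResultCollection = keySearch.FindAll()
                            For Each entry As SearchResult In keys
                                If entry.Properties.Contains("msFVE-RecoveryPassword") AndAlso entry.Properties.Contains("msFVE-RecoveryGuid") Then
                                    ' The GUID is stored as an octet string; rebuild it to match the on-screen Key ID.
                                    Dim id As New Guid(CType(entry.Properties("msFVE-RecoveryGuid")(0), Byte()))
                                    result(id) = CStr(entry.Properties("msFVE-RecoveryPassword")(0))
                                End If
                            Next
                        End Using
                    End Using
                End Using
            End Using
        End Using
        Return result
    End Function
End Module
```

Reading msFVE-RecoveryPassword is governed by the ACL on the recovery information objects, so the account running this needs the same read right that the BitLocker Recovery Password Viewer requires.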