Bitlocker Recovery Key script does not work in Task Sequence

Pavel yannara Mirochnitchenko 11,716 Reputation points
2020-11-12T13:37:19.137+00:00

I am using MBAM and because of that I can't use the built-in Enable BitLocker step. In the TS, I first encrypt the drive with MBAM, and then the idea is to just back up the recovery key to AD. The script below works manually but not in the TS. The script exit code is also 0, but in the TS it just doesn't do anything.

# Read the BitLocker state of the OS volume
$volume = Get-BitLockerVolume -MountPoint "C:"
# Escrow the second key protector (index 1) to Active Directory; this assumes
# index 1 is the recovery password, which is not guaranteed (see the answers below)
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $volume.KeyProtector[1].KeyProtectorId

  • Manually, in Command Prompt as admin works
  • Manually, with PSExec works
  • TS powershell as system doesn't do anything
  • TS powershell as admin doesn't do anything

3 answers

  1. Gary Blok 1,736 Reputation points
    2020-11-12T21:43:03.657+00:00

    Can you try this instead?

    # Pick the protector by its type instead of by position in the array:
    # only a RecoveryPassword (numerical password) protector can be backed up to AD
    $keyprotector = (((Get-BitLockerVolume -MountPoint "C:").KeyProtector) | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorId
    # Escrow that protector to Active Directory
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $keyprotector
    

    Also, where is the step that you're running this? Near the end of the TS?
    If you run the TS Debugger after you've run your script to enable BitLocker and it adds the protectors, can you pause the TS, launch the Command Prompt, confirm the protector is there, then launch PowerShell and test your script?

    When I tested your script, it didn't work for me, since [1] was the TPM keyprotector and not the Recovery Password.

    1 person found this answer helpful.
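    The two scripts above share a weakness the thread runs into: when the protector lookup or the AD write fails, the step still finishes with exit code 0, so the task sequence reports success and the failure only shows up in smsts.log. The script below is an added example (not code from the original question or from Gary's answer) that selects every RecoveryPassword protector by type, escrows each one, logs only the protector IDs (never the recovery password itself), and exits non-zero on any failure so the task sequence step fails visibly. It assumes the volume is already encrypted by MBAM, that the computer account can write recovery information to AD DS, and uses a placeholder log path.

```powershell
# Added example: escrow all RecoveryPassword protectors on C: to AD DS and fail
# the task sequence step loudly if that is not possible.
# Assumptions: drive already encrypted (e.g. by MBAM); computer account may
# write msFVE-RecoveryInformation objects; $LogFile is a placeholder path.
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'
$LogFile    = 'C:\Windows\Temp\Backup-BitLockerKey.log'   # placeholder path

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line   # also lands in smsts.log when run from a Run PowerShell Script step
}

try {
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Log ('Volume {0}: ProtectionStatus={1}, VolumeStatus={2}' -f `
        $MountPoint, $volume.ProtectionStatus, $volume.VolumeStatus)

    # Select by type, never by array index: the order of KeyProtector is not
    # fixed, and on a TPM machine index 1 may well be the Tpm protector.
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No RecoveryPassword protector exists on $MountPoint; nothing to escrow."
    }

    foreach ($kp in $recovery) {
        # Log the protector ID only; the RecoveryPassword property is a secret
        # and must never be written to a log file.
        Write-Log ('Backing up protector {0} to AD DS' -f $kp.KeyProtectorId)
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Log ('Backup of {0} succeeded' -f $kp.KeyProtectorId)
    }
    exit 0
}
catch {
    # Non-zero exit makes the step fail in the task sequence instead of
    # silently reporting success while the key was never escrowed.
    Write-Log ('FAILED: {0}' -f $_.Exception.Message)
    exit 1
}
```

    With this in a Run PowerShell Script step, a missing recovery protector or an AD write error is reported as a step failure rather than discovered later in smsts.log, and the log line with the protector ID can be matched against the msFVE-RecoveryInformation object in AD to confirm the escrow actually happened.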

  2. Pavel yannara Mirochnitchenko 11,716 Reputation points
    2020-11-13T08:18:26.367+00:00

    Thanks for the input. I tested your script but still the same problem. First, from the Invoke-PS1 script I see this, but it is probably okay, because after 30 seconds it does succeed, right?

    [image: 39626-image.png]

    But then, your script errors like that (but the step does complete with exit 0). Unfortunately, before this testing, I didn't read the smsts.log, only the status message view, which didn't reveal any errors.

    [image: 39529-image.png]


  3. Pavel yannara Mirochnitchenko 11,716 Reputation points
    2020-11-13T10:19:22.87+00:00

    I just want to confirm that using the Enable BitLocker built-in step in my environment does take the key to AD, so my environment is okay for that :)