BitLocker Key Backup
Purpose
This solution outlines the complete process for automatically backing up BitLocker recovery keys to Active Directory or Azure Active Directory using ConnectWise RMM. It utilizes custom fields, dynamic groups, and automated tasks to ensure BitLocker recovery keys are properly backed up and their status is tracked.
Associated Content
Custom Fields
| Name | Example | Type | Level | Required | Purpose |
|---|---|---|---|---|---|
| Enable BitLocker Key Backup | Windows Workstation and Server | Dropdown | COMPANY | Yes | Select OS to enable automatic BitLocker key backup. |
| Disable BitLocker Key Backup (Site) | | Flag | SITE | No | Prevents BitLocker key backup at specific sites. |
| Disable BitLocker Key Backup (Endpoint) | | Flag | ENDPOINT | No | Prevents BitLocker key backup on specific endpoints. |
| BitLocker Key Backup Status | | Text Box | ENDPOINT | Yes | Displays the result of the most recent BitLocker key backup attempt. |
Groups
| Name | Purpose | 
|---|---|
| BitLocker Key Backup Enabled | Dynamic group targeting devices where BitLocker key backup is enabled. | 
| BitLocker Key Backup Failed | Group of machines where BitLocker key backup failed. | 
| BitLocker Key Backup Successful | Group of machines where BitLocker key backup was successful. | 
| BitLocker Key Missing | Group of machines where BitLocker recovery keys were not found. | 
Task
| Name | Purpose | 
|---|---|
| BitLocker Recovery Key Backup | Script that backs up BitLocker recovery keys to Active Directory or Azure AD. | 
Implementation
Step 1: Create the Required Custom Fields
Create all the custom fields listed above under SETTINGS → Custom Fields in CW RMM:
- Enable BitLocker Key Backup
- Disable BitLocker Key Backup (Site)
- Disable BitLocker Key Backup (Endpoint)
- BitLocker Key Backup Status
Step 2: Create the Dynamic Groups
Create the dynamic groups under ENDPOINTS → Groups:
- BitLocker Key Backup Enabled
- BitLocker Key Backup Failed
- BitLocker Key Backup Successful
- BitLocker Key Missing
Step 3: Create and Schedule the Task
- Create the BitLocker Recovery Key Backup task under AUTOMATION → Tasks and schedule it to run daily against the BitLocker Key Backup Enabled group.
Step 4: Configure Monitoring and Alerting
Use the status groups to monitor backup success and failure rates:
- Monitor BitLocker Key Backup Failed for devices needing attention
- Monitor BitLocker Key Missing for devices without recoverable keys
- Track BitLocker Key Backup Successful for compliance reporting
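As an added illustration of what the task in Step 3 does (illustrative PowerShell, not the script included with this solution), the following picks the backup target from the device's join state, escrows every RecoveryPassword protector, and emits one status line of the kind the BitLocker Key Backup Status field holds. It assumes the built-in BitLocker module, Windows 10 1809 or later for the Azure AD cmdlet, elevated rights, and for AD backup the Group Policy that permits storing recovery information in AD DS; how the RMM writes the output into the custom field is not described on this page and is not shown.

```powershell
# Added example of a backup task; this is not the task script that ships with the
# solution. Assumes the built-in BitLocker module (Get-BitLockerVolume,
# Backup-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector), elevated rights,
# and for AD backup the Group Policy that permits storing recovery info in AD DS.
# It prints one status line; writing that line into the "BitLocker Key Backup Status"
# custom field is left to the RMM task (not shown, since the page does not describe it).
$ErrorActionPreference = 'Stop'

# Pick every applicable target: AD for domain-joined, Azure AD for Azure AD joined;
# a hybrid-joined device is backed up to both.
$targets = @()
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) { $targets += 'AD' }
if ((dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES') { $targets += 'AzureAD' }

$results = @()
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow here
    # Only the numerical RecoveryPassword protector can be escrowed to AD / Azure AD.
    $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rps.Count -eq 0) {
        $results += "$($vol.MountPoint) KEY MISSING (no RecoveryPassword protector)"
        continue
    }
    if ($targets.Count -eq 0) {
        $results += "$($vol.MountPoint) FAILED (device is neither AD nor Azure AD joined)"
        continue
    }
    foreach ($kp in $rps) {
        foreach ($t in $targets) {
            try {
                if ($t -eq 'AD') {
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                } else {
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                }
                $results += "$($vol.MountPoint) SUCCESS ($t)"
            } catch {
                $results += "$($vol.MountPoint) FAILED (${t}: $($_.Exception.Message))"
            }
        }
    }
}
if ($results.Count -eq 0) { $results += 'KEY MISSING (no BitLocker-protected volumes)' }

# One line for the status custom field, e.g. "2024-01-01 02:00 C: SUCCESS (AD)" (constructed sample).
Write-Output ("$(Get-Date -Format 'yyyy-MM-dd HH:mm') " + ($results -join '; '))
```

A line containing FAILED or KEY MISSING is what the BitLocker Key Backup Failed and BitLocker Key Missing groups would key on; a line with only SUCCESS entries maps to BitLocker Key Backup Successful.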
FAQ
Q: What happens if a device is excluded at the site or endpoint level?
A: Devices or sites flagged for exclusion will not have their BitLocker keys backed up automatically. However, the backup task can be executed manually if needed.
Q: How often does the solution attempt to back up BitLocker keys?
A: The task is designed to run daily, but this can be adjusted based on your organizational requirements.
Q: Can I trigger the backup manually?
A: Yes, the BitLocker Recovery Key Backup task can be run on demand independent of the schedule.
Q: Where are the recovery keys backed up to?
A: The keys are backed up to either Active Directory or Azure Active Directory, depending on your environment configuration.
Q: What OSes are supported for automatic backup?
A: Supported OS selection is controlled by the Enable BitLocker Key Backup custom field (Windows Workstation, Windows Server, Both, or Disabled).
Q: How can I verify if keys were successfully backed up?
A: Check the BitLocker Key Backup Status custom field on each endpoint or monitor the BitLocker Key Backup Successful group.