Hi,
To reshuffle BitLocker recovery keys periodically, you can use a combination of PowerShell scripts and Task Scheduler in Windows.
Here’s a step-by-step guide to achieve this:
Step 1: Create a PowerShell Script to Rotate BitLocker Recovery Keys
- Open a text editor and create a new PowerShell script file (e.g., RotateBitLockerKeys.ps1).
- Add the following script to the file:
```powershell
# Get all BitLocker-enabled drives (the BitLocker cmdlets need an elevated PowerShell session)
$bitlockerVolumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
foreach ($volume in $bitlockerVolumes) {
    $mp = $volume.MountPoint
    # Only the recovery password protector(s) are rotated. KeyProtector[0] is usually the TPM
    # protector on the OS drive, and removing that would leave the drive unable to unlock.
    $oldIds = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object KeyProtectorId)
    # Add a new recovery key protector (the cmdlet returns the volume, not the new protector, so re-read it)
    Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    $newRecoveryKey = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }
    # Back up the NEW recovery key to Active Directory (if applicable); stop before removing anything if that fails
    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $newRecoveryKey.KeyProtectorId -ErrorAction Stop | Out-Null
    # Remove the old recovery key protector(s) now that the replacement is escrowed
    foreach ($id in $oldIds) { Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id | Out-Null }
    # Output the new recovery key (a scheduled task's output is not a safe place for it; drop this line once AD backup is confirmed)
    Write-Output "New recovery key for ${mp}: $($newRecoveryKey.RecoveryPassword)"
}
```
Step 2: Save the Script
Save the script with the name RotateBitLockerKeys.ps1.
Step 3: Create a Scheduled Task to Run the Script Periodically
- Open Task Scheduler.
- Click on Create Task in the right-hand pane.
- In the General tab, provide a name for the task (e.g., "Rotate BitLocker Recovery Keys").
- In the Triggers tab, click New to create a new trigger. Set the trigger to run at your desired interval (e.g., daily, weekly).
- In the Actions tab, click New to create a new action. Set the action to start a program and enter the following in the Program/script field:
powershell.exe
In the Add arguments (optional) field, enter the path to your script:
-File "C:\Path\To\RotateBitLockerKeys.ps1"
- In the Conditions and Settings tabs, configure any additional options as needed.
- Click OK to create the task.
Step 4: Test the Script
Run the script manually to ensure it works correctly before relying on the scheduled task.
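The steps above, carried through as one complete script. This is an added example, not code from the original post: the function names, the script path, the weekly 03:00 interval and the use of BackupToAAD-BitLockerKeyProtector for Entra ID joined devices are my own choices. It differs from the short script in two ways a practitioner cares about: the old recovery password is removed only after the new one has been confirmed escrowed (a failed backup rolls the new protector back instead), and the 48-digit password is never written to the task output.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
<#
  Added example (not from the original post): rotate BitLocker recovery passwords safely and
  register the rotation as a SYSTEM scheduled task. Function, parameter and path names are assumptions.
#>
function Invoke-RecoveryPasswordRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Where to escrow the new key before the old one is deleted. 'None' only makes sense for testing.
        [ValidateSet('ActiveDirectory', 'EntraID', 'None')]
        [string]$BackupTarget = 'ActiveDirectory'
    )
    foreach ($volume in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $mp = $volume.MountPoint
        # Only recovery password protectors rotate. TPM / TPM+PIN / startup key protectors are the
        # day-to-day unlock path and must never be removed here.
        $oldIds = @($volume.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object KeyProtectorId)
        if (-not $PSCmdlet.ShouldProcess($mp, "rotate $($oldIds.Count) recovery password protector(s)")) { continue }

        # 1. Add the replacement first, so the volume is never left without a recovery path.
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
        $new = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }

        # 2. Escrow the NEW key. -ErrorAction Stop turns a failed backup into a terminating error,
        #    so the old protector is only removed when the new one is known to be escrowed.
        try {
            switch ($BackupTarget) {
                'ActiveDirectory' { Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null }
                'EntraID'         { BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null }
                'None'            { Write-Warning "$mp : new key $($new.KeyProtectorId) was NOT escrowed anywhere" }
            }
        } catch {
            # Roll back: drop the un-escrowed protector, keep the old one, and report the failure.
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $new.KeyProtectorId -ErrorAction SilentlyContinue | Out-Null
            Write-Error "$mp : backup of new recovery key failed, old protector kept. $($_.Exception.Message)"
            continue
        }

        # 3. Only now retire the old recovery password(s).
        foreach ($id in $oldIds) {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id -ErrorAction Stop | Out-Null
        }
        # Deliberately log the protector ID, never the password: task history and transcript
        # files are readable by local admins and are not a key escrow.
        Write-Output "$mp : rotated, new recovery password protector $($new.KeyProtectorId)"
    }
}

# Register the rotation as a scheduled task running as SYSTEM (the BitLocker cmdlets need elevation
# and must not depend on an interactive user being logged on). Path and schedule are assumptions.
function Register-RecoveryPasswordRotationTask {
    param([string]$ScriptPath = 'C:\ProgramData\BitLockerRotation\RotateBitLockerKeys.ps1')
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 03:00
    $user    = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $opts    = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15)
    Register-ScheduledTask -TaskName 'Rotate BitLocker Recovery Keys' -Action $action -Trigger $trigger `
        -Principal $user -Settings $opts -Force
}

# What the scheduled task executes each run.
Invoke-RecoveryPasswordRotation -BackupTarget ActiveDirectory
```

To set it up, dot-source the file once in an elevated session and call Register-RecoveryPasswordRotationTask; to test, run Invoke-RecoveryPasswordRotation -WhatIf first (it lists what would be rotated without touching any protector), then run it for real and confirm the new protector ID appears on the computer object (BitLocker Recovery Password Viewer from RSAT) or on the device page in Entra ID before trusting the schedule. Afterwards, watch the task's last run result: an unattended failure means the old recovery password is still the valid one.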