I have a customer who wants to access the bitlocker key using only a script, no portal.
Based on 'Get bitlockerRecoveryKey', this has gotten him part of the way, but wondering if anyone has written an example script or could guide us further?
Get bitlockerRecoveryKey - https://docs.microsoft.com/en-us/graph/api/bitlockerrecoverykey-get?view=graph-rest-1.0&tabs=powershell
Kindest Regards,
Steve
There you go:
do {
$computers = get-adobject -Filter * | Where-Object {$_.ObjectClass -eq "msFVE-RecoveryInformation"}
$key = (read-host -Prompt "Enter starting portion of recovery key ID").ToUpper()
$records = $computers | where {$_.DistinguishedName -like "*{$key*"}
foreach ($rec in $records) {
$computer = get-adcomputer -identity ($records.DistinguishedName.Split(",")[1]).split("=")[1]
$recoveryPass = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryPassword' | where {$_.DistinguishedName -like "*$key*"}
[pscustomobject][ordered]@{
Computer = $computer
'Recovery Key ID' = $rec.Name.Split("{")[1].split("}")[0]
'Recovery Password' = $recoveryPass.'msFVE-RecoveryPassword'
} | Format-List
}
$response = read-host "Repeat (y)?"
}
while ($response -eq "y")
You need to provide only the first 4 characters of the ID to this script.
Thank you very much for this. I will see if this will work for them.
Hello another question regarding this script, if I may:
Cx is migrating all the keys from on prem MBAM / AD to Azure AD. Will this script work for query to AAD?
Isn't the get-adobject a cmdlet only for on prem ad object device management, and not for Azure AD management?
In essence what we need is essentially the same thing, but instead of looking at on prem AD, the script needs to look at Azure AD to pull the recovery key
Sorry Steve, I had not looked at the tags you selected, else I would have known that you need something for azure AD.
We use that script on premises and no, it won't work on azure. No azure experience here, sorry.
How about simply using the bde commands?
manage-bde -protectors C: -get
Hello, not sure. Will it work to get the key that is escrowed in Azure? This is an Intune policy managed environment that wants to manage key recovery to a select few, but also to create an automated way to retrieve it.
thanks again.
Hi TKujala, did you have a link to what you were talking about? This one is dead.
Thanks again.
Hello SteveWakefield
Yes, you can use the next script to retrieve the recovery key programatedly:
$BitlockerVolumers = Get-BitLockerVolume
$BitlockerVolumers |
ForEach-Object {
$MountPoint = $.MountPoint
$RecoveryKey = [string]($.KeyProtector).RecoveryPassword
if ($RecoveryKey.Length -gt 5) {
Write-Output ("The drive $MountPoint has a recovery key $RecoveryKey.")
}
}
Hope this helps with your query,
--If the reply is helpful, please Upvote and Accept as answer--
These were the errors we got when we ran this:
$.MountPoint : The term '$.MountPoint' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:4 char:15
+ $MountPoint = $.MountPoint
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.MountPoint:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
$.KeyProtector : The term '$.KeyProtector' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:5 char:25
+ $RecoveryKey = [string]($.KeyProtector).RecoveryPassword
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($.KeyProtector:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
31 people are following this question.
