Retrieve BitLocker keys shortcuts

1 minute read


Some time ago I’ve posted how to set AD environment for BitLocker and retrieve keys from AD. I’ve missed one spot though. For that to work you had to be:

  1. AD User
  2. Member of local adminstrators on your machine.

I’ve updated that post with proper information how to fix that - delegate proper permission to SELF object.

Some Goodies

Today I’d like to share some quick-dirty scripts to automate even more:

Backup ALL

If you’d like to backup BitLocker key to both AD and AzureAD at the same time, here’s a sample script. Just select only machines you need in the Out-GridView

Remember to Invoke (and retrieve BitLocker) to remote machine you require administrative permissions (or JEA with proper configuration)!

$ComputerName =  Get-ADComputer -filter {OperatingSystem -like '*Windows*'} | Out-GridView -PassThru
Invoke-command -ComputerName $ComputerName -ScriptBlock {
  $bitLockerVolume = Get-BitlockerVolume
  foreach ($Blv in $bitLockerVolume) {
    $keyProtectors = $blv.KeyProtector | Where-Object {$PSItem.KeyProtectorType -eq 'RecoveryPassword'}
    if ($KeyProtectors) {
      Write-Host "MountPoint {'$($blv.MountPoint)'} - KeyProtector {'$($keyProtectors.KeyProtectorID)'}"
      Write-Host "    Backing up to AD"
      Backup-BitLockerKeyProtector -MountPoint $blv.MountPoint -KeyProtectorId $keyProtectors.KeyProtectorID
      Write-Host "    Backing up to Azure AD"
      BackupToAAD-BitLockerKeyProtector -MountPoint $blv.MountPoint -KeyProtectorId $keyProtectors.KeyProtectorID


And if You’d like to get all computers from AD with (and without) BitLocker information here’s another one:

Remember the account you’re running HAS to have proper AD permissions!

$computers = Get-ADcomputer -filter {OperatingSystem -like '*Windows*'} -Properties OperatingSystem,LastLogon

$results = foreach ($computer in $computers) {
    $ComputerName = $computer
    $DNComputer = Get-ADComputer $computerName | Select-Object -ExpandProperty DistinguishedName
    $obj = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $DNComputer -Properties 'msFVE-RecoveryPassword' | Select-Object Name,msFVE-RecoveryPassword
    if ($obj) {
        ComputerName = $ComputerName
        RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        Date = Get-Date -Date ($obj.Name ).Split('{')[0]
        KeyID = (($obj.Name ).Split('{')[1]).TrimEnd('}')
        LastLogon = [datetime]::FromFileTime($computer.LastLogon)
    else {
        ComputerName = $ComputerName
        RecoveryPassword = $null
        Date = $Null
        KeyID = $null
        LastLogon = [datetime]::FromFileTime($computer.LastLogon)

Now you can easily spot which computers are missing BitLocker keys stored in AD:

$empty = $results | where-object  {$null -eq $PSItem.RecoveryPassword }

Leave a comment