02 September 2015

Home » » Using PowerShell to retrieve the Bitlocker Recovery Key from Active Directory

Using PowerShell to retrieve the Bitlocker Recovery Key from Active Directory

  Wednesday, September 02, 2015    4 comments
I wanted an easy way to find the bitlocker recovery key in the even MBAM was down and as a backup. We use MBAM, but also use Active Directory as a backup for the keys. This script makes it easy to find the key without having to go into AD. I tested this script on user profiles both with and without permissions to the bitlocker recovery keys. If a user does not have permissions to view the key, then the script returns the message no key exists.

This script will prompt for the computer name. It will then display the bitlocker recovery key stored in Active Directory. In order for this to work correctly, you will need to install Remote Server Administration Tools and active the following feature: Remote Server Administration Tools-->
Role Administration Tools-->AD DS and AD LDS Tools-->Active Directory Module for Windows PowerShell.

You can download the script from here.


 <#       
      .NOTES  
      ===========================================================================  
       Created with:      SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.92  
       Created on:       8/25/2015 1:25 PM  
       Created by:       Mick Pletcher  
       Organization:        
       Filename:        BitlockerRecoveryKey.ps1  
      ===========================================================================  
      .DESCRIPTION  
           This script will prompt for the computer name. It will then display the  
     bitlocker recovery key. In order for this to work correctly, you will   
     need to install Remote Server Administration Tools and active the  
     following feature: Remote Server Administration Tools-->  
     Role Administration Tools-->AD DS and AD LDS Tools-->  
     Active Directory Module for Windows PowerShell.   
 #>  
   
 Function Get-ComputerName {  
   #Declare Local Variables  
   Set-Variable -Name ComputerName -Scope Local -Force  
   
   $ComputerName = Read-Host "Enter the computer name"  
   Return $ComputerName  
   
   #Cleanup Local Variables  
   Remove-Variable -Name ComputerName -Scope Local -Force  
 }  
   
 Function Get-BitlockeredRecoveryKey {  
   param ([String]$ComputerName)  
   
   #Declare Local Variables  
   Set-Variable -Name BitLockerObjects -Scope Local -Force  
   Set-Variable -Name BitLockerRecoveryKey -Scope Local -Force  
   Set-Variable -Name Computer -Scope Local -Value $null -Force  
   Set-Variable -Name System -Scope Local -Force  
   
   $BitLockerObjects = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' }  
   foreach ($System in $BitLockerObjects) {  
     $System = $System.DistinguishedName  
     $System = $System.Split(',')  
     $System = $System[1]  
     $System = $System.Split('=')  
     $System = $System[1]  
     If ($System -eq $ComputerName) {  
       $Computer = Get-ADComputer -Filter {Name -eq $System}  
       $BitLockerRecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $Computer.DistinguishedName -Properties 'msFVE-RecoveryPassword'  
       Write-Host "Computer Name:"$System  
       Write-Host "Bitlocker Recovery Key:"$BitLockerRecoveryKey.'msFVE-RecoveryPassword'  
     }  
   }  
   If ($Computer -eq $null) {  
     Write-Host "No recovery key exists" -ForegroundColor Red  
   }  
   
   #Cleanup Local Variables  
   Remove-Variable -Name BitLockerObjects -Scope Local -Force  
   Remove-Variable -Name BitLockerRecoveryKey -Scope Local -Force  
   Remove-Variable -Name Computer -Scope Local -Force  
   Remove-Variable -Name System -Scope Local -Force  
 }  
   
 #Declare Local Variables  
 Set-Variable -Name SystemName -Scope Local -Force  
   
 cls  
 Import-Module ActiveDirectory -Scope Global -Force  
 $SystemName = Get-ComputerName  
 Get-BitlockeredRecoveryKey -ComputerName $SystemName  
   
 #Cleanup Local Variables  
 Remove-Variable -Name SystemName -Scope Local -Force

Related Posts:

  • Enable or Disable Internet Explorer Active X Components This script will enable or disable Internet Explorer Active X components. All you have to do is pass the user friendly name of the component, component's GUID, and the flag. The app will verify if the change actually takes … Read More
  • Enable Wake-On-LAN NOTE: This is an old script. I have a newer and more efficient one located here. This script will enable WOL and test to make sure it has been set. It will return whether it was a success or failure both to a log file and … Read More
  • Get list of installed printers This function will get the list of printers installed for a user. It will also get the Default Printer. It outputs the list to Printers.txt, located at the location where the script is executed. You can download the script… Read More
  • Installing Dell CCTK and Configuring BIOS Settings This script will install the Dell CCTK and set specified BIOS settings. Unlike the CCTK that allows you to create a multiplatform file to run against any Dell model machine, this script takes a different approach so that t… Read More
  • Pinning Shortcuts to the Taskbar and Start Menu There are already scripts out there that will do this, but I have taken it a little further. I have added checking to make sure the application is installed first so that the script does not error out. I have also added on-… Read More

4 comments:

  1. AnonymousSeptember 21, 2015 at 3:40 PM

    Won't work for me. Seems like there is no attribute on the computer accounts named msFVE-RecoveryInformation or msFVE-RecoveryPassword.

    ReplyDelete
    Replies
    1. Mick PletcherSeptember 21, 2015 at 4:05 PM

      Does the account you are running the script from have access to the bitlocker recovery key in AD?

      Delete
    2. AnonymousSeptember 22, 2015 at 2:02 AM

      I'm not entirely sure but I thought so. How do I check it? The account is at least admin on MBAM server and have access to keys through MBAM.

      Delete
    3. Mick PletcherSeptember 22, 2015 at 9:44 AM

      Go to your Network Admins and have them check the permissioning to see the recovery keys. When I wrote this script, I saw the results fine, but when the help desk ran it, they saw nothing. The networking team then created a security group in AD and granted permission to see the recovery keys.

      Delete