02 September 2015

Home » » Using PowerShell to retrieve the Bitlocker Recovery Key from Active Directory

Using PowerShell to retrieve the Bitlocker Recovery Key from Active Directory

  Wednesday, September 02, 2015    4 comments
I wanted an easy way to find the bitlocker recovery key in the even MBAM was down and as a backup. We use MBAM, but also use Active Directory as a backup for the keys. This script makes it easy to find the key without having to go into AD. I tested this script on user profiles both with and without permissions to the bitlocker recovery keys. If a user does not have permissions to view the key, then the script returns the message no key exists.

This script will prompt for the computer name. It will then display the bitlocker recovery key stored in Active Directory. In order for this to work correctly, you will need to install Remote Server Administration Tools and active the following feature: Remote Server Administration Tools-->
Role Administration Tools-->AD DS and AD LDS Tools-->Active Directory Module for Windows PowerShell.

You can download the script from here.


 <#       
      .NOTES  
      ===========================================================================  
       Created with:      SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.92  
       Created on:       8/25/2015 1:25 PM  
       Created by:       Mick Pletcher  
       Organization:        
       Filename:        BitlockerRecoveryKey.ps1  
      ===========================================================================  
      .DESCRIPTION  
           This script will prompt for the computer name. It will then display the  
     bitlocker recovery key. In order for this to work correctly, you will   
     need to install Remote Server Administration Tools and active the  
     following feature: Remote Server Administration Tools-->  
     Role Administration Tools-->AD DS and AD LDS Tools-->  
     Active Directory Module for Windows PowerShell.   
 #>  
   
 Function Get-ComputerName {  
   #Declare Local Variables  
   Set-Variable -Name ComputerName -Scope Local -Force  
   
   $ComputerName = Read-Host "Enter the computer name"  
   Return $ComputerName  
   
   #Cleanup Local Variables  
   Remove-Variable -Name ComputerName -Scope Local -Force  
 }  
   
 Function Get-BitlockeredRecoveryKey {  
   param ([String]$ComputerName)  
   
   #Declare Local Variables  
   Set-Variable -Name BitLockerObjects -Scope Local -Force  
   Set-Variable -Name BitLockerRecoveryKey -Scope Local -Force  
   Set-Variable -Name Computer -Scope Local -Value $null -Force  
   Set-Variable -Name System -Scope Local -Force  
   
   $BitLockerObjects = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' }  
   foreach ($System in $BitLockerObjects) {  
     $System = $System.DistinguishedName  
     $System = $System.Split(',')  
     $System = $System[1]  
     $System = $System.Split('=')  
     $System = $System[1]  
     If ($System -eq $ComputerName) {  
       $Computer = Get-ADComputer -Filter {Name -eq $System}  
       $BitLockerRecoveryKey = Get-ADObject -Filter { objectclass -eq 'msFVE-RecoveryInformation' } -SearchBase $Computer.DistinguishedName -Properties 'msFVE-RecoveryPassword'  
       Write-Host "Computer Name:"$System  
       Write-Host "Bitlocker Recovery Key:"$BitLockerRecoveryKey.'msFVE-RecoveryPassword'  
     }  
   }  
   If ($Computer -eq $null) {  
     Write-Host "No recovery key exists" -ForegroundColor Red  
   }  
   
   #Cleanup Local Variables  
   Remove-Variable -Name BitLockerObjects -Scope Local -Force  
   Remove-Variable -Name BitLockerRecoveryKey -Scope Local -Force  
   Remove-Variable -Name Computer -Scope Local -Force  
   Remove-Variable -Name System -Scope Local -Force  
 }  
   
 #Declare Local Variables  
 Set-Variable -Name SystemName -Scope Local -Force  
   
 cls  
 Import-Module ActiveDirectory -Scope Global -Force  
 $SystemName = Get-ComputerName  
 Get-BitlockeredRecoveryKey -ComputerName $SystemName  
   
 #Cleanup Local Variables  
 Remove-Variable -Name SystemName -Scope Local -Force

Related Posts:

  • NIC Power Management Properties I wrote and published a script that enabled wake on lan two years ago. Since then, I have needed to write new scripts to modify the advanced tab of the NIC properties. I began by looking at my old script to see about adding… Read More
  • Automating Microsoft Endpoint Full System Scan upon Infection with Email Notification While helping to manage Microsoft Endpoint, a former colleague suggested that I setup Endpoint to automatically run a full system scan each time an infection is detected. I googled the blog posting on it and although it i… Read More
  • Query Event Logs to a Central Log File Recently, we have had sporadic issues with Outlook and needed to see who all was experiencing the problem. We knew it was logged in the event viewer logs. I decided to write a PowerShell script, with the help of Sapien Tech… Read More
  • Local Administrators Automated Reporting Tool Back in November 2016, I posted the blog entry on reporting local administrators on machines. That script is deployed to machines via an SCCM package that reports the local administrators back to SCCM to be able to be queri… Read More
  • NIC Advanced Properties Recently, we started having issues with our new Dell Latitude E7450 laptops. They would be put to sleep and then they could not restore the network connection once the laptop was docked again. The problem came from the Ener… Read More

4 comments:

  1. AnonymousSeptember 21, 2015 at 3:40 PM

    Won't work for me. Seems like there is no attribute on the computer accounts named msFVE-RecoveryInformation or msFVE-RecoveryPassword.

    ReplyDelete
    Replies
    1. Mick PletcherSeptember 21, 2015 at 4:05 PM

      Does the account you are running the script from have access to the bitlocker recovery key in AD?

      Delete
    2. AnonymousSeptember 22, 2015 at 2:02 AM

      I'm not entirely sure but I thought so. How do I check it? The account is at least admin on MBAM server and have access to keys through MBAM.

      Delete
    3. Mick PletcherSeptember 22, 2015 at 9:44 AM

      Go to your Network Admins and have them check the permissioning to see the recovery keys. When I wrote this script, I saw the results fine, but when the help desk ran it, they saw nothing. The networking team then created a security group in AD and granted permission to see the recovery keys.

      Delete