@ak9999
Created February 7, 2020 13:48
Retrieve BitLocker Recovery Keys From Active Directory
# Generate a report of BitLocker recovery passwords for computers in the given OU (defaults to the domain root).
# Sources: https://4sysops.com/archives/find-bitlocker-recovery-passwords-in-active-directory-with-powershell/
param(
    [string]$OutputDirectory = "~/Desktop",
    [string]$OrganizationalUnit = ([adsi]'').distinguishedName
)

# Provides Get-ADComputer and the AD: drive used below.
Import-Module ActiveDirectory

# Stop unless the current session holds the local Administrator role.
if (!([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent() `
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host -ForegroundColor Yellow "Only Administrators can read BitLocker Recovery Keys."
    exit
}

$computers = Get-ADComputer -Filter * -SearchBase $OrganizationalUnit

$results = ForEach ($computer in $computers) {
    $dn = $computer.DistinguishedName
    $ldPath = "AD:\", $dn -join ""
    # A computer object can hold zero, one or several msFVE-RecoveryInformation children.
    $ldObjs = @(Get-ChildItem $ldPath | Where-Object { $_.objectClass -eq "msFVE-RecoveryInformation" })
    if ($ldObjs.Count -eq 0) {
        # Nothing stored in AD: still list the computer, with an empty password.
        New-Object PSObject -Property @{
            ComputerName     = $computer.Name
            RecoveryPassword = $null
        }
    }
    ForEach ($ldObj in $ldObjs) {
        $ldObjPath = "AD:\", $ldObj.DistinguishedName -join ""
        $pass = Get-Item $ldObjPath -Properties "msFVE-RecoveryPassword"
        New-Object PSObject -Property @{
            ComputerName     = $computer.Name
            RecoveryPassword = $pass.'msFVE-RecoveryPassword'
        }
    }
}

if (!(Test-Path -Path $OutputDirectory)) {
    New-Item -ItemType Directory -Path $OutputDirectory
}

# The CSV holds recovery passwords in plain text; restrict access to the output directory.
$results | Export-Csv -Path "$OutputDirectory\bitlocker-report-$(Get-Date -format "yyyyMMdd-HHmm").csv" -NoTypeInformation