
I want to get the BitLocker recovery password via PowerShell by providing the recovery key ID. I know this is doable via the Active Directory Users and Computers application, which is essentially what I'm trying to reproduce.

My process is currently as follows:

  • Prompt the user for the recovery key id
  • Get all AD objects where the ObjectClass is msFVE-RecoveryInformation
  • Filter those results by the DistinguishedName which should allow me to get the individual record I'm wanting.
  • Write out the resulting BitLocker recovery password

The problem I run into is that when using a variable in my Where-Object clause, I get no results. If I hard code in the recovery key ID, it works just fine.

Here's the code I have so far:

$key = (read-host -Prompt "Enter starting portion of recovery key ID (8 Digits)").ToUpper()
$recoveryInformation = Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' | Where-Object {$_.DistinguishedName -like "*$key*"}
echo $recoveryInformation

I've tried doing this a couple of different ways and they all ended with the same result where a hard coded value would work and a variable would not. This leads me to believe it is something with the way I am getting the user input, but I've hit a wall. Any help would be greatly appreciated.


End Result

In the end, the problem with my code is that I was using where-object instead of where. Once I made that change, everything worked as I had intended it.

The examples provided by postanote give a much better output and are definitely more robust. The last example is the best one to give the end result I was looking for.

Death259

1 Answer

Why not just use the built-in PowerShell cmdlet specifically designed to get this information?

Here are a few things to directly use or tweak for your use case. See example #5.

Get BitLocker Recovery Information from AD Using PowerShell

# Example Commands

# 1. Get BitLocker recovery information for a single computer:

Get-BitLockerRecovery computer1

# 2. Get BitLocker recovery information for a list of computers:
Get-BitLockerRecovery "computer1","computer2"

# or

"computer1","computer2" | Get-BitLockerRecovery

# 3. Get BitLocker recovery information for computers in an OU:
Get-ADComputer -Filter { name -like "*" } `
  -SearchBase "OU=Sales,DC=fabrikam,DC=com" |
  Get-BitLockerRecovery

# 4. Get the BitLocker recovery information for a specific password ID:
Get-BitLockerRecovery -PasswordID B1FED823

# 5. Get BitLocker recovery information for all msFVE-RecoveryInformation objects in the current domain:
$filter = "(objectClass=msFVE-RecoveryInformation)"
Get-ADObject -LDAPFilter $filter | ForEach-Object {
  Get-ADPathname (Get-ADPathname $_.DistinguishedName `
  -Format X500Parent) -Format Leaf -ValuesOnly |
  Get-BitLockerRecovery
}

Or in testing your variable approach not using a key string passed in by a user ...

# First ask for a computername
$usrInput = Read-Host "Type in name of computer you want to retrieve the BitLocker recovery information"

# Get the computer object from Active Directory
$objComputer = Get-ADComputer $usrInput

# Find the AD objects of class "msFVE-RecoveryInformation" that sit directly under the computer object.
# Filtering on objectClass server-side (instead of -Filter * plus a client-side Where-Object) avoids
# pulling every object in the domain; SearchBase/OneLevel ties the result to this exact computer.
$objADObject = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $objComputer.DistinguishedName -SearchScope OneLevel

# Filter the result so you'll get only the recovery key ID.
# The first RDN of the DN is "CN=<timestamp>{<GUID>}", so take the text after "{" and drop the closing "}".
# (The original line referenced an undefined $trimming variable here.)
foreach ($obj in $objADObject) {
    $guidPart = ($obj.DistinguishedName.Split(",")[0]).Split("{")[1]
    $guidPart.Substring(0, $guidPart.Length - 1)
}

Or this approach ...

# Pull only msFVE-RecoveryInformation objects (server-side filter instead of -Filter * plus a client-side Where-Object)
$computers = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"'

$key = (read-host -Prompt "Enter starting portion of recovery key ID").ToUpper()
$records = $computers | where {$_.DistinguishedName -like "*$key*"}

foreach ($rec in $records) {
    # Use the current record ($rec), not the whole collection ($records); the second RDN of the
    # recovery object's DN is "CN=<computer name>"
    $computer = get-adcomputer -identity ($rec.DistinguishedName.Split(",")[1]).split("=")[1]
    # Read the password of this specific recovery object; a SearchBase query on the computer would
    # return every recovery object under it, not just the one whose ID was matched
    $recoveryPass = Get-ADObject -Identity $rec.DistinguishedName -Properties 'msFVE-RecoveryPassword'
    [pscustomobject][ordered]@{
        Computer = $computer.Name
        'Recovery Key ID' = $rec.Name.Split("{")[1].split("}")[0]
        'Recovery Password' = $recoveryPass.'msFVE-RecoveryPassword'
    } | Format-List
}
postanote
  • First off, thank you so much for being thorough. Your examples worked great. In looking more closely at the examples I was also able to find the fault in my code. Instead of using where-object I should have just used where. Once I did that, I was able to get my code to work as I had intended it. Your examples though, gave much more robust output, so I'm going to end up doing a combination of yours and mine. Once again, thank you so much! – Death259 Oct 29 '18 at 04:04
  • No worries and glad they got you what you needed. – postanote Oct 29 '18 at 05:17
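A lookup by recovery key ID in the form a help desk tool would use, added here as an example and not code from the question or from postanote's answer: it filters server-side on objectClass and the CN of the msFVE-RecoveryInformation object, validates the key ID so user input cannot alter the LDAP filter, and resolves the owning computer from the parent DN. It assumes the ActiveDirectory module is available and that the caller has been delegated read access to msFVE-RecoveryPassword; Get-BitLockerRecoveryByKeyId is a hypothetical function name.

```powershell
# Added example, not part of the original question or answer.
# Assumes the ActiveDirectory module and delegated read rights on msFVE-RecoveryPassword.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryByKeyId {
    [CmdletBinding()]
    param(
        # Leading 8 (or more) hex characters of the recovery key ID shown on the BitLocker prompt
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}[0-9A-Fa-f-]*$')]
        [string]$KeyId
    )

    # Only hex digits and '-' pass validation, so $KeyId cannot inject LDAP filter syntax.
    # The object's CN is "<timestamp>{<GUID>}", so anchor the match on the opening brace.
    $ldapFilter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($KeyId.ToUpper())*))"

    Get-ADObject -LDAPFilter $ldapFilter -Properties 'msFVE-RecoveryPassword' |
        ForEach-Object {
            # The recovery object is a child of the computer object, so everything after
            # the first RDN is the computer's DN.
            $parentDn = $_.DistinguishedName -replace '^CN=[^,]+,', ''
            $computer = Get-ADComputer -Identity $parentDn

            [pscustomobject]@{
                Computer         = $computer.Name
                ComputerDN       = $parentDn
                RecoveryKeyId    = $_.Name.Split('{')[1].TrimEnd('}')
                Created          = $_.Name.Split('{')[0]
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Interactive use: the recovery password is a full-disk decryption secret, so display it
# once rather than writing it to a transcript, ticket or log file.
$key = Read-Host -Prompt 'Enter the first 8 characters of the recovery key ID'
Get-BitLockerRecoveryByKeyId -KeyId $key | Format-List
```

If the prefix matches recovery objects under several computers (short prefixes can collide), one object per match is returned, so check the Computer field before handing a password out.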