
I have a very weird problem. I have a PowerShell script that runs during an MDT deployment task sequence. I'm using the following commands to get the BitLocker recovery key so I can add it to my log:

# Look up the newly joined computer object on the PDC with explicit credentials
$result = Get-ADComputer $NewName -Credential $cred -Server $pdc
# The recovery information objects live directly under the computer object
$BitLocker = Get-ADObject -Credential $cred -Server $pdc -SearchBase $result.DistinguishedName -Filter 'objectclass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryPassword

This code works fine if I run it on a production machine using PowerShell ISE. If I look at the property values returned, I get this:

BitLocker.DistinguishedName      : CN=2022-01-24T10:25:24-08:00{7D23F401-9CA5-4CA2-9EC5-9463FDB32547},...
BitLocker.msFVE-RecoveryPassword : 626241-008492-619938-120065-533005-637615-269346-477114
BitLocker.Name                   : 2022-01-24T10:25:24-08:00{7D23F401-9CA5-4CA2-9EC5-9463FDB32547}
BitLocker.ObjectClass            : msFVE-RecoveryInformation
BitLocker.ObjectGUID             : 6d1e0e81-6b5e-44ca-abd2-a901ade8eb39

But when I run the same code during the task sequence, I get back this:

BitLocker.DistinguishedName      : CN=2022-01-24T10:25:24-08:00{7D23F401-9CA5-4CA2-9EC5-9463FDB32547},...
BitLocker.msFVE-RecoveryPassword : 
BitLocker.Name                   : 2022-01-24T10:25:24-08:00{7D23F401-9CA5-4CA2-9EC5-9463FDB32547}
BitLocker.ObjectClass            : msFVE-RecoveryInformation
BitLocker.ObjectGUID             : 6d1e0e81-6b5e-44ca-abd2-a901ade8eb39

The recovery key is definitely in AD; I can see it when I look in ADUC, but I cannot seem to get it during the task sequence. Very bizarre. Anyone have any thoughts?

Ed R.
  • Seems like a permissions issue, are you scheduling the task with admin credentials that can reach your DC? – Abraham Zinala Jan 24 '22 at 20:40
  • Yes, the task is running with admin credentials. The credential object, $cred, is using the same account and password in both cases. – Ed R. Jan 24 '22 at 21:10
  • In which step of your task sequence are you running your script? Is the AD Computer already updated with the Bitlocker recovery key at that time? – ZivkoK Jan 26 '22 at 13:13
  • This is literally the last step of the task sequence. At this point of the process the computer is already joined to the domain and the machine has been rebooted. In this step I'm only cleaning things up and finalizing all the logs. I want to capture the recovery key so I can add an entry to the log indicating that the key is safely in AD. – Ed R. Jan 27 '22 at 21:03
  • Here's some more interesting info. I put this code in a loop so I could continue to try it for a while. I also tested the type of objects being returned. The $result is a Microsoft.ActiveDirectory.Management.ADComputer, the $BitLocker is a Microsoft.ActiveDirectory.Management.ADObject and the $BitLocker.msFVE-RecoveryPassword is a string when I manually run the code but is null when run during the task sequence. With the loop I can add a Start-Sleep and a bail-out counter to control the amount of time to let it run. Even after three minutes I never get the recovery key, but it is in AD. – Ed R. Jan 28 '22 at 16:23
  • At this time, is the key available locally? Can you run the command to check? *manage-bde -protectors -get c:* (I suppose we are talking about the system drive) – ZivkoK Jan 31 '22 at 23:32
  • Yes, "manage-bde -protectors -get c:" does return the recovery key. The key is also stored in a text file on the root of the C: drive. That's another thing I'd like to clean up. Once I've verified the key is in AD, I would have my script remove the local file. – Ed R. Feb 01 '22 at 00:01
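As an added example (not the poster's script and not from anyone in the thread), here is a verification function built around the retry loop and the local manage-bde check discussed in the comments: it reads the local recovery-password protectors, finds the matching msFVE-RecoveryInformation object under the computer object for each one, and reports whether the escrowed password is present, readable and identical to the local copy, so the log records a verdict and the protector ID rather than the recovery password itself. It assumes the ActiveDirectory and BitLocker PowerShell modules are available, that the script runs elevated, that $NewName, $cred and $pdc are set as in the question, and the local key file path is a placeholder.

```powershell
# Added example (not the poster's script). Assumes the ActiveDirectory and BitLocker
# modules are present and the script runs elevated, as the final task-sequence step does.
function Test-BitLockerKeyEscrow {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Server,
        [string]$MountPoint = 'C:',
        [int]$MaxAttempts = 6,
        [int]$DelaySeconds = 30
    )
    # Local recovery-password protectors: the same data 'manage-bde -protectors -get C:' prints.
    $local = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $local) { throw "No recovery-password protector on $MountPoint" }
    $computer = Get-ADComputer -Identity $ComputerName -Credential $Credential -Server $Server
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Recovery objects are children of the computer object, so search one level down.
        $inAd = Get-ADObject -Credential $Credential -Server $Server `
            -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -Properties 'msFVE-RecoveryPassword'
        $report = foreach ($p in $local) {
            # The object's CN embeds the protector GUID: CN=<timestamp>{<KeyProtectorId>}.
            $match = $inAd | Where-Object Name -like "*$($p.KeyProtectorId)*" | Select-Object -First 1
            $adPwd = if ($match) { $match.'msFVE-RecoveryPassword' } else { $null }
            [pscustomobject]@{
                ProtectorId      = $p.KeyProtectorId          # safe to log; not the secret
                ObjectInAD       = [bool]$match
                # Object present but password empty is what a reader lacking the
                # control-access right on this confidential attribute sees; it is not
                # proof that the key was never escrowed.
                PasswordReadable = -not [string]::IsNullOrEmpty($adPwd)
                PasswordMatches  = ($adPwd -eq $p.RecoveryPassword)
            }
        }
        if ($report.PasswordMatches -notcontains $false) { return $report }
        Start-Sleep -Seconds $DelaySeconds   # bail-out loop, as in the comments
    }
    return $report
}

# Usage: log the verdict and protector ID, never the recovery password itself.
$escrow = Test-BitLockerKeyEscrow -ComputerName $NewName -Credential $cred -Server $pdc
$escrow | ForEach-Object { "Protector $($_.ProtectorId): inAD=$($_.ObjectInAD) readable=$($_.PasswordReadable) match=$($_.PasswordMatches)" }
$LocalKeyFile = 'C:\RecoveryKey.txt'   # placeholder: the real file name is not in the question
if ($escrow.PasswordMatches -notcontains $false) { Remove-Item -Path $LocalKeyFile -ErrorAction SilentlyContinue }
```

The local plaintext copy is only removed once every protector has been confirmed readable and matching in AD, which is the order of operations the last comment describes.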

0 Answers