How do I get a list of all our bitlocker keys already in Azure?

Allan, Robyne 70

We want to enable stale device clean up in Azure but the Microsoft articles state we need to get the list of bitlocker keys before we enable the clean up. We have tried several scripts with no luck. I am an Intune Administrator and my teammate is a Global Admin but we still get errors (one is we are not authorized) in the scripts we have tried. I would like a simple way of getting the bitlocker keys saved to an excel file so we can keep that on hand before doing the clean up. Any suggestions would be appreciated.

Dillon Silzer 56,681 Reputation points

2023-06-14T21:33:40.0466667+00:00

What is the exact error you are receiving?

Allan, Robyne 70

I am trying this script being deployed to a group in intune - when I run it as a sp1 locally I get

False

I will add some others we have tried

try{
$BLV = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $KeyProtectorID=""
        foreach($keyProtector in $BLV.KeyProtector){
            if($keyProtector.KeyProtectorType -eq "RecoveryPassword"){
                $KeyProtectorID=$keyProtector.KeyProtectorId
                break;
            }
        }

       $result = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KeyProtectorID -whatif
return $true
}
catch{
     return $false
}

Allan, Robyne 70 Reputation points

2023-06-14T22:02:42.2333333+00:00
Allan, Robyne 70 Reputation points

2023-06-14T22:09:20.87+00:00

The next script

#Client and user data

$AccountName = xxxxxxx

$AccountPassword = 'xxxxxxxxxx'

#Variable for Pscredential object

$SecurePassword = ConvertTo-SecureString $AccountPassword -AsPlainText -Force

$Credential = New-Object System.Management.Automation.PSCredential -argumentlist $AccountName, $SecurePassword

Connect-AzureAD -Credential $Credential

#Write-Host "Enter your xxxxxx account and password" -BackgroundColor Black -ForegroundColor Yellow

$ClientId = "xxxx"

$ClientSecret = 'xxxxxx'

$TenantID = ""

$GraphUri = 'https://graph.microsoft.com'

$GraphVersion = 'beta'

Authentication url

$AzureResourceURI = https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token

Construct the Body for the POST

$Body = "grant_type=password"`

+ "&username=" + $Accountname `

+ "&client_id=" + $ClientId `

+ "&client_secret=" + $ClientSecret`

+ "&password=" + $AccountPassword`

+ "&scope=https://graph.microsoft.com/.default"

The result should contain a token for use with Graph

$Response = Invoke-WebRequest -Uri $AzureResourceURI -Method POST -Body $Body -UseBasicParsing

$ResponseJSON = $Response | ConvertFrom-Json

Add the token to headers for the Graph request

$Headers = @{

Authorization = "Bearer" + $ResponseJSON.access_token

}

#Run API call

$Deviceuri = "$GraphUri/$GraphVersion/devices"

$AllDevices = Invoke-RestMethod -Uri $Deviceuri -Headers $Headers -Method Get

Gave this error:

Accepted answer

Vasil Michev 100.2K Reputation points MVP

2023-06-15T15:54:56.4733333+00:00
Not sure what script you have been playing with, but getting the list is pretty straightforward via the Graph API: https://learn.microsoft.com/en-us/graph/api/bitlocker-list-recoverykeys?view=graph-rest-1.0

If you prefer doing it via PowerShell, you can use the Graph SDK for PowerShell and the following cmdlets:

Connect-MgGraph -Scopes BitLockerKey.Read.All Get-MgInformationProtectionBitlockerRecoveryKey -All
Please sign in to rate this answer.

4 people found this answer helpful.
Wagar, Nancy 11 Reputation points

2023-06-15T16:42:22.9233333+00:00

Thank you for providing this information.

Unfortunately Get-MgInformationProtectionBitlockerRecveryKey operations does not return the key property we need. We need to use the Get-bitlockerRecoveryKey command. To get the specified BitLocker key including its key property:

GET /informationProtection/bitlocker/recoveryKeys/{bitlockeryRecoveryKeyId}?$select=key

I'm thinking this will only give me one device, we are looking to export keys for all devices (that have keys of course).

Thank you.

Vasil Michev 100.2K Reputation points MVP

2023-06-15T17:19:21.5033333+00:00

If you need the key value as well, you will need to iterate over each device. Something like this:

Get-MgInformationProtectionBitlockerRecoveryKey | select Id,CreatedDateTime,DeviceId,@{n="Key";e={(Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property key).key}},VolumeType

Wagar, Nancy 11 Reputation points

2023-06-15T20:22:16.02+00:00

Thank you Vasil, we did get keys for 24 devices using that cmd above, missing about 1000. Any ideas?

Wagar, Nancy 11 Reputation points

2023-06-15T21:54:24.8533333+00:00

I think I found the missing "-All" parameter, thank you!

Givary-MSFT 30,931 Reputation points Microsoft Employee

2023-06-19T05:29:33.8566667+00:00

@Allan, Robyne Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

nada belaziz 0 Reputation points

2023-11-03T16:42:33.3466667+00:00

Thanks !

Max Nikiforov 15 Reputation points

2024-01-15T13:31:42.97+00:00

Hi Vasil Your cmdlets works well but it only shows BitlockerKeyId, Date and DeviceId and nothing about Bitlocker Recovery Key which need to provide to user in case of any issues. Any ideas how to get the list with Bitlocker Recovery Key?

Max Nikiforov 15 Reputation points

2024-01-15T13:36:00.2533333+00:00

Ah sorry for my previous comment, this works! Get-MgInformationProtectionBitlockerRecoveryKey -All | select Id,CreatedDateTime,DeviceId,@{n="Key";e={(Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property key).key}},VolumeType

Marjan Vidovic 5 Reputation points

2024-01-15T17:16:43.2433333+00:00

Is it possible that someone rewrites the script so that it only outputs all the computer accounts that don't have a recovery key? Would help a lot. And thanks in advance for all the input.

Spartan 0 Reputation points

2024-01-18T21:37:57.9533333+00:00

Vasil Michev Script is great! How can we display each device name with the output?

Vasil Michev 100.2K Reputation points MVP

2024-01-25T14:35:05.8966667+00:00

You guys are annoying... I put together a short script that addresses all the requests above: show device name, device owner, additional device details, or even a device-centric report with the BitLocker keys added as additional columns. Check the details here: https://www.michev.info/blog/post/5950/reporting-on-bitlocker-recovery-keys-and-associated-devices
Sign in to comment

3 additional answers

eli sorow 46 Reputation points

2023-11-22T11:21:31.4833333+00:00

Hello,

is there anyway to have the information : key presence per device ?

the Get bitlockerRecoveryKey cmdlet does not help

the goal is to get devices that have not the bitlocker key in azure

having all devices and the key will be helpfull to get device with missing key.

thank you for your help

BR

Eli
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Allan, Robyne 70 Reputation points

2024-01-15T20:31:36.21+00:00

Vasil helped us resolve our issue. Here is the script that worked for us to get all the bitlocker keys from Azure. Import-Module Microsoft.Graph.Identity.DirectoryManagement Connect-MgGraph -Scopes "bitlockerkey.readbasic.all", "bitlockerkey.read.all" -TenantId xxxxxxxxxxxxx Get-MgInformationProtectionBitlockerRecoveryKey -all | select Id,CreatedDateTime,DeviceId,@{n="Key";e={(Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property key).key}},VolumeType | export-csv c:\tmp\bitlocker.csv
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

How do I get a list of all our bitlocker keys already in Azure?

Authentication url

Construct the Body for the POST

The result should contain a token for use with Graph

Add the token to headers for the Graph request

3 additional answers