This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 90%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hi!
We are seeking for a powershell command that would list which domain joined computers don't have bitlocker keys stored in AD.
with best regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Better use this which makes use of the attribute pwdlastset (which gets replicated alright across all DCs)
Import-Module ActiveDirectory
$date = [DateTime]::Today.AddDays(-60)
$pcs = Get-ADComputer -Filter 'PasswordLastSet -le $date' -properties PasswordLastSet
foreach ($pc in $pcs) {
$dn = $pc.DistinguishedName
$ldPath = "AD:\",$dn -join ""
if ((Get-ChildItem $ldPath | where {$_.objectClass -eq "msFVE-RecoveryInformation"}) -eq $null) {echo $pc.name}}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 95%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Just searched for something like this for clients that I set AD to save the key, but not all machines have it saved yet. This one worked like a champ, thanks!
Be aware that having "some" recovery key does not always help. It needs to fit the current partitions that you want to secure, so your approach is not securely leading to the desired result as keys can be outdated or some partitions might not have their key backuped while others have.
What you should do instead: deploy a script (as immediate scheduled task) that runs on all machines that adbackup all keys of all drives presently connected.
Hi. Thanks for your reply. Agree.
But for phase1 we would like to collect AD joined machines which don't have recovery key so we can start to investigate what's the reason that key isn't stored in AD, so we are (still) searching a powershell way for gathering those assets...
Hi @BCR ,
maybe this helps to get started:
https://4sysops.com/archives/find-bitlocker-recovery-passwords-in-active-directory-with-powershell/
The rest will be an easy if/else -> if msFVE-RecoveryPassword is not null = bitlocker recovery exists and else bitlocker recovery does not exist
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Yes, as in
$pcs = Get-ADComputer -Filter *
foreach ($pc in $pcs) {
$dn = $pc.DistinguishedName
$ldPath = "AD:\",$dn -join ""
if ((Get-ChildItem $ldPath | where {$_.objectClass -eq "msFVE-RecoveryInformation"}) -eq $null) {echo $pc.name}}
Hi @Hi @BCR ,
it works and fits your requirement?
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Hi. Thank you. Looks good enough. Now I just need to add to skip computers that havent logged into domain for the past 60 days
Hi @Hi @BCR ,
This may help: https://shellgeek.com/get-adcomputer-last-logon/
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
Don't use the shellgeek script. It does not respect that different DCs will return different values for lastlogon, so the results could be wrong up to 14 days.
Thank you all for your replies and help.