PowerShell Script to Find Computer Objects Lacking a BitLocker Key

  • Question

  • We have a workstation imaging process that encrypts the drive as one of the last steps.  On occasion, the process fails after the drive gets encrypted, but before the key gets backed up to AD.  I'm not sure why that happens as I am not the one who created and maintains the imaging process.

    We also have some younger techs who did not understand the importance of verifying that the BitLocker recovery key is backed up in AD before deploying the machine.  So we have landed in a position where we have machines in the field that do not have the BitLocker recovery key in AD.  We found this out the hard way.

    We found a script that goes through our OU in AD and lists all computer objects with their associated child objects.  We can then sift through that list to find the computers without child objects, and those are the machines without the BitLocker key backed up in AD.  That solution is passable, but I think there must be a better way.

    I have found that by opening ADSI Edit, I can see the child objects stored with each machine. It looks to me like the BitLocker recovery key is stored in an attribute of the child object called msFVE-RecoveryPassword.  Is there a way using PowerShell to query ADSI Edit and build a list of all computers that lack that child object?

    Thanks for any help that you can offer!

    --Tom

    Monday, December 24, 2018 9:54 PM

All replies

  • Just Query the computer objects.

    # Look up one computer object, then list every object stored beneath it in the directory
    $c = Get-ADComputer -Identity sbs01
    Get-ADObject -Filter * -SearchBase $c.DistinguishedName

    This will return all child objects.  You can set the filter to return only the "objectClass" you want.  The command returns all children of the "SearchBase" which, in this case, is set to the computer of interest.


    \_(ツ)_/

    Monday, December 24, 2018 10:09 PM
  • I got that to work for the PC that I am using as the test case for my script.  The problem is, it requires me to know the computer name ahead of time.  But what if you don't know in advance which computers are missing the BitLocker key?

    We do have a crappy script that returns every computer object, and then we can manually filter the results to get the machines which are missing the BitLocker key, but it's a lot of work.  I am trying to find a more elegant solution.

    My ultimate goal is a script that will build a list of only the computer objects in our OU that are missing the BitLocker key, back up the key to AD as it builds the list, and finally output the list of all computers that had their BitLocker keys backed up.  As a PowerShell novice, it's a bit beyond me at the moment.

    --Tom

    Friday, December 28, 2018 10:24 PM
  • Just use Get-ADComputer -Filter *

    Loop it and use the computer distinguished name to query each computer.  If the query is null then there is no key.  Should take about 5 lines.


    \_(ツ)_/

    Friday, December 28, 2018 11:13 PM
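The loop sketched in the last reply, written out as an added example (not code from the thread): it walks every computer in an OU, checks for a BitLocker recovery-information child object under each one, and returns the computers that have none. It assumes the ActiveDirectory module is installed and that the OU distinguished name below (a placeholder) is replaced with your own.

```powershell
# Added example: report computer objects in an OU that have no BitLocker
# recovery key backed up to AD. Not from the original thread.
# Assumption: ActiveDirectory module present; $ou is a placeholder DN.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder: your workstation OU

function Get-ComputersMissingBitLockerKey {
    param([string]$SearchBase)

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # Each backed-up key is an msFVE-RecoveryInformation object stored directly
        # beneath the computer object; the key itself is in msFVE-RecoveryPassword.
        # Only existence is checked here; the password attribute is never read.
        $keys = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                             -SearchBase $computer.DistinguishedName `
                             -SearchScope OneLevel

        if (-not $keys) {
            # No child object found: the recovery key was never escrowed to AD
            [pscustomobject]@{
                Name              = $computer.Name
                DistinguishedName = $computer.DistinguishedName
            }
        }
    }
}

$missing = Get-ComputersMissingBitLockerKey -SearchBase $ou | Sort-Object Name
$missing | Format-Table -AutoSize
"{0} computer(s) without a BitLocker recovery key in AD" -f @($missing).Count
```

Run it with an account that can read msFVE-RecoveryInformation objects (by default only domain administrators can); without that permission the query returns nothing for every computer and all of them appear to lack a key.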