Cannot retrieve bitlocker key via powershell

  • General discussion

  • Hi

    Recently I am unable to retrieve the bitlocker key via powershell.

    My code worked twice before. But recently when I am trying to retrieve the information I am unable to.

    # Two statements: first resolve the computer object, then search beneath it
    $computer = Get-ADComputer computername
    Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $computer.DistinguishedName -Properties "msFVE-RecoveryPassword" | Select-Object msFVE-RecoveryPassword

    This is the code that I use and now when I am running the code it just takes me back to the prompt without any errors. I know the bitlocker key is in the AD as I can search for it on the AD GUI.

    I posted this on the powershell.org site and was told it may be possible that an update might have changed where the bitlocker recovery password is held.

    There has been a bunch of updates made on the server but these are the ones I think may have stopped the code from working:

    KB3074543 - .net framework 3.5.1 Server 2008 R2 SP1
    KB3077989 - .net framework 3.5.1 Server 2008 R2 SP1
    KB3122648 - .net framework 3.5.1 Server 2008 R2 SP1
    KB3127220 - .net framework 3.5.1 Server 2008 R2 SP1
    KB4014573 - .net framework 3.5.1 Server 2008 R2 SP1
    KB4014504 - .net framework 3.5.1 Server 2008 R2 SP1

    KB4014573 seems to affect a powershell v3.0 command but not relating to the bitlocker key issue I am having.

    I am wondering if someone in the community might be able to put me in the right direction, as the DC is running on Server 2008 R2 on a VM that has 4 GB of RAM; I find it painfully slow and prefer to use PowerShell to retrieve information.

    Many thanks

    Ben

    • Changed type Bill_Stewart Wednesday, September 13, 2017 9:56 PM
    • Moved by Bill_Stewart Wednesday, September 13, 2017 9:56 PM Abandoned
    Monday, June 26, 2017 10:58 AM

All replies

  • Please look at the script at https://social.technet.microsoft.com/Forums/lync/en-US/be8a1dea-56e2-4437-ba5f-6cae965a213d/lookup-bitlocker-recovery-key-with-key-id-in-powershell?forum=winserverpowershell

    That script uses the recovery ID to look up the key. So when you service a computer or partition and try to unlock it, the ID is displayed and you only need to supply the script with the first 4 characters, at least in my modified version on that linked site.

    Monday, June 26, 2017 11:45 AM
  • I wrote an article about how to do this a while back:

    Windows IT Pro - Get BitLocker Recovery Information from AD Using PowerShell


    -- Bill Stewart [Bill_Stewart]

    Monday, June 26, 2017 2:20 PM
  • Sethfrid, you need to give feedback.
    Thursday, June 29, 2017 7:45 AM
  • Hi

    Apologies for the lateness. I looked at the solution from Bill and tried his script that was provided. I may be doing this wrong, but this is the issue I am getting.

    I take the script from Bill and save as a PS1 file.

    I run ps as admin and run the script.

    I am prompted to enter a computer name which I enter and I am taken back to the prompt with no error messages.

    I know the recovery key is there as I can see it in the AD GUI but not in powershell.

    I will need to try again with the solution from Ronald, as the foreach was failing for me. I need to get the error; it could just be me doing something wrong.

    Thanks

    Ben

    Thursday, June 29, 2017 2:24 PM
  • Hi Roland

    I took another look at your script that you provided. The errors I am getting are:

    You cannot call a method on a null-valued expression.
    At C:\Users\svca\Desktop\bit.ps1:6 char:75
    +     $computer = get-adcomputer -identity ($records.DistinguishedName.Split <<
    << (",")[1]).split("=")[1]
        + CategoryInfo          : InvalidOperation: (Split:String) [], RuntimeExce
       ption
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Get-ADObject : Cannot validate argument on parameter 'SearchBase'. The argument
     is null. Supply a non-null argument and try the command again.
    At C:\Users\svca\Desktop\bit.ps1:7 char:99
    +     $recoveryPass = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInfo
    rmation'} -SearchBase <<<<  $computer.DistinguishedName -Properties 'msFVE-Reco
    veryPassword' | where {$_.DistinguishedName -like "*$key*"}
        + CategoryInfo          : InvalidData: (:) [Get-ADObject], ParameterBindin
       gValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Activ
       eDirectory.Management.Commands.GetADObject

    You cannot call a method on a null-valued expression.
    At C:\Users\svca\Desktop\bit.ps1:10 char:44
    +         'Recovery Key ID' = $rec.Name.Split <<<< ("{")[1].split("}")[0]
        + CategoryInfo          : InvalidOperation: (Split:String) [], RuntimeExce
       ption
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Does this mean that there is a limitation on powershell due to the version I am using?

    Thanks

    Ben

    Thursday, June 29, 2017 2:42 PM
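The two failure modes in this thread, the original query that silently returns nothing and the "null-valued expression" errors from chained Split calls, both come from not checking intermediate results. The function below is an added example written for this thread; it is not the OP's code, Bill's article script, or the script from the linked forum post. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it has been delegated read access to the msFVE-RecoveryInformation objects; the function and parameter names are my own.

```powershell
# Added example: look up BitLocker recovery information stored under a
# computer object in AD, with explicit checks at each step.
function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 1: resolve the computer object. Get-ADComputer throws when the
    # name is unknown; catching it here avoids a later "null-valued
    # expression" failure on $computer.DistinguishedName.
    try {
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    } catch {
        Write-Error "Computer '$ComputerName' not found in AD: $($_.Exception.Message)"
        return
    }

    # Step 2: recovery information objects are children of the computer
    # object, so search exactly one level beneath it. @() forces an array
    # so .Count works even when zero or one object comes back.
    $records = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated')

    # Step 3: an empty result is not an error as far as AD is concerned.
    # It usually means no key was escrowed for this computer, or the caller
    # cannot read the child objects (the GUI, run as another account, may
    # still show them). Say so instead of returning to the prompt silently.
    if ($records.Count -eq 0) {
        Write-Warning ("No msFVE-RecoveryInformation objects returned under " +
            "$($computer.DistinguishedName). Check that the key was escrowed " +
            "and that this account can read those objects.")
        return
    }

    foreach ($rec in $records) {
        # The object name has the form '<timestamp>{<recovery GUID>}'.
        # A regex match returns $null on an unexpected shape instead of
        # throwing the way a Split(...)[1] chain does.
        $keyId = if ($rec.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $null }

        [PSCustomObject]@{
            ComputerName      = $computer.Name
            'Recovery Key ID' = $keyId
            RecoveryPassword  = $rec.'msFVE-RecoveryPassword'
            Created           = $rec.whenCreated
        }
    }
}

# Usage (computer name is a placeholder):
# Get-BitLockerRecoveryInfo -ComputerName 'WORKSTATION01' | Format-List
```

Running this against the OP's computer would distinguish "no objects visible to this account" (the warning fires) from "objects present but the key ID cannot be parsed" (a row with an empty Recovery Key ID), which is the information the thread was missing. Because msFVE-RecoveryPassword is the plaintext recovery secret, read access to those objects should be delegated deliberately and the Get-ADObject calls audited like any other read of a credential attribute.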
  • Which script are you referring to? The one in my article or the one in the other forum thread?

    -- Bill Stewart [Bill_Stewart]

    Thursday, June 29, 2017 2:48 PM
  • Sethfrid, just for a test, execute it just like I did, which is on win10 with RSAT installed, as domain admin.
    Thursday, June 29, 2017 2:58 PM
  • Hi Bill

    It was the script in your article. 

    That is what I am having problems with.

    Thanks

    Ben

    Monday, July 3, 2017 7:04 AM
  • It would appear from your error message that you are trying to parse input from an input file of some kind and pass that to the script. If that is what you are doing, you need to post an example of what your input looks like and precisely how you are trying to use the script to process that input. (Your post provides insufficient context to have an idea of what exactly is going wrong.)

    -- Bill Stewart [Bill_Stewart]

    Monday, July 3, 2017 2:45 PM
  • Sethfrid, Bill...

    Please look at this thread and consider reading it again. Sethfrid wrote days ago:

    I looked at the solution from Bill and tried his script that was provided. I maybe doing this wrong but this is the issue I am getting.

    I take the script from Bill and save as a PS1 file.

    I run ps as admin and run the script.

    I am prompted to enter a computer name which I enter and I am taken back to the prompt with no error messages.

    Understood? No error message. Then he tried mine and quoted the error he got with mine. I asked him to execute it like I did, but that has not been done so far.

    Tuesday, July 4, 2017 5:13 AM
  • The OP said he was using the script from my article but then was getting errors, but if you look at the error, it seems clear that he's not just running the script from the PowerShell prompt but rather trying to do some kind of input processing. Hence my question. (In his response the OP called you "Roland", but I think he meant me.) The error record from his data seems not to be from the script I wrote, so I'm not sure what the OP is doing.

    In any case, I think this thread illustrates the need to ask a good, clear, concise question that provides sufficient information so that people answering don't have to guess at details and ask "20 questions" to get needed information.


    -- Bill Stewart [Bill_Stewart]



    Tuesday, July 4, 2017 2:09 PM
  • Hello Everyone

    Sorry, I had notifications turned on but I was not getting any alerts, and only came in because running the code I originally posted is now working.

    I do not see anything new installed so not sure why it was working then stopped working and now working again.

    Thanks to all that replied. :)

    Tuesday, August 8, 2017 9:05 AM