The script adds a BitLocker recovery password of a computer on which it is executed to the Execution Log. When the script runs, the Execution Log is displayed to users.
To execute the script, you can, for example, create a custom command to display recovery passwords to users. Since recovery information is stored in computer objects in AD, you need to create a custom command executed on Computer objects.
To add the script to a custom command, use the Run a program or PowerShell script action.
PowerShell
# Search parameters
$searcher = $Context.TargetObject
$searcher.Criteria = New-AdmCriteria -Type "msFVE-RecoveryInformation"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SetPropertiesToLoad(@("msFVE-RecoveryPassword", "name"))
try
{
# Execute search
$searchResultIterator = $searcher.ExecuteSearch()
$searchResults = $searchResultIterator.FetchAll()
if ($searchResults.Count -eq 0)
{
# No BitLocker recovery information found under the current computer object
$Context.LogMessage("This computer doesn't store its BitLocker recovery information in AD",
"Information") # TODO: modify me
return
}
foreach ($searchResult in $searchResults)
{
$name = $searchResult.Properties["name"].Value
$recoveryPassword = $searchResult.Properties["msFVE-RecoveryPassword"].Value
$Context.LogMessage("Recovery information entry: " + $name, "Information")
$Context.LogMessage("Recovery password: " + $recoveryPassword, "Information")
}
}
finally
{
# Release resources used by the search
$searchResultIterator.Dispose()
}
Thanks for this script. Could we get one that pulls the information from Azure instead of the local AD?
Unfortunately, we do not have such a script.