The script adds the BitLocker recovery password(s) of the computer on which it is executed to the Execution Log. When the script runs, the Execution Log is displayed to the user who ran it. Because the recovery password appears in the log in clear text, restrict the custom command so that only users authorized to view recovery passwords can run it.
To execute the script, you can, for example, create a custom command that displays recovery passwords to users. Since recovery information is stored in AD as msFVE-RecoveryInformation objects beneath the computer object, you need to create a custom command that is executed on Computer objects.
To add the script to a custom command, use the Run a program or PowerShell script action.
PowerShell
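# Logs the BitLocker recovery password(s) of the target computer to the
# Execution Log. Recovery passwords live in AD as msFVE-RecoveryInformation
# objects below the computer object, so the search is scoped to the subtree
# under $Context.TargetObject.
#
# NOTE(security): the recovery password is written to the Execution Log in
# clear text, and the log is shown to the user who runs the command. Only
# users authorized to see recovery passwords should be allowed to run it.
$searchResultIterator = $null
try
{
    # Find the objects that store BitLocker recovery information
    $searcher = $Context.TargetObject
    $searcher.SearchFilter = "(objectClass=msFVE-RecoveryInformation)"
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SetPropertiesToLoad(@("msFVE-RecoveryPassword", "name"))

    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Count -eq 0)
    {
        # No BitLocker recovery information found under the current computer object
        $Context.LogMessage("This computer doesn't store its BitLocker recovery information in AD",
            "Information") # TODO: modify me
        return
    }

    # A computer may have several recovery entries (one per protected volume
    # or per key rotation); log each one with its entry name.
    foreach ($searchResult in $searchResults)
    {
        $name = $searchResult.Properties["name"].Value
        $recoveryPassword = $searchResult.Properties["msFVE-RecoveryPassword"].Value
        $Context.LogMessage("Recovery information entry: " + $name, "Information")
        $Context.LogMessage("Recovery password: " + $recoveryPassword, "Information")
    }
}
finally
{
    # Release resources used by the search. ExecuteSearch() may have thrown
    # before the iterator was assigned; calling Dispose() on $null would raise
    # a second error that masks the original one.
    if ($null -ne $searchResultIterator)
    {
        $searchResultIterator.Dispose()
    }
}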