Script Repository

Output BitLocker recovery password

February 18, 2021

The script adds a BitLocker recovery password of a computer on which it is executed to the Execution Log. When the script runs, the Execution Log is displayed to users.

Using the script, you can, for example, create a custom command that displays recovery passwords to users. Since BitLocker recovery information is stored in AD as child objects (msFVE-RecoveryInformation) of the computer object, you need to create a custom command that is executed on Computer objects.

To add the script to a custom command, use the Run a program or PowerShell script action.
    # Find an object that stores BitLocker recovery information
    # (msFVE-RecoveryInformation objects are stored beneath the computer object)
    $searcher = $Context.TargetObject
    $searcher.SearchFilter = "(objectClass=msFVE-RecoveryInformation)"
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SetPropertiesToLoad(@("msFVE-RecoveryPassword", "name"))
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Count -eq 0)
    {
        # No BitLocker recovery information found under the current computer object
        $Context.LogMessage("This computer doesn't store its BitLocker recovery information in AD",
            "Information") # TODO: modify me
    }

    foreach ($searchResult in $searchResults)
    {
        $name = $searchResult.Properties["name"].Value
        $recoveryPassword = $searchResult.Properties["msFVE-RecoveryPassword"].Value
        $Context.LogMessage("Recovery information entry: " + $name, "Information")
        $Context.LogMessage("Recovery password: " + $recoveryPassword, "Information")
    }

    # Release resources used by the search
    $searchResultIterator.Release()
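As an added example (not part of the repository script above), the following variant logs only the newest recovery entry together with its recovery password ID, the GUID in the entry's name, which is what a user has to match against the ID shown on the BitLocker recovery screen. It assumes the same Adaxes $Context object and search methods the script above uses, and that all entries carry the same time-zone offset so the names sort chronologically.

```powershell
# Added example: log the most recent BitLocker recovery entry for the target
# computer, identified by its recovery password ID. Assumes the same Adaxes
# $Context and search API as the original script.
$searcher = $Context.TargetObject
$searcher.SearchFilter = "(objectClass=msFVE-RecoveryInformation)"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.SetPropertiesToLoad(@("msFVE-RecoveryPassword", "name"))

try
{
    $searchResultIterator = $searcher.ExecuteSearch()
    $searchResults = $searchResultIterator.FetchAll()

    if ($searchResults.Count -eq 0)
    {
        $Context.LogMessage("No BitLocker recovery information is stored in AD for this computer", "Information")
        return
    }

    # The entry name has the form <creation time>{<recovery password ID>},
    # e.g. 2021-02-18T10:15:23-08:00{0A1B2C3D-...} (constructed sample).
    # Sorting the names in descending order puts the newest protector first,
    # provided the entries share the same time-zone offset (assumption).
    $latest = $searchResults |
        Sort-Object { $_.Properties["name"].Value } -Descending |
        Select-Object -First 1

    $name = $latest.Properties["name"].Value
    $passwordId = $name.Substring($name.IndexOf("{") + 1).TrimEnd("}")
    $recoveryPassword = $latest.Properties["msFVE-RecoveryPassword"].Value

    $Context.LogMessage("Recovery password ID: " + $passwordId, "Information")
    $Context.LogMessage("Recovery password: " + $recoveryPassword, "Information")

    if ($searchResults.Count -gt 1)
    {
        $older = $searchResults.Count - 1
        $Context.LogMessage("$older older recovery entries were not shown", "Information")
    }
}
finally
{
    # Release resources used by the search even if logging failed
    if ($searchResultIterator) { $searchResultIterator.Release() }
}
```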
