bitlocker get blank keys

I am not sure how to get this worked out. I have a PowerShell script that gets all computers in an OU that have a BitLocker key. I am trying to get all keys if they have one or not. I cannot find what to adjust. I have tried if statements and everything.

So if the computer has a key, I want the computer name and key. Then I want the computer and to show a blank space or no key if there is no BitLocker key.

Add-PSSnapin Quest.ActiveRoles.ADManagement



$SecurePassword=Convertto-SecureString -String $MyClearTextPassword -AsPlainText -force

$Creds=New-object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

#Prompt for AD user to use
#Connect to DC
Connect-QADService -service ""  -credential $Creds
#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"
#Create array 
$export = @()
#Export computers not Bitlocker-enabled to a CSV-file
$BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,DN,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {
#Create custom object
$computerobj = New-Object -TypeName psobject
#Add name
$computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
#$computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"
$computerobj | Add-Member -MemberType NoteProperty -Name DN -Value $_."DN" 

$export += $computerobj
}
#Export the array with computerinformation to the user-specified path
$export  |select -Unique Name , @{N="OU";E={$_.DN.Split(',')[2,3]}}  | sort Name| Export-Csv -Path $CsvFilePath -NoTypeInformation

I dislike empty arrays and adding to them, almost never necessary. I also detest quest. Is this an old script you had laying around?

You might include a searchbase for your computers' OUs.

$bitlockerinfo = get-adcomputer -filter * |% {

$blinfo = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties msfve-recoverypassword


[pscustomobject]@{
computer = $_.name
key = $blinfo.msfve-recoverypassword
}
}




Actually it is an old script I used at another company. I then just modify what I want. I will test your script and see what I get. I was wanting to pull OU info and OS system too. That is why I made it an empty so I could put what I wanted. But I am always willing to learn new ways to do things.

I got this error. I kind of see what you are doing. I will have to add the DN and other stuff I had collected in the original script, as I needed that.

Not sure where to go on the error, as I am a tad fuzzy on how you are pulling the BitLocker key.

At line:26 char:20
+ key = $blinfo.msfve-recoverypassword
+                ~~~~~~~~~~~~~~~~~
Unexpected token '-recoverypassword' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

Oh, I always forget the hyphen in the property name. Enclose it in single quotes: $blinfo.'msfve-recoverypassword'

The recovery info is an object under the computer that you can’t see in ADUC so we use the distinguishedname of the computer as the searchbase.

Man, I must be off tonight. I still cannot wrap my head around how you are getting some of the info. I guess I have been using Quest too long. I am trying to grab the operatingsystem and model but failing. My thinking is that bitlockerinfo has it all because of the filter *. Am I wrong? I pasted the results, as I find it funny it is only giving me DN only when it has a key …

I am sorry for the newbie questions, but I am lost on how this is working.

Import-Module ActiveDirectory



$SecurePassword=Convertto-SecureString -String $MyClearTextPassword -AsPlainText -force

$Creds=New-object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"

$bitlockerinfo = get-adcomputer -credential $Creds -filter * |% {

$blinfo = get-ADObject -credential $Creds -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties DistinguishedName,OperatingSystem,msfve-recoverypassword


[pscustomobject]@{
computer = $_.name
OU = $blinfo.'DistinguishedName'
OS = $bitlockerinfo.'OperatingSystem'
key = $blinfo.'msfve-recoverypassword'
#model = $bitlockerinfo.''
}
}



$bitlockerinfo |select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation
Computer     OU                   OS               Key                                                      Model

550ACB-4441                       System.Object[]
550ACB-4442                       System.Object[]
550ACB-4443                       System.Object[]
550ACB-4551                       System.Object[]
550ACB-4904  OU=Computers OU=ACB  System.Object[]  175175-376640-309111-341847-554202-390599-106645-104137
550ACB-4905  OU=Computers OU=ACB  System.Object[]  455048-446644-615450-521631-515713-002431-600864-128667
550ACB-4906  OU=Computers OU=ACB  System.Object[]  181027-201608-168696-592878-665456-054516-361405-257114

Hopefully this makes more sense.

$computers = get-adcomputer -filter * -properties operatingsystem

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname -properties msfve-recoverypassword


[pscustomobject]@{
computer = $computer.name
os = $computer.operatingsystem
key = $key.'msfve-recoverypassword'
}
}




Thank you so much for your help. I am almost there. I still am trying to get the model number but the code written this way makes more sense. I did get an error though. I am just so close with your help. Thank you.

Get-ADObject : Cannot validate argument on parameter 'SearchBase'. The argument is null. Provide a valid value for the argument, and then 
try running the command again.
At line:18 char:94
+ ... -Recoverypassword=*)" -Searchbase $computer.distinguishedname -proper ...

I thought of adding searchbase as OU = Main but it still errors. Well, it does not error, it just hangs and does not look like it is doing anything. I think that is one good thing about Quest tools. I could see the progress bar LOL

Here is the code. I tried grabbing description too.

get-adcomputer -filter * -properties operatingsystem

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "OU=xxx,dc=xxx,dc=xxx,dc=xxx" -properties canonicalname,description,msfve-recoverypassword


[pscustomobject]@{
computer = $computer.name
os = $computer.operatingsystem
key = $key
}
}



$bitlockerinfo |select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation

The searchbase for your computers is the top line.

The searchbase for the bitlockerkey is the dn of the computer.

I am still having some issues, if someone would like to help. I get no results at all.

get-adcomputer -SearchBase "ou=xx,dc=xx,dc=xx,dc=org"  -filter * -properties operatingsystem

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReporttest.csv"

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "ou=xx,dc=xx,dc=xx,dc=org" -properties canonicalname,description,msfve-recoverypassword


[pscustomobject]@{
computer = $computer.name
os = $computer.operatingsystem
key = $key
ou= $bitlockerinfo.distiguishedname
}
}



$bitlockerinfo |select -Unique Computer, @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation

Again, the searchbase for the recovery info object is $computer.distinguishedname.

get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname

Don’t modify the script I gave you until you understand what’s going on, you can’t just substitute variables and expect them to work. ou= $bitlockerinfo.distiguishedname is not going to give you anything.

#enter one computername with known recovery info.

$computer = 'mypc01'

$i = get-adcomputer $computer -properties operatingsystem

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $i.distinguishedname -properties canonicalname,description,msfve-recoverypassword


The code above works when they have a key. It errors out with a computer with no key. I am sorry about getting confused. It did not pull description at all. I know in AD it has it as description. I really am not this stumped, as I have two scripts working now but am using Excel to match the info up. Is there a way to PayPal you something for your troubles?

I am not seeing how to attach pics. Here is what it says:

6/6/2016 - cv27560 - Satellite C55-A

The last was an example of how we return objects and their properties. Now, when a property doesn’t have a value and we use the pscustomobject the value will be blank.

$computer = get-adcomputer mypc -properties operatingsystem,description

#properties of object

[pscustomobject]@{desc=$computer.description;name = $computer.name;os=$computer.operatingsystem}

Oh, I understand now, Dan. Thank you so much. Now I understand more on how to do it. I will go ahead and try to finish writing it to get all computers in a certain OU.

Five line script + sheer boredom…

Ha, I wish I had sheer boredom and could write something like that. I think I understand everything now. I will put together BitLocker info and computer info in one script now. Thank you. I wish I could be as good as you one day.
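
An added example, not code from any poster in this thread: one way to produce the report discussed above, listing every computer in an OU with its key or a blank cell. It goes beyond the thread by fetching all recovery objects in one query and keeping only the newest per computer, which avoids the System.Object[] cells that appear when a machine has several keys. The OU path and CSV location are placeholder assumptions, and Get-Credential replaces the clear-text password variable.

```powershell
# Added example; placeholder values are marked as such.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Computers,OU=Example,DC=example,DC=org'   # placeholder OU
$CsvFilePath = Join-Path $env:USERPROFILE 'BitLockerComputerReport.csv'
$Creds       = Get-Credential   # prompt instead of a clear-text password in the script

# One query for every recovery object below the OU, instead of one query per computer.
$recovery = Get-ADObject -Credential $Creds -SearchBase $SearchBase `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties 'msFVE-RecoveryPassword', whenCreated

# Index by parent DN (the computer object). Sorting oldest-first means the
# newest recovery password is the one left in the table for each computer.
$newestKey = @{}
foreach ($r in ($recovery | Sort-Object whenCreated)) {
    $parentDn = $r.DistinguishedName -replace '^[^,]+,', ''
    $newestKey[$parentDn] = $r.'msFVE-RecoveryPassword'
}

$computers = Get-ADComputer -Credential $Creds -SearchBase $SearchBase -Filter * `
    -Properties OperatingSystem, Description

$report = foreach ($computer in $computers) {
    [pscustomobject]@{
        Computer    = $computer.Name
        OU          = $computer.DistinguishedName -replace '^[^,]+,', ''
        OS          = $computer.OperatingSystem
        Description = $computer.Description
        Key         = $newestKey[$computer.DistinguishedName]   # $null becomes a blank cell
    }
}

$report | Sort-Object Computer | Export-Csv -Path $CsvFilePath -NoTypeInformation
```

A blank Key cell can also mean the account running the query has no read access to the confidential msFVE-RecoveryPassword attribute. The CSV holds live recovery passwords, so write it somewhere only the intended administrators can read.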