Get BitLocker Keys and store them against the asset

We find this very useful so we don't have to refer to AD for recovery keys each time a customer gets locked out.

#TODO - MAKE SURE YOU SET UP YOUR ASSET CUSTOM FIELD CALLED "Bitlocker_Key_<drive>" for each drive as a "Text Field" on your
# Syncro Device asset type. Assets -> Manage Types -> Syncro Device -> New Field
# Based on the Syncro Staff product keys script.

#TODO - check if the drive is just encrypted by TPM and has no Recovery Password, and set so on Syncro

Import-Module $env:SyncroModule

# Reads the numerical recovery password(s) for one drive and writes them to the
# asset custom field Bitlocker_Key_<drive>. With -ReportStatus it also fills the
# Bitlocker_Enabled_<drive> field (only C: has that field on the asset type).
function Save-BitLockerKey {
    param(
        [Parameter(Mandatory)] [string] $Drive,   # drive letter only, e.g. 'C'
        [switch] $ReportStatus
    )
    $mount = "${Drive}:"
    if (-not (Test-Path -Path $mount)) { return }   # drive not present on this asset

    # Volumes BitLocker cannot manage (optical drives, some removable media) make
    # Get-BitLockerVolume throw; treat that the same as "not enabled".
    $vol = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $enabled = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')

    if ($ReportStatus) {
        $state = if ($enabled) { "BitLocker is enabled" } else { "BitLocker is NOT enabled" }
        Set-Asset-Field -Subdomain "alamo" -Name "Bitlocker_Enabled_$Drive" -Value $state
    }
    if (-not $enabled) { return }

    # Only the RecoveryPassword protector carries a readable key. A TPM-only
    # volume has none, so do not write an empty value into the asset field.
    $keys = @($vol.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
              ForEach-Object { $_.RecoveryPassword })
    if ($keys.Count -eq 0) {
        Write-Host "$mount is protected but has no recovery password protector"
        return
    }

    # Hand the key to Syncro straight from memory. Writing it to a plaintext file
    # in C:\Temp and deleting it afterwards leaves the key recoverable from disk.
    # A volume can carry several recovery passwords; keep them all, one per line.
    Set-Asset-Field -Subdomain "alamo" -Name "Bitlocker_Key_$Drive" -Value ($keys -join "`n")
}

Save-BitLockerKey -Drive 'C' -ReportStatus
Save-BitLockerKey -Drive 'D'
Save-BitLockerKey -Drive 'E'

Rhodes,
The script is completing but the value is not being returned [BLK or “BitLocker is NOT enabled”]

Here’s another version that I put together:

<############################

How to use:

This script gathers the BitLocker volumes, gathers the keys, and writes the keys for each drive to an asset custom field.

Asset fields should be created with this format: BitLocker_Key_[drive letter]
For example, BitLocker_Key_C (case sensitive) would be for drive C. Each drive will need an asset field.
The script output will also state what field the key was saved to.

############################>

Import-Module $env:SyncroModule

# Drive letters of every volume BitLocker can manage, e.g. C, D
$drives = @(Get-BitLockerVolume | ForEach-Object { $_.MountPoint -replace '[:\\]', '' })
Write-Host "These BitLocker volumes were found: $drives `nGetting keys..."
Foreach ($i in $drives)
{
    # Only RecoveryPassword protectors hold a readable key; a volume can have more
    # than one, so keep them all, one per line.
    $key = @((Get-BitLockerVolume -MountPoint "${i}:").KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
             ForEach-Object { $_.RecoveryPassword }) -join "`n"
    If ($key) {
        # This also leaves the key in the Syncro script output log.
        Write-Host "BitLocker Key for Drive $i`: $key `nWritten to 'BitLocker_Key_$i' asset custom field"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value $key
    } else {
        # Covers volumes protected by TPM (or PIN/password) only, and unencrypted volumes.
        Write-Host "No BitLocker keys found for Drive $i"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value "No BitLocker keys found for Drive $i"
    }
}
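Added example (not code from either post above and not a Syncro-supplied script): it covers the TODO in the first post, reporting volumes that are encrypted by TPM only and have no Recovery Password protector, and it extends the second script by recording the protector types per drive and keeping the key itself out of the run log. It assumes a text field named BitLocker_Key_<letter> as in the second script, plus a field named BitLocker_Status_<letter>, which is an assumption of this example. When $env:SyncroModule is not set (running it by hand outside a Syncro policy), a stub Set-Asset-Field is defined so the script can be tested; that stub is also part of the example, not of the Syncro module.

```powershell
# Added example: enumerate BitLocker volumes, classify their protectors, and write
# one status field and one key field per drive. Field names below are assumptions.
if ($env:SyncroModule) {
    Import-Module $env:SyncroModule
} else {
    # Stub for running outside Syncro (assumption for this example): prints the
    # field name and a masked value instead of calling the Syncro API.
    function Set-Asset-Field {
        param([string]$Name, [string]$Value)
        Write-Host "[stub] $Name => $($Value -replace '\d{6}', '******')"
    }
}

function Get-BitLockerReport {
    # One object per volume BitLocker can manage, with its protector summary.
    foreach ($vol in Get-BitLockerVolume) {
        $letter = $vol.MountPoint -replace '[:\\]', ''
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $keys   = @($vol.KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                    ForEach-Object { $_.RecoveryPassword })
        [pscustomobject]@{
            Drive            = $letter
            ProtectionStatus = $vol.ProtectionStatus.ToString()   # On / Off / Unknown
            VolumeStatus     = $vol.VolumeStatus.ToString()       # FullyEncrypted, EncryptionInProgress, ...
            ProtectorTypes   = $types                             # e.g. Tpm, RecoveryPassword
            RecoveryKeys     = $keys
        }
    }
}

foreach ($r in Get-BitLockerReport) {
    $protectors = if ($r.ProtectorTypes.Count -gt 0) { $r.ProtectorTypes -join ', ' } else { 'none' }
    $status = "Protection: $($r.ProtectionStatus); Volume: $($r.VolumeStatus); Protectors: $protectors"
    Set-Asset-Field -Name "BitLocker_Status_$($r.Drive)" -Value $status

    if ($r.RecoveryKeys.Count -gt 0) {
        # Several recovery passwords can coexist (e.g. after manage-bde -protectors -add);
        # store all of them, one per line, so none is silently dropped.
        Set-Asset-Field -Name "BitLocker_Key_$($r.Drive)" -Value ($r.RecoveryKeys -join "`n")
        # Count only: the key itself stays out of the script output log.
        Write-Host "Drive $($r.Drive): $($r.RecoveryKeys.Count) recovery password(s) stored"
    } elseif ($r.ProtectionStatus -eq 'On') {
        # Encrypted, but with TPM/PIN/password protectors only: nothing to recover with
        # if the TPM is cleared or the board is replaced. Flag it so a tech adds one.
        $fix = "manage-bde -protectors -add $($r.Drive): -RecoveryPassword"
        Set-Asset-Field -Name "BitLocker_Key_$($r.Drive)" -Value "PROTECTED WITHOUT RECOVERY PASSWORD - add one with: $fix"
        Write-Warning "Drive $($r.Drive) is protected but has no recovery password protector"
    } else {
        Set-Asset-Field -Name "BitLocker_Key_$($r.Drive)" -Value "BitLocker is NOT enabled"
    }
}
```

Run it as a Syncro script under SYSTEM, since Get-BitLockerVolume needs elevation; outside Syncro, run an elevated PowerShell and the stub shows what each field would receive with the six-digit groups masked. The status field is what turns the "no keys found" case into something actionable: "Protection: On ... Protectors: Tpm" tells you the drive is encrypted with nothing to recover it, which is a different problem from a drive that is simply not encrypted.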

I’ve tried both of these scripts. They output the recovery key perfectly, but I can’t seem to get it to add to a custom asset field.

I can’t seem to find anywhere to create a custom asset field for anything.

Here’s the code that finishes building the string I use and writes it to a “text area” field:

$writeBack = $writeBack + "Snapshot: " + (Get-Date -Format "yyyy-MM-dd HH:mm`n") + $builtKeys
Set-Asset-Field -Name "BitLocker Keys" -Value $writeBack

What does your code look like for the Set-Asset-Field chunk? (You said “add.” Are you trying to append to the existing value perchance?)

Here’s my overly-elaborate script: