We find this very useful so we don't have to refer to AD for recovery keys each time a customer gets locked out.
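#TODO - MAKE SURE YOU SET UP YOUR ASSET CUSTOM FIELD CALLED "Bitlocker_Key_<drive>" for each drive as a "Text Field" on your
# Syncro Device asset type. Assets -> Manage Types -> Syncro Device -> New Field
# Based on the Syncro Staff product keys script.
#TODO - check whether a volume is protected by TPM only and has no Recovery password, and record that on Syncro
#
# Purpose: for each of the drives C:, D: and E: that exist on this endpoint, read the
# BitLocker recovery password(s) straight from the volume's key protectors and store
# them in the "Bitlocker_Key_<drive>" asset custom field. For C: the
# "Bitlocker_Enabled_C" field is also set to say whether protection is on.
#
# Why no temp files: the previous version wrote each recovery password to
# C:\Temp\bitlockerkey<drive>.txt, read it back with Get-Content and then ran Del.
# Del does not scrub the data, and any failure between the write and the delete left
# the key on disk in clear text, so the value is now taken directly from the
# key protector object and nothing touches the file system.
Import-Module $env:SyncroModule

# Syncro subdomain passed to Set-Asset-Field. The previous version hard-coded "alamo"
# on every call except the E: drive one; a single variable keeps all calls consistent.
$Subdomain = "alamo"

function Publish-BitlockerKey {
    <#
    .SYNOPSIS
    Writes the recovery password(s) of one drive to its Syncro asset field.
    .PARAMETER Drive
    Drive letter without the colon, e.g. "C".
    .PARAMETER ReportEnabled
    When $true, also sets "Bitlocker_Enabled_<drive>" to the enabled/not-enabled text.
    .OUTPUTS
    Nothing on the console; only Syncro asset fields are written.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Drive,
        [bool]$ReportEnabled = $false
    )
    $mount = "${Drive}:"
    # SilentlyContinue: a drive that exists but is not BitLocker-capable makes
    # Get-BitLockerVolume throw; that case is treated the same as "not enabled".
    $volume = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    if ($null -ne $volume -and $volume.ProtectionStatus -eq 'On') {
        if ($ReportEnabled) {
            Set-Asset-Field -Subdomain $Subdomain -Name "Bitlocker_Enabled_$Drive" -Value "BitLocker is enabled"
        }
        # A volume can carry more than one RecoveryPassword protector (TPM protectors
        # carry none); keep only the recovery ones and join them, one key per line,
        # so no key is dropped when the field is written as a single string.
        $keys = @($volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.RecoveryPassword })
        [string]$keyText = $keys -join "`n"
        Set-Asset-Field -Subdomain $Subdomain -Name "Bitlocker_Key_$Drive" -Value $keyText
    } elseif ($ReportEnabled) {
        Set-Asset-Field -Subdomain $Subdomain -Name "Bitlocker_Enabled_$Drive" -Value "BitLocker is NOT enabled"
    }
}

# Only C: gets the Enabled field, matching the asset fields this script expects to exist.
foreach ($drive in @('C', 'D', 'E')) {
    if (Test-Path -Path "${drive}:") {
        Publish-BitlockerKey -Drive $drive -ReportEnabled ($drive -eq 'C')
    }
}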
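<############################
How to use:
This script gathers the BitLocker volumes, gathers the keys, and writes the keys for each drive to an asset custom field.
Asset fields should be created with this format: BitLocker_key_[drive letter]
For example, BitLocker_key_C (case sensitive) would be for drive C. Each drive will need an asset field.
The script output states which field each key was saved to. The key itself is no longer
echoed: the previous version printed it with Write-Host, and script output is kept in the
run log, which is a second place the recovery key would then be readable from.
############################>
Import-Module $env:SyncroModule

# Drive letters of every BitLocker-aware volume without the trailing colon, so the
# asset field name can be built as "BitLocker_Key_<letter>".
$drives = @(Get-BitLockerVolume | ForEach-Object { $_.MountPoint.TrimEnd(':') })
Write-Host "These BitLocker volumes were found: $drives `nGetting keys..."

foreach ($i in $drives) {
    $volume = Get-BitLockerVolume -MountPoint "${i}:" -ErrorAction SilentlyContinue
    # Only RecoveryPassword protectors carry a key; a TPM-only volume yields nothing here.
    $keys = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.RecoveryPassword })
    if ($keys.Count -gt 0) {
        # Several recovery protectors are possible; join them so none is dropped when
        # the value is sent as one string.
        $key = $keys -join "`n"
        Write-Host "BitLocker Key for Drive $i written to 'BitLocker_Key_$i' asset custom field"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value $key
    } else {
        Write-Host "No BitLocker keys found for Drive $i"
        Set-Asset-Field -Name "BitLocker_Key_$i" -Value "No BitLocker keys found for Drive $i"
    }
}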
Here’s my attempt at a script. It writes no output to the terminal and stores no files, to prevent leakage; it records the volume IDs and keys for all volumes found attached when the script runs. The information is put into a comment on the ticket and prepended to the previous run's entry. The system drive key is recorded and saved as an independent field. All my scripts create tickets, comments, etc. Since the volume IDs are stored in the comments, you can search for them.
You need to have some custom asset fields:
$BillRMMTicket - Customer custom field checkbox - will either set ticket to billable or not when it creates the time entry.
$BitLocker_HomeDrive_Key - Pull from asset to compare
$BitLocker_Info - Pull history so that we can prepend the run
$BitLocker_HomeDrive_Active - Is BitLocker active on the endpoint systemdrive
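<#
Powershell Script to retrieve BitLocker Keys and settings
Expecting to receive the following parameters
- $BillRMMTicket - Customer custom field checkbox
- $BitLocker_HomeDrive_Key - Pull from asset to compare
- $BitLocker_Info - Pull history so that we can prepend the run
- $BitLocker_HomeDrive_Active - Is BitLocker active on the endpoint systemdrive

Flow: open a ticket, walk every BitLocker volume, build a one-line-per-volume summary
(with the recovery key for protected volumes), reconcile the system drive key and the
"active" flag against the asset fields passed in, then post the summary as a hidden
ticket comment, a timer entry and the prepended BitLocker_Info field.
Nothing is written to the console or to disk; the keys travel only through the Syncro API.
Exit code 1 (and ticket status "RMM Issue") signals that protection on the system drive
has been turned off since the previous run.
#>

# Pin the process to TLS 1.2 for the Syncro API calls. The previous value "Tls" selects
# TLS 1.0 only, which is deprecated and which current endpoints reject.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
Import-Module $env:SyncroModule

$localfolder = "$Env:AllUsersProfile\RMM"
$TicketSubject = 'BitLocker Status and Key Retrieval'
$TicketType = 'Software'
$TicketTime = '15'
$NewTicket = Create-Syncro-Ticket -Subject $TicketSubject -IssueType $TicketType -Status "New"
$TicketID = $NewTicket.ticket.id
$TicketUser = "syncrouseremail"
# The timer entry is back-dated by $TicketTime minutes so that it ends now.
$startAt = (Get-Date).AddMinutes(-$TicketTime).toString("o")
$OperationSummary = Get-Date -Format u
$BLStatusChanged = $False

# Ensure that our working folder is present (nothing below writes into it).
# Out-Null: New-Item emits the DirectoryInfo object, which would otherwise be the
# only console output of this script.
If ((Test-Path -Path $localfolder) -eq $False) {
    New-Item -Path $localfolder -ItemType "directory" | Out-Null
}

# Convert Parameters from Syncro to Boolean (checkbox fields arrive as "yes"/"no").
If ($BitLocker_HomeDrive_Active -eq "yes") {
    $BitLocker_HomeDrive_Active = $true
} ElseIf ($BitLocker_HomeDrive_Active -eq "no") {
    $BitLocker_HomeDrive_Active = $False
}
If ($BillRMMTicket -eq "yes") {
    $BillRMMTicket = $true
} ElseIf ($BillRMMTicket -eq "no") {
    $BillRMMTicket = $false
}

# Drive letter of the system volume, e.g. "C:". It is compared exactly rather than by
# substring so a volume mounted at a GUID path cannot be mistaken for the system drive.
$SystemDrive = $Env:SystemDrive.ToUpper()

$BitlockerVolumes = Get-BitLockerVolume
$BitlockerVolumes |
ForEach-Object {
    $volume = $_
    $MountPoint = $volume.MountPoint
    # ProtectionStatus is On/Off/Unknown; only an explicit On counts as protected.
    $Protected = ($volume.ProtectionStatus -eq 'On')
    # Only RecoveryPassword protectors carry a key; [string] joins several with a space,
    # exactly as the previous version did, so the stored key format does not change.
    $RecoveryKey = [string](($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword)
    # The mount point comes from the OS, not from a user; the quote is escaped anyway so
    # an unusual mount point cannot break the WQL filter.
    $wqlMountPoint = $MountPoint -replace "'", "\'"
    $BitLocker = Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume" -Filter "DriveLetter = '$wqlMountPoint'"
    $DeviceID = $BitLocker.DeviceID
    if ($Protected) {
        $OperationSummary = $OperationSummary + "`n" + "Encrypted : $MountPoint | VolumeID : $DeviceID | Key : $RecoveryKey"
    } else {
        $OperationSummary = $OperationSummary + "`n" + "Not Encrypted : $MountPoint | VolumeID : $DeviceID | Key : None"
    }
    if ($MountPoint.ToUpper() -eq $SystemDrive) {
        if (-not $Protected) {
            # Protection is off now; if the asset said it was on, flag the regression.
            if ($BitLocker_HomeDrive_Active) {
                $BLStatusChanged = $true
            }
            # Now we need to uncheck the Active flag
            Set-Asset-Field -Name "BitLocker_HomeDrive_Active" -Value $false
        } else {
            # Make sure the active box is checked
            Set-Asset-Field -Name "BitLocker_HomeDrive_Active" -Value $true
        }
        # We found the System Drive; compare its key with the one the asset sent.
        if ($RecoveryKey -eq $BitLocker_HomeDrive_Key) {
            # Recovery Key is the same, no need to update
            $OperationSummary = $OperationSummary + "`n" + "No change in System Drive Key"
        } elseif ([string]::IsNullOrEmpty($BitLocker_HomeDrive_Key)) {
            # Recovery key is not present (null or empty — presumably an unset custom
            # field arrives as either; verify against Syncro), so we're going to store
            Set-Asset-Field -Name "BitLocker_HomeDrive_Key" -Value $RecoveryKey
            $OperationSummary = $OperationSummary + "`n" + "Storing System Drive Key in Asset"
        } else {
            # Recovery key is different, so we need to update
            Set-Asset-Field -Name "BitLocker_HomeDrive_Key" -Value $RecoveryKey
            $OperationSummary = $OperationSummary + "`n" + "Updating System Drive Key in Asset"
        }
    }
}

# Now that we're done, let's write the information to the ticket notes.
# Note: the recovery keys are part of the hidden ticket comment and of BitLocker_Info,
# so anyone who can read the ticket or the asset custom fields can read the keys.
Create-Syncro-Ticket-Comment -TicketIdOrNumber $TicketID -Subject "Update" -Body "$OperationSummary" -Hidden "true" -DoNotEmail "true"
Create-Syncro-Ticket-TimerEntry -TicketIdOrNumber $TicketID -StartTime $startAt -DurationMinutes $TicketTime -Notes "Finished scanning system for Bitlocker volumes." -UserIdOrEmail $TicketUser -ChargeTime $BillRMMTicket
# Newest run first, previous history appended below it.
$AssetNote = $OperationSummary + "`n" + $BitLocker_Info
Set-Asset-Field -Name "BitLocker_Info" -Value $AssetNote
if ($BLStatusChanged) {
    Create-Syncro-Ticket-Comment -TicketIdOrNumber $TicketID -Subject "Update" -Body "Encryption status of System Drive has been disabled" -Hidden "true" -DoNotEmail "true"
    Update-Syncro-Ticket -TicketIdOrNumber $TicketID -Status "RMM Issue"
    exit 1
}
Update-Syncro-Ticket -TicketIdOrNumber $TicketID -Status "Resolved"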
If you’re worried about “leakage”, check the alert emails you get about the asset – they include the text of all the custom fields, including the BitLocker keys.