SYNOPSIS

Invokes the backup of BitLocker recovery keys to Intune for all Intune managed devices.

SYNTAX

Get-BitlockerKeyInfo [-IncludeDeviceInfo] [-IncludeDeviceOwner] [-ExportToExcel] [-RevealKeys]
 [[-BackupToKeyVault] <String>] [[-DeviceName] <String>] [[-DeviceID] <String>]
 [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

This script connects to Microsoft Intune and retrieves BitLocker recovery keys from all devices managed by Intune. It requires the Microsoft Graph PowerShell SDK to be installed and appropriate permissions to access device management and BitLocker key data.

EXAMPLES

EXAMPLE 1

Get-BitlockerKeyInfo -IncludeDeviceInfo -IncludeDeviceOwner
This command retrieves BitLocker recovery keys for all Intune managed devices with device and owner information.

EXAMPLE 2

Get-BitlockerKeyInfo -IncludeDeviceInfo -ExportToExcel
This command retrieves BitLocker keys with device information and exports to Excel.

EXAMPLE 3

Get-BitlockerKeyInfo -IncludeDeviceInfo -IncludeDeviceOwner -RevealKeys -ExportToExcel
This command generates a comprehensive report with BitLocker keys visible in plain text and exports to Excel. WARNING: Use with extreme caution as this exposes sensitive recovery keys!

EXAMPLE 4

Get-BitlockerKeyInfo -IncludeDeviceInfo -BackupToKeyVault "MyBitLockerVault" -ExportToExcel
This command retrieves BitLocker keys, backs them up to the specified Azure Key Vault, and exports to Excel.

EXAMPLE 5

Get-BitlockerKeyInfo -DeviceName "LAPTOP-ABC123" -IncludeDeviceInfo -RevealKeys
This command retrieves BitLocker keys for a specific device by name, includes device information, and displays keys in plain text.

EXAMPLE 6

Get-BitlockerKeyInfo -DeviceID "12345678-1234-1234-1234-123456789abc" -ExportToExcel
This command retrieves BitLocker keys for a specific device by ID and exports the results to Excel.

PARAMETERS

-IncludeDeviceInfo

Switch to include device information such as device name, OS, compliance status, etc.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-IncludeDeviceOwner

Switch to include device owner information (UPN). Requires IncludeDeviceInfo parameter.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ExportToExcel

Switch to export the results to an Excel file in the user profile directory. If not specified, the function returns the data objects.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-RevealKeys

Switch to display BitLocker recovery keys in plain text format in the CSV export. WARNING: This will expose sensitive BitLocker recovery keys in the output file! Use only when necessary and ensure secure storage of the exported file.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-BackupToKeyVault

Specify the name of the Azure Key Vault to back up BitLocker recovery keys to. Requires the Azure PowerShell module and appropriate permissions to access Key Vault. Keys will be stored with the device name and BitLocker key ID as the secret name. Example: -BackupToKeyVault "MyBitLockerVault"
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DeviceName

Filter results to a specific device by its display name. Cannot be used together with the DeviceID parameter. Example: -DeviceName "LAPTOP-ABC123"
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DeviceID

Filter results to a specific device by its device ID (GUID). Cannot be used together with the DeviceName parameter. Example: -DeviceID "12345678-1234-1234-1234-123456789abc"
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

Author: Bastien Perez (adapted from Vasil Michev)
Source: https://github.com/michevnew/PowerShell/blob/master/GraphSDK_Bitlocker_report.ps1

The script requires the following Microsoft Graph permissions:
  • BitLockerKey.Read.All (required) - Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key.
  • Device.Read.All (optional) - Needed to retrieve device details like name, OS, compliance status
  • User.ReadBasic.All (optional) - Needed to retrieve device owner UPN information

PERMISSION SCOPE CONSIDERATIONS:
  • User context: Can only read BitLocker keys for devices owned by the signed-in user (if you have admin permissions, you can read all devices and all BitLocker keys)
  • Application context: Can read BitLocker keys for all devices in the organization (requires admin consent)
  • Managed Identity: Same as application context when properly configured with admin consent

SECURITY WARNING: The exported CSV file contains sensitive BitLocker recovery keys. Store it in a secure location and limit access appropriately!

https://ps365.clidsys.com/docs/commands/Get-BitlockerKeyInfo
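The following is an added example, not part of the Get-BitlockerKeyInfo documentation or the script's own code. It shows how a practitioner would wrap the cmdlet defensively: connect to Microsoft Graph with exactly the delegated scopes listed in the NOTES section and verify they were actually granted, run the report with keys masked (no -RevealKeys, no export), and, for the case where -ExportToExcel is used, lock down the resulting file's ACL so only the running account can read it. Get-MgContext, Connect-MgGraph, Get-Acl and Set-Acl are standard Microsoft Graph SDK / Windows PowerShell cmdlets; the export path passed to Protect-ExportFile is a placeholder, because the page does not state the file name the cmdlet writes, and the output object's property names are not assumed because the OUTPUTS section is empty.

```powershell
# Added example (not from the Get-BitlockerKeyInfo docs). Assumes the Microsoft Graph
# PowerShell SDK and the module providing Get-BitlockerKeyInfo are already installed.

# Scopes exactly as listed in the NOTES section of the help page.
$requiredScopes = @('BitLockerKey.Read.All')
$optionalScopes = @('Device.Read.All', 'User.ReadBasic.All')   # for -IncludeDeviceInfo / -IncludeDeviceOwner

function Test-GraphScopes {
    # Returns the scopes from $Needed that the current Graph session does NOT hold.
    param([Parameter(Mandatory)][string[]]$Needed)
    $ctx = Get-MgContext
    if (-not $ctx) { return $Needed }                 # not connected: everything is missing
    return @($Needed | Where-Object { $_ -notin $ctx.Scopes })
}

function Protect-ExportFile {
    # Strips inherited ACEs from an export file and grants access only to the current user.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Export file not found: $Path" }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # disable inheritance, drop inherited rules
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Connect with least privilege: only request what the report actually needs.
$missing = Test-GraphScopes -Needed ($requiredScopes + $optionalScopes)
if ($missing.Count -gt 0) {
    Write-Verbose "Missing Graph scopes: $($missing -join ', '); reconnecting." -Verbose
    # Delegated (user) context: unless the signed-in account holds an admin role, only
    # devices owned by that user are returned (see PERMISSION SCOPE CONSIDERATIONS).
    Connect-MgGraph -Scopes ($requiredScopes + $optionalScopes) -NoWelcome
}

# Re-check after connecting; a consent prompt the user declined leaves scopes missing.
$stillMissing = Test-GraphScopes -Needed $requiredScopes
if ($stillMissing.Count -gt 0) {
    throw "Required Graph scope(s) not granted: $($stillMissing -join ', ')"
}

# 2. Pull the report with keys masked. -RevealKeys and -ExportToExcel are deliberately
#    omitted so no plain-text key is displayed or written to disk; the objects stay in memory.
$report = @(Get-BitlockerKeyInfo -IncludeDeviceInfo -IncludeDeviceOwner)
Write-Host "Devices returned: $($report.Count)"

# Inspect the returned shape generically (the help page leaves OUTPUTS empty, so no
# property names are assumed here).
$report | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name

# 3. If an export is required, restrict the file immediately after it is written.
#    'C:\PLACEHOLDER\BitLockerReport.xlsx' stands in for the real export path.
# Get-BitlockerKeyInfo -IncludeDeviceInfo -ExportToExcel
# Protect-ExportFile -Path 'C:\PLACEHOLDER\BitLockerReport.xlsx'
```

Test-GraphScopes is run twice on purpose: once to decide whether to (re)connect, and once after Connect-MgGraph, because a user who declines the consent prompt ends up with a valid session that still lacks BitLockerKey.Read.All, and the cmdlet would then fail only part-way through. Protect-ExportFile replaces inherited permissions rather than adding to them; on a shared or synced profile directory, inherited read access for other groups is exactly what the SECURITY WARNING above is about.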