Skip to main content

SYNOPSIS

Invokes the backup of BitLocker recovery keys to Intune for all Intune managed devices.

SYNTAX

Default (Default)

Get-MgBitlockerKeyInfo [-IncludeDeviceInfo] [-IncludeDeviceOwner] [-ExportToExcel] [-ShowKeyInPlainText]
 [-RunFromAzureAutomation] [-DeviceName <String>] [-DeviceID <String>] [-ProgressAction <ActionPreference>]
 [<CommonParameters>]

KeyVault

Get-MgBitlockerKeyInfo [-IncludeDeviceInfo] [-IncludeDeviceOwner] [-ExportToExcel] [-ShowKeyInPlainText]
 [-RunFromAzureAutomation] [-BackupToKeyVault] -KeyVaultName <String> [-DeviceName <String>]
 [-DeviceID <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

This script connects to Microsoft Intune and retrieves BitLocker recovery keys from all devices managed by Intune. It requires the Microsoft Graph PowerShell SDK to be installed and appropriate permissions to access device management and BitLocker key data.

EXAMPLES

EXAMPLE 1

Get-MgBitlockerKeyInfo -IncludeDeviceInfo -IncludeDeviceOwner
This command retrieves BitLocker recovery keys for all Intune managed devices with device and owner information.

EXAMPLE 2

Get-MgBitlockerKeyInfo -IncludeDeviceInfo -ExportToExcel
This command retrieves BitLocker keys with device information and exports to Excel.

EXAMPLE 3

Get-MgBitlockerKeyInfo -IncludeDeviceInfo -IncludeDeviceOwner -ShowKeysInPlainText -ExportToExcel
This command generates a comprehensive report with BitLocker keys visible in plain text and exports to Excel. WARNING: Use with extreme caution as this exposes sensitive recovery keys!

EXAMPLE 4

Get-MgBitlockerKeyInfo -IncludeDeviceInfo -BackupToKeyVault -KeyVaultName "MyBitLockerVault" -ExportToExcel
This command retrieves BitLocker keys, backs them up to the specified Azure Key Vault, and exports to Excel.

EXAMPLE 5

Get-MgBitlockerKeyInfo -RunFromAzureAutomation -IncludeDeviceInfo -ExportToExcel
This command retrieves BitLocker keys using managed identity authentication and exports to Excel. Suitable for Azure Automation runbooks.

EXAMPLE 6

Get-MgBitlockerKeyInfo -DeviceName "LAPTOP-ABC123" -IncludeDeviceInfo -ShowKeysInPlainText
This command retrieves BitLocker keys for a specific device by name, includes device information, and displays keys in plain text.

EXAMPLE 7

Get-MgBitlockerKeyInfo -DeviceID "12345678-1234-1234-1234-123456789abc" -ExportToExcel
This command retrieves BitLocker keys for a specific device by ID and exports the results to Excel.

PARAMETERS

-IncludeDeviceInfo

Switch to include device information such as device name, OS, compliance status, etc. 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-IncludeDeviceOwner

Switch to include device owner information (UPN). Requires IncludeDeviceInfo parameter. 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ExportToExcel

Switch to export the results to an Excel file in the user profile directory. If not specified, the function returns the data objects. 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ShowKeyInPlainText

Switch to display BitLocker recovery keys in plain text format in the output. WARNING: This will expose sensitive BitLocker recovery keys! Only use when absolutely necessary and ensure secure handling of the output. Without this parameter, keys will be hidden for security (displayed as ‘[HIDDEN]’). 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-RunFromAzureAutomation

(Optional) If specified, uses managed identity authentication instead of interactive authentication. This is useful when running the script in Azure environments like Azure Functions, Logic Apps, or VMs with managed identity enabled. PowerShell modules used in Azure Automation must be a MAXIMUM of version 2.25.0 when using PowerShell < 7.4.0, because starting from version 2.26.0, PowerShell 7.4.0 is required, and Azure Automation does not support it yet as of February 2026. For PowerShell 7.4.0+, there are no version restrictions. https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3147 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3151 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3166 
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-BackupToKeyVault

Switch to enable backup of BitLocker recovery keys to Azure Key Vault. Must be used together with -KeyVaultName. 
Type: SwitchParameter
Parameter Sets: KeyVault
Aliases:

Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-KeyVaultName

Specify the name of Azure Key Vault to backup BitLocker recovery keys. Mandatory when -BackupToKeyVault is specified. Requires Azure PowerShell module and appropriate permissions to access Key Vault. Keys will be stored with device name and BitLocker key ID as the secret name. 
Type: String
Parameter Sets: KeyVault
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DeviceName

Filter results to a specific device by its display name. Cannot be used together with DeviceID parameter. 
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-DeviceID

Filter results to a specific device by its device ID (GUID). Cannot be used together with DeviceName parameter. 
Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

Author: Bastien Perez (adapted from Vasil Michev) Source: https://github.com/michevnew/PowerShell/blob/master/GraphSDK_Bitlocker_report.ps1 The script requires the following Microsoft Graph permissions:
  • BitLockerKey.Read.All (required) - Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key.
  • Device.Read.All (optional) - Needed to retrieve device details like name, OS, compliance status
  • User.ReadBasic.All (optional) - Needed to retrieve device owner UPN information
PERMISSION SCOPE CONSIDERATIONS:
  • User context: Can only read BitLocker keys for devices owned by the signed-in user (if you have admin permissions, you can read all devices and all bitlocker keys)
  • Application context: Can read BitLocker keys for all devices in the organization (requires admin consent)
  • Managed Identity: Same as application context when properly configured with admin consent
SECURITY WARNING: The exported CSV file contains sensitive BitLocker recovery keys. Store it in a secure location and limit access appropriately! https://ps365.clidsys.com/docs/commands/Get-MgBitlockerKeyInfo