Script to Export BitLocker Recovery Keys for Managed Windows Devices to CSV
Export BitLocker Recovery Keys for Managed Windows Devices
This script connects to the Microsoft Graph API for a specified tenant, retrieves BitLocker recovery keys for all managed Windows devices, and exports them to a CSV file. It fetches details like key IDs, creation dates, and device IDs, and then joins this data with information from managed devices, such as device names, last sync dates, and encryption status. The resulting dataset is exported to a CSV file, making it easy to track and manage BitLocker recovery keys across the tenant’s devices.
Script Overview
Ideal for: IT security administrators managing device encryption and recovery key compliance
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| Comprehensive Key Export | Retrieves all BitLocker recovery keys | Complete recovery key inventory |
| Device Information Join | Combines key data with device details | Full context for key management |
| CSV Export | Structured data export for reporting | Easy integration with compliance tools |
| Encryption Status Tracking | Monitors device encryption state | Security compliance monitoring |
Function Implementation
```powershell
<#
.SYNOPSIS
Exports BitLocker recovery keys for all managed Windows devices in the specified tenant to a CSV file.

.DESCRIPTION
This function connects to Microsoft Graph API using the specified tenant ID and scopes, retrieves BitLocker recovery keys for all managed Windows devices in the tenant, and exports them to a CSV file.

.PARAMETER TenantId
The ID of the tenant to connect to. Default value is "xxx.com".

.PARAMETER FilePath
The path of the CSV file to export the BitLocker recovery keys to. Default value is "$home\Downloads\$TenantId-BitlockerKeys.csv".

.EXAMPLE
Export-BitLockerRecoveryKeys -TenantId "contoso.onmicrosoft.com" -FilePath "C:\temp\BitLockerKeys.csv"
This command exports BitLocker recovery keys for all managed Windows devices in the "contoso.onmicrosoft.com" tenant to a CSV file named "BitLockerKeys.csv" in the "C:\temp" directory.

.NOTES
Requires the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement, and JoinModule modules.
#>
function Export-BitLockerRecoveryKeys {
    param (
        [string]$TenantId = "xxx.com",
        [string]$FilePath = "$home\Downloads\$TenantId-BitlockerKeys.csv"
    )
    try {
        # Connect to Microsoft Graph API.
        # The function only reads data; DeviceManagementManagedDevices.ReadWrite.All is broader than this function needs.
        Connect-MgGraph -TenantId $TenantId -Scopes "BitLockerKey.Read.All", "BitLockerKey.ReadBasic.All", "DeviceManagementManagedDevices.Read.All", "DeviceManagementManagedDevices.ReadWrite.All"

        # Retrieve BitLocker recovery key metadata. The list call does not return the key value,
        # so the Key column is filled in by a per-key request below.
        $BitLockerRecoveryKeys = Get-MgInformationProtectionBitlockerRecoveryKey -All -Property "id", "createdDateTime", "DeviceId" |
            Select-Object @{N = "KeyId"; E = { $_.id } }, "createdDateTime", @{N = "AzureAdDeviceId"; E = { $_.DeviceId } }, Key
        $BitLockerRecoveryKeys | ForEach-Object {
            $_.Key = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.KeyId -Property "Key" | Select-Object -ExpandProperty Key
        }

        # Retrieve managed Windows devices (-All follows pagination so devices beyond the first page are included)
        $ManagedDevices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" -Property "DeviceName", "Id", "AzureAdDeviceId", "LastSyncDateTime", "IsEncrypted" |
            Select-Object "DeviceName", "Id", "AzureAdDeviceId", "LastSyncDateTime", "IsEncrypted"

        # Join the BitLocker recovery keys and managed devices on AzureAdDeviceId
        $Keys = Join-Object -LeftObject $BitLockerRecoveryKeys -RightObject $ManagedDevices -JoinType Left -On AzureAdDeviceId

        # Export the BitLocker recovery keys to a CSV file
        $Keys | Export-Csv -Path $FilePath -NoTypeInformation
    }
    catch {
        Write-Error $_.Exception.Message
    }
}
```
Configuration Requirements
Prerequisites
| Component | Requirement | Purpose |
|---|---|---|
| Microsoft Graph Modules | Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement, JoinModule | API connectivity and data processing |
| BitLocker Permissions | BitLockerKey.Read.All, BitLockerKey.ReadBasic.All | Access recovery key data |
| Device Management Permissions | DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All | Access device information |
| Admin Rights | Intune Administrator or Global Administrator | Sufficient permissions for device data |
Function Parameters
| Parameter | Default | Description |
|---|---|---|
| TenantId | "xxx.com" | Target tenant for key export |
| FilePath | "$home\Downloads\$TenantId-BitlockerKeys.csv" | Output CSV file location |
Data Collection Process
Key Retrieval Steps
1. Connect to Microsoft Graph API
   - Establish authenticated connection
   - Verify required permissions
2. Retrieve BitLocker Recovery Keys
   - Get all recovery keys with metadata
   - Extract key IDs, creation dates, device associations
3. Fetch Managed Device Information
   - Query Windows devices only
   - Include device name, sync status, encryption state
4. Data Join and Processing
   - Join keys with device information
   - Create comprehensive dataset
5. Export to CSV
   - Generate structured CSV output
   - Include all relevant metadata
Output Data Structure
| Column | Description | Business Value |
|---|---|---|
| KeyId | Unique recovery key identifier | Key tracking and reference |
| createdDateTime | Key creation timestamp | Age and rotation analysis |
| AzureAdDeviceId | Associated device identifier | Device-key relationship |
| Key | Actual recovery key value | Emergency recovery access |
| DeviceName | Human-readable device name | User-friendly identification |
| LastSyncDateTime | Last device sync timestamp | Data freshness indicator |
| IsEncrypted | Device encryption status | Compliance monitoring |
Usage Examples
1. Basic Export
```powershell
Export-BitLockerRecoveryKeys -TenantId "contoso.onmicrosoft.com"
```
2. Custom File Path
```powershell
Export-BitLockerRecoveryKeys -TenantId "contoso.onmicrosoft.com" -FilePath "C:\Reports\BitLockerKeys.csv"
```
Compliance and Security
Use Cases
| Scenario | Purpose | Benefit |
|---|---|---|
| Compliance Reporting | Document recovery key inventory | Audit readiness |
| Emergency Recovery | Access keys for device recovery | Business continuity |
| Security Auditing | Review encryption coverage | Risk assessment |
| Key Management | Track key age and rotation | Security hygiene |
Security Considerations
| Consideration | Risk | Mitigation |
|---|---|---|
| Key Exposure | Sensitive recovery data | Secure CSV storage and access |
| Data Privacy | Device and key information | Implement proper access controls |
| Retention Policy | Long-term key storage | Define appropriate retention periods |
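The Compliance Reporting and Security Auditing use cases do not need the Key column, only the Key Exposure row does. As an added example (not part of the original script), the function below takes the joined `$Keys` objects and the `$ManagedDevices` list built inside Export-BitLockerRecoveryKeys and writes a second CSV with no recovery key values: one row per device with key counts and dates, a finding for escrowed keys whose device Intune no longer manages, a finding for encrypted devices with no escrowed key at all, and an ACL on the report file that allows only the exporting account. The function name, the Finding values and the report path are assumptions.

```powershell
# Added example, not part of the original script. Assumes $Keys is the joined
# output built inside Export-BitLockerRecoveryKeys and $ManagedDevices the
# Get-MgDeviceManagementManagedDevice result from the same run.
function Export-BitLockerKeyInventory {
    param (
        [Parameter(Mandatory)][object[]]$Keys,
        [Parameter(Mandatory)][object[]]$ManagedDevices,
        [string]$ReportPath = "$home\Downloads\BitLockerKeyInventory.csv"
    )
    # One row per device: counts and dates only, never the recovery key value.
    # Empty device fields mean the key belongs to a device Intune no longer manages.
    $Summary = $Keys | Group-Object AzureAdDeviceId | ForEach-Object {
        $first  = $_.Group[0]
        $newest = $_.Group | Sort-Object createdDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            AzureAdDeviceId  = $_.Name
            DeviceName       = $first.DeviceName
            IsEncrypted      = $first.IsEncrypted
            LastSyncDateTime = $first.LastSyncDateTime
            EscrowedKeys     = $_.Count
            NewestKeyCreated = $newest.createdDateTime
            Finding          = if ($first.DeviceName) { '' } else { 'KeyWithoutIntuneDevice' }
        }
    }
    # Encrypted devices with no escrowed key: the gap a recovery plan must close.
    $EscrowedIds = @($Keys.AzureAdDeviceId)
    $Missing = $ManagedDevices |
        Where-Object { $_.IsEncrypted -and ($_.AzureAdDeviceId -notin $EscrowedIds) } |
        ForEach-Object {
            [pscustomobject]@{
                AzureAdDeviceId  = $_.AzureAdDeviceId
                DeviceName       = $_.DeviceName
                IsEncrypted      = $_.IsEncrypted
                LastSyncDateTime = $_.LastSyncDateTime
                EscrowedKeys     = 0
                NewestKeyCreated = $null
                Finding          = 'EncryptedWithoutEscrowedKey'
            }
        }
    $Report = @($Summary) + @($Missing)
    $Report | Export-Csv -Path $ReportPath -NoTypeInformation
    # Lock the report down: drop inherited ACEs, then allow only the exporting account.
    $Acl = Get-Acl -Path $ReportPath
    $Acl.SetAccessRuleProtection($true, $false)
    $Acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$Acl.RemoveAccessRule($_) }
    $Me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Me, 'FullControl', 'Allow')))
    Set-Acl -Path $ReportPath -AclObject $Acl
    return $Report
}
```

Keep the key-bearing CSV produced by Export-BitLockerRecoveryKeys in the restricted location used for emergency recovery, and hand this key-free report to auditors instead.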
Conclusion
Key Takeaway: This script provides comprehensive BitLocker recovery key management capabilities, enabling organizations to maintain proper security compliance, support emergency recovery scenarios, and ensure complete visibility into device encryption status across the enterprise.