Script to Export BitLocker Recovery Keys for Managed Windows Devices to CSV

Last update: 09.26.2024

This script connects to the Microsoft Graph API for a specified tenant, retrieves BitLocker recovery keys for all managed Windows devices, and exports them to a CSV file. It fetches details like key IDs, creation dates, and device IDs, and then joins this data with information from managed devices, such as device names, last sync dates, and encryption status. The resulting dataset is exported to a CSV file, making it easy to track and manage BitLocker recovery keys across the tenant's devices.

Here is the script:

<#
.SYNOPSIS
Exports BitLocker recovery keys for all managed Windows devices in the specified tenant to a CSV file.

.DESCRIPTION
This function connects to the Microsoft Graph API using the specified tenant ID and read-only scopes, retrieves BitLocker recovery keys for all managed Windows devices in the tenant, and exports them to a CSV file.

.PARAMETER TenantId
The ID of the tenant to connect to. The default value "xxx.com" is a placeholder; replace it with your own tenant.

.PARAMETER FilePath
The path of the CSV file to export the BitLocker recovery keys to. Default value is "$home\Downloads\$TenantId-BitlockerKeys.csv".

.EXAMPLE
Export-BitLockerRecoveryKeys -TenantId "contoso.onmicrosoft.com" -FilePath "C:\temp\BitLockerKeys.csv"
This command exports BitLocker recovery keys for all managed Windows devices in the "contoso.onmicrosoft.com" tenant to a CSV file named "BitLockerKeys.csv" in the "C:\temp" directory.

.NOTES
Requires the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement, and JoinModule modules.
The exported CSV contains the recovery keys in plaintext, and every read of a key's Key property is recorded in the Entra ID audit log.
#>
function Export-BitLockerRecoveryKeys {
    param (
        [string]$TenantId = "xxx.com",
        [string]$FilePath = "$home\Downloads\$TenantId-BitlockerKeys.csv"
    )
    try {
        # Connect to Microsoft Graph API with read-only scopes: the script never writes to Graph,
        # and BitLockerKey.Read.All already covers everything BitLockerKey.ReadBasic.All allows
        Connect-MgGraph -TenantId $TenantId -Scopes "BitLockerKey.Read.All", "DeviceManagementManagedDevices.Read.All"

        # Retrieve BitLocker recovery key metadata (the list call does not return the key itself),
        # adding an empty Key column to be filled in below
        $BitLockerRecoveryKeys = Get-MgInformationProtectionBitlockerRecoveryKey -All -Property "id","createdDateTime","DeviceId" |
            Select-Object @{N="KeyId";E={$_.id}},"createdDateTime",@{N="AzureAdDeviceId";E={$_.DeviceId}},Key

        # Fetch the key material one key at a time; each of these reads is audited in Entra ID
        $BitLockerRecoveryKeys | ForEach-Object {
            $_.Key = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.KeyId -Property "Key" | Select-Object -ExpandProperty Key
        }

        # Retrieve all managed Windows devices (-All follows paging instead of stopping at the first page)
        $ManagedDevices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" -Property "DeviceName","Id","AzureAdDeviceId","LastSyncDateTime","IsEncrypted" |
            Select-Object "DeviceName","Id","AzureAdDeviceId","LastSyncDateTime","IsEncrypted"

        # Join the BitLocker recovery keys and managed devices on AzureAdDeviceId
        $Keys = Join-Object -LeftObject $BitLockerRecoveryKeys -RightObject $ManagedDevices -JoinType Left -On AzureAdDeviceId

        # Export the BitLocker recovery keys to a CSV file (-NoTypeInformation drops the #TYPE header on Windows PowerShell 5.1)
        $Keys | Export-Csv -Path $FilePath -NoTypeInformation
    }
    catch {
        Write-Error $_.Exception.Message
    }
}
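As an added example that is not part of the original script: the same two datasets the script retrieves (in the raw cmdlet shape, DeviceId on keys and AzureAdDeviceId on devices) can be joined into an escrow coverage report that flags encrypted devices with no recovery key in Entra, without ever reading the Key property or writing key material to disk. The function name and the sample objects below are constructed for illustration.

```powershell
# Added example: BitLocker escrow coverage report from key metadata and managed-device data.
# Expects the raw output of Get-MgInformationProtectionBitlockerRecoveryKey (no Key property needed)
# and Get-MgDeviceManagementManagedDevice; the sample input below stands in for both.
function Get-BitLockerEscrowReport {
    param (
        [Parameter(Mandatory)] [object[]]$RecoveryKeys,    # objects with DeviceId, CreatedDateTime
        [Parameter(Mandatory)] [object[]]$ManagedDevices   # objects with DeviceName, AzureAdDeviceId, IsEncrypted, LastSyncDateTime
    )
    # Index key metadata by the Entra device id that both datasets share
    $KeysByDevice = @{}
    foreach ($k in $RecoveryKeys) {
        if (-not $KeysByDevice.ContainsKey($k.DeviceId)) { $KeysByDevice[$k.DeviceId] = @() }
        $KeysByDevice[$k.DeviceId] += $k
    }
    foreach ($d in $ManagedDevices) {
        # @($null) has Count 1, so only wrap when the device actually has keys
        $Keys = if ($KeysByDevice.ContainsKey($d.AzureAdDeviceId)) { @($KeysByDevice[$d.AzureAdDeviceId]) } else { @() }
        if ($Keys.Count -gt 0)  { $Status = 'Escrowed' }
        elseif ($d.IsEncrypted) { $Status = 'EncryptedNoKey' }   # encrypted but nothing escrowed: a recovery gap
        else                    { $Status = 'NotEncrypted' }
        [pscustomobject]@{
            DeviceName       = $d.DeviceName
            AzureAdDeviceId  = $d.AzureAdDeviceId
            IsEncrypted      = $d.IsEncrypted
            LastSyncDateTime = $d.LastSyncDateTime
            KeyCount         = $Keys.Count
            NewestKey        = ($Keys | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
            Status           = $Status
        }
    }
}

# Constructed sample input in the shape of the Graph objects (not real tenant data)
$SampleKeys = @(
    [pscustomobject]@{ Id = 'k1'; DeviceId = 'dev-a'; CreatedDateTime = [datetime]'2024-05-01' },
    [pscustomobject]@{ Id = 'k2'; DeviceId = 'dev-a'; CreatedDateTime = [datetime]'2024-08-15' }
)
$SampleDevices = @(
    [pscustomobject]@{ DeviceName = 'PC-A'; AzureAdDeviceId = 'dev-a'; IsEncrypted = $true;  LastSyncDateTime = [datetime]'2024-09-20' },
    [pscustomobject]@{ DeviceName = 'PC-B'; AzureAdDeviceId = 'dev-b'; IsEncrypted = $true;  LastSyncDateTime = [datetime]'2024-09-21' },
    [pscustomobject]@{ DeviceName = 'PC-C'; AzureAdDeviceId = 'dev-c'; IsEncrypted = $false; LastSyncDateTime = [datetime]'2024-09-22' }
)
$Report = Get-BitLockerEscrowReport -RecoveryKeys $SampleKeys -ManagedDevices $SampleDevices
$Report | Format-Table -AutoSize
# PC-B is the device to remediate: encrypted, but no key escrowed in Entra
$Report | Where-Object Status -eq 'EncryptedNoKey'
```

With real data, pass the output of the two Get-Mg* cmdlets from the script above in place of the sample arrays; only BitLockerKey.ReadBasic.All and DeviceManagementManagedDevices.Read.All are needed for this report.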
