Cybercriminals may attempt to breach the security of your organization by registering unauthorized devices, using Primary Refresh Tokens on trusted devices, or stealing Primary Refresh Tokens from trusted user devices.
The Azure portal provides centralized management for devices, allowing admins to perform essential Azure AD device management tasks. These include configuring device join types, registering and updating devices, and reviewing audit logs for device registration activities. Furthermore, admins can enable or disable device access, delete devices, and manage device settings through the portal. Navigate to the path below to get all Azure AD devices in your organization.
Here you will find the details of the devices, such as name, operating system, version, join type, etc. Generating customized device reports, however, is a crucial task for administrators that the Azure portal does not make easy.
The Azure AD devices report shows the complete list of devices in the organization along with their attributes. Admins can therefore use this report to monitor and analyze critical device events such as registration and deletion across the workspace. Download the script now and unleash the benefits you can avail with a click!
The script supports some built-in filtering parameters according to your needs, and its use cases are listed below. Before getting started, make sure to connect to the Microsoft Graph PowerShell module.
NOTE: If you are using certificate-based authentication, the script generates output only when directory permissions such as Directory.Read.All are granted in your organizational setup; otherwise, executing the script produces an error message saying that,
This information can provide insights into the volume of managed devices, which can help identify any unmanaged devices that may need attention. By using the -ManagedDevice parameter, organizations can ensure that all their devices are properly managed and secure, helping to protect against potential security threats and unauthorized access.
BitLocker is a Microsoft encryption product that is used to conceal and protect sensitive user data on a computer. BitLocker recovery keys are required to recover the encrypted drives in your work environment. With the -DeviceWithBitLockerKey parameter, you can track the devices with BitLocker keys in your tenant. This helps to transparently monitor and secure BitLocker-encrypted devices within your organization. The parameter retrieves only the devices with a BitLocker key and exports them into a CSV file.
Enabled devices in Azure AD are devices that have been registered and authorized by the organization, which allows them to authenticate and access resources such as applications and data. Moreover, it permits access to resources protected by Conditional Access.
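The filters described above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not AdminDroid's script; the -EnabledDevice switch name, the output path and the Graph scopes used are assumptions, and it reads only BitLocker key metadata (never the key material) to decide which devices have an escrowed key.

```powershell
# Added example, not the blog's script. Assumes the Microsoft.Graph module is installed and
# the signing-in account is granted Device.Read.All and BitLockerKey.ReadBasic.All.
param(
    [switch]$ManagedDevice,          # keep only Intune/MDM-managed devices
    [switch]$DeviceWithBitLockerKey, # keep only devices with an escrowed recovery key
    [switch]$EnabledDevice,          # keep only devices whose account is enabled (assumed switch name)
    [string]$OutFile = '.\AzureADDevices.csv'
)

Connect-MgGraph -Scopes 'Device.Read.All', 'BitLockerKey.ReadBasic.All'

# Pull every device object with just the attributes the report needs.
$devices = Get-MgDevice -All -Property @(
    'Id', 'DeviceId', 'DisplayName', 'OperatingSystem', 'OperatingSystemVersion',
    'TrustType', 'IsManaged', 'IsCompliant', 'AccountEnabled', 'ApproximateLastSignInDateTime'
)

# Map Azure AD DeviceId -> $true for devices that have at least one escrowed BitLocker key.
# Only key metadata (id, deviceId, createdDateTime) is read here, never the key itself.
$keyedDevices = @{}
if ($DeviceWithBitLockerKey) {
    Get-MgInformationProtectionBitlockerRecoveryKey -All |
        ForEach-Object { $keyedDevices[$_.DeviceId] = $true }
}

$report = foreach ($d in $devices) {
    if ($ManagedDevice -and -not $d.IsManaged)                { continue }
    if ($EnabledDevice -and -not $d.AccountEnabled)           { continue }
    if ($DeviceWithBitLockerKey -and -not $keyedDevices.ContainsKey($d.DeviceId)) { continue }

    [pscustomobject]@{
        DisplayName       = $d.DisplayName
        DeviceId          = $d.DeviceId
        OperatingSystem   = $d.OperatingSystem
        OSVersion         = $d.OperatingSystemVersion
        JoinType          = $d.TrustType            # AzureAd, ServerAd (hybrid) or Workplace (registered)
        IsManaged         = $d.IsManaged
        IsCompliant       = $d.IsCompliant
        AccountEnabled    = $d.AccountEnabled
        HasBitLockerKey   = $keyedDevices.ContainsKey($d.DeviceId)
        LastSignIn        = $d.ApproximateLastSignInDateTime
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "$($report.Count) devices written to $OutFile"
```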
Overall, AdminDroid is the best solution for your Office management! It is a Microsoft 365 reporting tool that is easy to set up, user-friendly, and designed with advanced features for alerting, scheduling, and merging multiple reports. With these advanced reporting capabilities, AdminDroid provides 1800+ granular reports and 30+ dashboards on every service, including Azure AD, Exchange Online, Microsoft Teams, SharePoint, OneDrive, and Yammer. Plus, it makes your administration easy with AI-powered graphical analysis.
Besides saving time, the output is exported as a CSV file, so you can easily analyze and act on the well-classified information. Enhance your organization's security posture through continuous monitoring of device and application activity in Azure AD. We hope this blog has been helpful and eased your burden in obtaining the details of Azure devices. For any questions, reach us through the comments section.
Recovery keys are used to recover your endpoint data in case of hardware malfunction and also as an alternate means of login when the traditional authorization fails. Beyond being a workaround, a BitLocker recovery key can be seen as a gateway to the drive once that drive becomes inaccessible.
The Active Directory Users and Computers console enables admins to manage their Active Directory objects. Installed through the Remote Server Administration Tools (RSAT), it can be used to find the recovery key directly from a Windows machine.
This can be configured here: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Active Directory Domain Services.
Is there any way to back up the recovery keys using a CSV file with the computer names and the recovery ID for each? MS is ending MBAM support, so we are trying to see if it is possible to import the keys from a list instead of running a command on each machine (scripted or not).
The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. (Exception from HRESULT: 0x8031000A)
In the PowerShell script, after the encryption process the key is stored in our Active Directory. However, the GPO for external USB devices to store the key in Active Directory was not yet active, only for the system drive and fixed data drives. Now the external hard drive is encrypted and the key was in the PowerShell session, which was of course closed via software distribution or was not visible.
My end goal was to create an Active Directory overview report using PowerShell. I looked into PSWinDocumentation, but ultimately I wanted the report to be interactive. I was looking for basic Active Directory items like Groups, Users, Group Types, Group Policy, etc., but I also wanted items like expiring accounts, users whose passwords will be expiring soon, newly modified AD objects, and so on. Then I could get this report automatically e-mailed to me daily (or weekly) and see what has changed in my environment, and which users I need to make sure change their password soon.
As shown earlier, the Groups report displays all of my Groups, membership for Domain and Enterprise admins and more. The bottom pie charts are dynamic and can be interacted with within the report itself.
The Users report is very detailed, providing an in-depth look at your users and their account health. Right away you can view the total number of users, users with passwords expiring soon, any expiring accounts, and users that have not logged on recently. The number of days for each item (password expiring in less than X days) can be easily changed at the beginning of the script.
The Active Directory Users table shows you all of your users and some of the most important user attributes. The next 4 tables then display users with expiring passwords, expiring accounts, inactive users, and newly created user accounts.
The Computers report gives you a similar overview to the Users report. Here you can see the number of computer objects in your environment, as well as the breakdown of computer operating systems. In my example environment I have a lot of Windows 10 clients and more Server 2012 servers than 2016.
The 2 pie graphs below display the protection status from accidental deletion and enabled computers vs. disabled. The last graph gives you a breakdown of the operating systems found in your environment. Here you can visually see how many Windows 10 devices there are in my environment compared to other operating systems.
You can copy or download the script and run it on any computer/server with RSAT or Active Directory right out of the box! But I will explain the 1 module it uses as well as the variables you can set if you want to change it to best fit your needs.
The script requires the ReportHTML module to be installed. It will attempt to install the module if it does not detect it by running `Install-Module`. You can also install it manually by running `Install-Module ReportHTML` in an administrative PowerShell console.
Since the script relies heavily on Active Directory, you will need to run it on a device with RSAT (which gives you the Active Directory module) or on a domain controller. You just need the Active Directory module to be present on the system it's run on.
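The user-health checks the report is built around (passwords expiring within X days, expiring accounts, inactive users, newly created accounts), as an added example that is not Brad's script. It assumes the ActiveDirectory RSAT module on a domain-joined host; the threshold values and output path are assumptions, and it uses the replicated lastLogonTimestamp rather than lastLogon for the inactivity check.

```powershell
# Added example, not the blog's script. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$PasswordExpiryDays = 7    # "password expiring in less than X days" (assumed thresholds)
$InactiveDays       = 90
$NewAccountDays     = 7
$now = Get-Date

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties `
    DisplayName, LastLogonTimestamp, AccountExpirationDate, WhenCreated, `
    PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$rows = foreach ($u in $users) {
    # msDS-UserPasswordExpiryTimeComputed already accounts for fine-grained password policies.
    # It is Int64.MaxValue for never-expiring passwords, which FromFileTime cannot convert.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $pwdExpiry = if ($u.PasswordNeverExpires -or -not $raw -or $raw -ge [int64]::MaxValue) { $null }
                 else { [datetime]::FromFileTime($raw) }

    # lastLogonTimestamp is replicated between DCs (lastLogon is not) but can lag a real
    # logon by up to 14 days, so keep the inactivity window comfortably wider than that.
    $lastLogon = if ($u.LastLogonTimestamp) { [datetime]::FromFileTime($u.LastLogonTimestamp) } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        DisplayName          = $u.DisplayName
        PasswordExpires      = $pwdExpiry
        PasswordExpiringSoon = [bool]($pwdExpiry -and $pwdExpiry -gt $now -and
                                      $pwdExpiry -le $now.AddDays($PasswordExpiryDays))
        AccountExpires       = $u.AccountExpirationDate
        AccountExpiringSoon  = [bool]($u.AccountExpirationDate -and
                                      $u.AccountExpirationDate -le $now.AddDays($PasswordExpiryDays))
        LastLogon            = $lastLogon
        Inactive             = [bool](-not $lastLogon -or $lastLogon -lt $now.AddDays(-$InactiveDays))
        NewlyCreated         = [bool]($u.WhenCreated -ge $now.AddDays(-$NewAccountDays))
    }
}

# Summary counts as shown at the top of the Users report, then the full table for the HTML/CSV output.
[pscustomobject]@{
    TotalUsers       = $rows.Count
    PasswordExpiring = ($rows | Where-Object PasswordExpiringSoon).Count
    AccountExpiring  = ($rows | Where-Object AccountExpiringSoon).Count
    Inactive         = ($rows | Where-Object Inactive).Count
    NewlyCreated     = ($rows | Where-Object NewlyCreated).Count
} | Format-List

$rows | Export-Csv -Path '.\ADUserHealth.csv' -NoTypeInformation
```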
My name is Bradley Wyatt; I am a 4x Microsoft Most Valuable Professional in Cloud and Datacenter Management. I have given talks at many different conferences, user groups, and companies throughout the United States ranging from PowerShell to DevOps Security best practices and am the 2022 North American Outstanding Contribution to the Microsoft Community winner.
Outstanding job!! Any chance we can get Windows 2019 versions and identify Windows 10 Pro/Enterprise and LTSC in the pie charts? It would also be helpful on the pie charts to put the number of devices rather than hover over them.
Excellent work Brad. I am currently using the PSCookieMonster script to generate a report for my Citrix environment; it creates a simple webpage ( -HTML-Notificatio-e1c5759d).
Your report now took this to the next level. Thanks again for spending time to share your knowledge. Keep up the good work. Thanks.
Suresh Krishnan
Singapore
Also: Maybe use the LastLogonTimeStamp instead of lastlogon attribute? If you have more than one domain controller the lastlogon attribute will not be meaningful as it is not replicated between domain controllers.
I need a script to generate a report of the last logged-in users (history of user logins on each system) from all systems that exist in Active Directory, no matter whether they are currently logged in on the system or not. Thank you in advance.
A flexible Active Directory reporting tool with over 190 built-in reports as well as the option to create your own.
With more flexibility than other Active Directory reporting tools and a modern, user-friendly interface, AD Info lets you easily query your Active Directory domain for the information you need. Use one of the 190+ queries that come with the application, or use the custom query designer to create your own query based on any attributes you choose.
NOTE: If you are looking for an Active Directory permissions reporting tool instead, see AD Permissions Reporter.
AD Info is available in two editions, the free edition and the standard edition. The free edition is completely free for personal and commercial use and is not time limited. Click the Buy button below to see pricing details for the standard edition. The differences between the two versions can be seen further down this page.