PowerShell one-liner: Find BitLocker key

As you probably know, PowerShell is a powerful tool, and retrieving a BitLocker key is one of its capabilities. In this article you will find out how to use a one-liner script based on the ActiveDirectory module to gather BitLocker key information.

The easiest way is to use the Get-BitLockerVolume command, but this requires the BitLocker module to be installed:

Get-Command * -Module BitLocker
Get-BitLockerVolume
(Get-BitLockerVolume -MountPoint C).KeyProtector

Get-ADObject is one of the AD module commands; it gets an Active Directory object or performs a search to retrieve multiple objects.

To get the BitLocker key using the ActiveDirectory module, we need to search for the object class "msFVE-RecoveryInformation":

Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like "ms-FVE-*"}

Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -Properties *

# or

Get-AdObject -Filter "objectclass -eq 'msFVE-RecoveryInformation'" -Properties DistinguishedName, msFVE-RecoveryPassword, WhenCreated |
Select-Object -Property @{n="ComputerName";e={$_.DistinguishedName.Split(',',2)[1]}}, msFVE-RecoveryPassword

Another way is to query the Win32_EncryptableVolume class using the Get-WmiObject command:

$Bitlocker = Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume"
$BitLocker.GetKeyProtectors
$BitLocker.GetKeyProtectors().volumekeyprotectorID

There are several types that we could check:

0 = Alltypes
1 = TPM
2 = ExternalKey
3 = NumericPassword
4 = TPMAndPin
5 = TPMAndStartUpKey
6 = TPMAndPinAndStartUpKey
7 = PublicKey
8 = PassPhrase
9 = TpmCertificate
10 = SID

To get the BitLocker key, we have to pass 3, which stands for NumericPassword, in the parentheses:

$BitLocker.GetKeyProtectors(3).volumekeyprotectorID

To put this all together in a one-liner script, we can do this:

(Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftVolumeEncryption" -Class "Win32_EncryptableVolume").GetKeyProtectors(3).volumekeyprotectorID
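
The VolumeKeyProtectorID values returned above are protector identifiers (GUIDs in braces), and the same identifier appears in the name of the matching msFVE-RecoveryInformation object in AD. As an added example, not part of the original article, this audit uses that link to check whether each local NumericPassword protector has a recovery object under the computer's AD object; the report column names are illustrative, and it assumes a domain-joined machine, an elevated session and read access to those objects.

```powershell
# Added example (not from the original article): escrow audit for recovery passwords.
# Assumes an elevated session, the ActiveDirectory module, and an account that is
# allowed to read the msFVE-RecoveryInformation objects under this computer.
Import-Module ActiveDirectory

$computerDn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName

# Only Name and whenCreated are requested, so msFVE-RecoveryPassword is never
# pulled into the session or written to the console.
$escrowed = @(Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -SearchBase $computerDn -Properties whenCreated)

$volumes = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class 'Win32_EncryptableVolume'

$report = foreach ($vol in $volumes) {
    # 3 = NumericPassword; drop empty results for volumes without such a protector
    $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })

    if ($ids.Count -eq 0) {
        [pscustomobject]@{
            Drive = $vol.DriveLetter; ProtectorId = $null
            Escrowed = $false; EscrowedOn = $null
            Note = 'no NumericPassword protector on this volume'
        }
        continue
    }

    foreach ($id in $ids) {
        # The AD object name ends with the protector ID in braces
        $hit = $escrowed | Where-Object { $_.Name -like "*$id*" } | Select-Object -First 1
        [pscustomobject]@{
            Drive = $vol.DriveLetter; ProtectorId = $id
            Escrowed = [bool]$hit; EscrowedOn = $hit.whenCreated
            Note = $(if ($hit) { 'recovery object found in AD' } else { 'not found under computer object' })
        }
    }
}

$report | Format-Table -AutoSize
```

A row with Escrowed = False means the volume has a recovery password that AD cannot supply, which is the case to fix before the key is actually needed.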

I hope that this was informative for you 🙂
