Bitlocker Recovery Key Tool

By Nicklas AhlbergIntune, Security

Have you ever been fumbling around, looking for the Bitlocker recovery key but don’t know exactly where to look? – add to that having a user on the phone, anxious to start working.. the struggle is real!
This tool will make it extremely easy to fetch the key regardless if the key is stored in AD or Azure AD – from a single tool.

Prerequisites

First things first.. we need to make sure that we have a couple of prerequisites in-place.

  • RSAT (if you have keys stored in AD):
    1. Install ADDS RSAT feature: Add-WindowsCapability -Online -Name ‘Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0’
    2. Install Bitlocker RSAT feature: Add-WindowsCapability -Online -Name ‘Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0’
  • PowerShell module(s):
    1. MSAL.PS Install-Module MSAL.PS
    2. Microsoft.Identity.Client Install-Module Microsoft.Identity.Client
    3. AZ.Accounts Install-Module AZ.Accounts

Let’s rock enroll!

Register the app

We will use an Azure registered app with delegated permissions to execute our MS Graph calls against. The next steps cover how to create the app and delegate the appropriate permissions.

  1. Navigate to: https://portal.azure.com
  2. Click: Azure Active Directory
  3. Click: App registrations
  4. Click: New registration
  5. Name: I will use ‘Demo-Graph‘ but you may name the app differently
  6. Supported account types: Accounts in this organizational directory only
  7. Redirect URI (Select a platform): Public client/native (mobile and desktop)
  8. Redirect URI (URL): https://login.microsoftonline.com/common/oauth2/nativeclient
  9. Click: Register
  10. Save the Application (client) ID in notepad, we will need it later
  11. Click: API Permissions
  12. Click: Microsoft Graph
  13. Click: Delegated permissions
  14. Search for and mark: BitlockerKey.Read.All
  15. Search for and mark: Device.Read.All
  16. Search for and mark: DeviceManagementConfiguration.Read.All
  17. Click: Add permissions
  18. Click: Grant admin consent for
  19. Click: Yes
  20. Make sure that the permissions have been granted accordingly
  21. Now navigate to https://aad.portal.azure.com/
  22. Click: Azure Active Directory
  23. Save the Tenant ID in notepad, we will need it later

Download the tool

  1. Download the tool from: NicklasAhlberg/Bitlocker-Recovery-Key-Tool (github.com)
  2. Make sure you download the latest version from the releases section
  3. Extract the zip-file and make sure that following three (3) files are in the same directory
  4. Open: config.txt and paste the clientID and tenantID from notepad
  5. Save: config.txt

Run the tool

Run the tool by executing: Bitlocker Recovery Key Tool.exe

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.