From time to time you may have to enter a BitLocker recovery key after a BIOS update or change, especially with Secure Boot enabled.
For the odd machine this is fine, but what happens when you arrive on Monday morning to find a full IT suite sat asking for recovery keys?
In this guide I’ll show you how you can export BitLocker Key IDs and Recovery Keys in bulk from Intune into a handy CSV file.
Step 1: Install the Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser
Step 2: Run the following script, changing PC-NAME-* to match your own naming convention(s). For example, if your PCs are named IT-PC-01, IT-PC-02 and so on, you would use “IT-PC-*”.
# Sign in with the scopes needed to list Intune devices and read BitLocker keys.
# BitLockerKey.Read.All is required because the key value itself is retrieved below.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","BitLockerKey.Read.All"

$results = @()

# Select the Intune-managed devices whose name matches your naming convention
$devices = Get-MgDeviceManagementManagedDevice -All | Where-Object {
    $_.DeviceName -like "PC-NAME-*"
}

foreach ($device in $devices) {
    Write-Host "Processing $($device.DeviceName)..."

    # Keys are escrowed against the Entra ID device object, so filter on AzureAdDeviceId
    $keys = Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($device.AzureAdDeviceId)'"

    foreach ($key in $keys) {
        # The list call returns metadata only; the key value must be requested
        # explicitly per key with $select=key (each read is audited in Entra ID)
        $fullKey = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($key.Id)?`$select=key"

        $results += [PSCustomObject]@{
            DeviceName  = $device.DeviceName
            KeyId       = $key.Id
            RecoveryKey = $fullKey.key
        }
    }
}

$results | Sort-Object DeviceName | Export-Csv "BitLockerKeys.csv" -NoTypeInformation
The keys will be exported to CSV in the same directory you ran PowerShell from.
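Before a BIOS or Secure Boot change hits a whole suite, it helps to know which of those PCs actually have a key escrowed in Entra ID. The following is an added example, not part of the original post, that reports key coverage per device without ever reading a key value, so it needs only the BitLockerKey.ReadBasic.All scope and can be run routinely. It assumes the same module and "PC-NAME-*" naming convention as the script above.

```powershell
# Added example: audit which matching devices have an escrowed BitLocker key.
# No key values are requested, so the basic (metadata-only) scope is sufficient.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","BitLockerKey.ReadBasic.All"

$report = foreach ($device in (Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.DeviceName -like "PC-NAME-*" })) {

    # Listing keys returns id, createdDateTime, volumeType and deviceId only
    $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -All `
        -Filter "deviceId eq '$($device.AzureAdDeviceId)'")

    [PSCustomObject]@{
        DeviceName      = $device.DeviceName
        AzureAdDeviceId = $device.AzureAdDeviceId
        EscrowedKeys    = $keys.Count
        # A BIOS/Secure Boot change prompts for the OS drive, so that is the key that matters
        OsDriveKey      = [bool]($keys | Where-Object VolumeType -eq 'operatingSystemVolume')
        NewestKey       = ($keys | Sort-Object CreatedDateTime | Select-Object -Last 1).CreatedDateTime
        LastSync        = $device.LastSyncDateTime
    }
}

# Devices with no OS-drive key escrowed will need hands-on attention after the change
$report | Where-Object { -not $_.OsDriveKey } | Format-Table -AutoSize

# Coverage report contains no secrets, unlike BitLockerKeys.csv from Step 2
$report | Sort-Object DeviceName | Export-Csv "BitLockerKeyCoverage.csv" -NoTypeInformation
```

Unlike the coverage report, the BitLockerKeys.csv produced in Step 2 holds every recovery key in plain text, so keep it somewhere with restricted permissions and delete it once the keys have been entered.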

#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything in between.

