PowerShell – Return BitLocker Data using MSGraph


This script returns BitLocker recovery key data without your having to enter a bearer token, or manually generate one, before calling Microsoft Graph. You won’t find this anywhere else, because I wrote it. I recommend having your Azure app registration done and its appID ready to go; the appID information goes into the $clientId and $clientSecret strings. The end result is a BitLocker report in a delimited text file, which I then import into a Google sheet. This could be an automated report if you embedded credentials and used Task Scheduler (not really recommended, though). If you want to automate it, either use SecureString or compile the script.

see Overview of Microsoft Graph

see Register an application with the Microsoft identity platform


Code

# MrNetTek 
# eddiejackson.net 
# 12/19/2023 
# free for public use 
# free to claim as your own

$Devices = ""
$accessToken = ""
$tokenResponse = ""
$passwordPlainText = ""

# Application and credentials (from the Azure app registration)
# These are only sample values
$tenantID = "e389c29b-e96c-3ac4-ce16-ea3204275147"
$clientId = "18bf354a-bd67-4810-a315-925c5b2953ca" 
$clientSecret = "d.y4R~u2-5JEPMeaZ_Ciiyr2eilP1Mz.YYag2ccm"
$scope = "https://graph.microsoft.com/.default"
$username = "MrNetTek@mydomain.com"
# Get-Credential returns a PSCredential; the password is held as a SecureString
$credential = Get-Credential -Message "Enter your password" -UserName $username

# Delete previous file
$filePath = "C:\temp\output.txt"

if (Test-Path $filePath) {
    Remove-Item $filePath
}

# Extract the plain-text password from the PSCredential (needed for the password grant below)
$passwordPlainText = $credential.GetNetworkCredential().Password

# Define the URL to request the token
$tokenUrl = "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token"

# Define the request body for obtaining the token
# (resource owner password credentials grant: the user's password is exchanged directly for a token)
$Body = @{
    grant_type    = "password"
    scope         = $scope
    client_id     = $clientId
    client_secret = $clientSecret
    username      = $username
    password      = $passwordPlainText
}

# Make a request to obtain an access token
$tokenResponse = Invoke-RestMethod -Uri $tokenUrl -Method POST -Body $Body

# Extract the access token
$accessToken = $tokenResponse.access_token

# Define the headers with the access token
$headers = @{
    'Authorization' = "Bearer $accessToken"
    'Content-Type'  = 'application/json'
}

# The AzureAD and Graph modules are used for the user and device enumeration;
# the REST calls below use the bearer token obtained above
Connect-AzureAD
Connect-MgGraph -Scopes User.ReadBasic.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All
Get-MgContext

# Sanity check: show the profile of the signed-in user using the bearer token
$profileUrl = 'https://graph.microsoft.com/v1.0/me'
$userProfile = Invoke-RestMethod -Headers $headers -Uri $profileUrl -Method Get
$userProfile

# Write the column header for the delimited report
"DisplayName,UserPrincipalName,DeviceName,KeyId,RecoveryKey" | Out-File $filePath

# Load users from Azure AD
Write-Host "Fetching users from Azure AD...`n"
$AzureADUsers = Get-AzureADUser -All $true | Where-Object { $_.AccountEnabled -eq $true }

# Scan through the user list
Write-Host "Scanning through user list...`n"
foreach ($AzureADUser in $AzureADUsers) {

    $devices = Get-MgUserRegisteredDevice -UserId "$($AzureADUser.UserPrincipalName)" -ErrorAction SilentlyContinue

    if ($devices.Count -gt 0) {

        foreach ($device in $devices) {
            # The BitLocker endpoint filters on the Azure AD deviceId, not the directory object id
            $deviceId = $device.AdditionalProperties["deviceId"]
            $intuneApiUrl = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"
            $filter = "?`$filter=deviceId eq '$deviceId'"
            $filteredIntuneApiUrl = "$intuneApiUrl$filter"

            # List the BitLocker recovery key objects for this device (ids only; the key itself is not returned here)
            $response = Invoke-RestMethod -Uri $filteredIntuneApiUrl -Headers $headers -Method Get
            $bitlockerIds = @($response.value.id)

            # Resolve the device display name for the report
            $mgDevice = Get-MgDevice -Filter "deviceId eq '$deviceId'"

            foreach ($bitId in $bitlockerIds) {

                if ($bitId) {
                    # The key material is only returned by the single-item GET with $select=key
                    $keyUrl = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$($bitId)?`$select=key"
                    $keyResponse = Invoke-RestMethod -Uri $keyUrl -Headers $headers -Method Get
                    $output = "$($AzureADUser.DisplayName),$($AzureADUser.UserPrincipalName),$($mgDevice.DisplayName),$bitId,$($keyResponse.key)"
                    Write-Host "$output"
                    $output | Out-File $filePath -Append
                }

                $keyUrl = ""
                $keyResponse = ""
                Write-Host "`n"
            }

            $mgDevice = ""
        }
    }
}

# Clear the token and password from memory before exiting
$Devices = ""
$accessToken = ""
$tokenResponse = ""
$passwordPlainText = ""
Disconnect-AzureAD
Disconnect-MgGraph
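As an added example (not the post's own code), here is the per-device lookup from the loop above factored into a function that follows Graph paging and backs off when Graph throttles with HTTP 429; it assumes $headers already carries a valid bearer token as built by the script, and the function names Get-DeviceBitLockerKeys and Invoke-GraphGetWithRetry are my own.

```powershell
function Invoke-GraphGetWithRetry {
    # Hypothetical helper (not from the post): GET a Graph URL, backing off when throttled (HTTP 429)
    param([string] $Uri, [hashtable] $Headers, [int] $MaxAttempts = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        }
        catch {
            $err = $_
            $status = $err.Exception.Response.StatusCode.value__
            if ($status -ne 429 -or $attempt -eq $MaxAttempts) { throw }
            # Honour the Retry-After header Graph sends when throttling; otherwise back off exponentially
            $wait = $null
            try { $wait = @($err.Exception.Response.Headers.GetValues('Retry-After'))[0] } catch { }
            if (-not $wait) { $wait = [math]::Pow(2, $attempt) }
            Start-Sleep -Seconds ([int]$wait)
        }
    }
}

function Get-DeviceBitLockerKeys {
    # Hypothetical function (not from the post): all recovery keys for one Azure AD deviceId
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,   # bearer-token headers built by the script above
        [Parameter(Mandatory)] [string]    $DeviceId   # Azure AD deviceId, as used in the script's $filter
    )
    $base = 'https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys'
    $url  = "${base}?`$filter=deviceId eq '$DeviceId'"
    $ids  = @()

    # Follow @odata.nextLink until the listing is exhausted; a device that has been
    # re-encrypted several times can have more key objects than fit on one page
    while ($url) {
        $page = Invoke-GraphGetWithRetry -Uri $url -Headers $Headers
        $ids += @($page.value.id)
        $url  = $page.'@odata.nextLink'
    }

    # The key material itself is only returned by the single-item GET with $select=key
    foreach ($id in ($ids | Where-Object { $_ })) {
        $item = Invoke-GraphGetWithRetry -Uri "$base/${id}?`$select=key" -Headers $Headers
        [pscustomobject]@{ DeviceId = $DeviceId; KeyId = $id; Key = $item.key }
    }
}

# Example call (constructed placeholder deviceId), e.g. inside the script's device loop:
# Get-DeviceBitLockerKeys -Headers $headers -DeviceId '00000000-0000-0000-0000-000000000000' |
#     Export-Csv C:\temp\bitlocker.csv -NoTypeInformation
```

Export-Csv takes care of the header row and quoting, so display names containing commas no longer break the delimited report.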