Kaseya Community

Error in procedure to get Bitlocker key


Hello

We have a script that gets the BitLocker status, volumes and key. It posts the results on the Agent system info.

The script ran fine for some users; for the rest I am getting errors:

FAILED in processing THEN step 2, Get File, with error File Open Failed, Getting status of c:\kworking\bitlocker.key (Line 4) 
Failed THEN in step 2 (Line 4) 
FAILED in THEN step 2, execute script Bitlocker status-0001(ID = 114247433) (Line 2) 

The script we have was created by the folks at ClubMSP (Thank you for that by the way - recommended for any Kaseya power user) -

Any ideas what the error may be?

All Replies
  • Check if the bitlocker.key file exists, and what its contents are. You may need to modify your script if it deletes the file after it runs.

  • I used this same script and I had to add an If testFile to see if the file exists. It is erroring on the machines that do not have BitLocker, and so no file exists when the PowerShell is run on those machines.

  • It looks like the issue only happens on Windows 7. Any ideas? We updated PowerShell to the latest version on a test machine, but the command get-bitlocker cannot be loaded.

    Is Get-Bitlocker specific to Windows 8+?

  • The MSDN page lists cmdlets for Win8/2012 and up:

    technet.microsoft.com/.../jj649829(v=wps.620).aspx

    Pretty safe to assume that there aren't Win7 cmdlets.

    This article kind of restates that, although it does say 8.1, but also has some info on not using the cmdlets: blogs.technet.microsoft.com/.../powershell-and-bitlocker-part-1

  • Procedure Audit Encryption Status.xml

    I attached the little procedure I use. I can't remember where I got it from, I think from the automation site. At any rate it has the shell command.

  • Yes, it is. You have to use manage-bde.exe (technet.microsoft.com/.../ff829849(v=ws.11).aspx) to manage BitLocker on Win7/2008R2 machines. Searching MSDN for any given cmdlet is usually a good way to find the history of that cmdlet. I use the "other versions" link to review the changes over time. technet.microsoft.com/.../jj649837(v=wps.620).aspx

  • Thanks. The script for manage-bde supplied by mikerm only tells if the machine is encrypted or not. Any way to parse the key as well in a custom field?

  • We did update this script after it was published; did you download the latest one? If you are still having problems, please let us know and we can help troubleshoot it.

    PS. Thanks for the shout out for ClubMSP!  Much appreciated!

  • Thanks Chris - will give it a shot. But I think the issue is Windows 7 - even after updating PowerShell, the command get-bitlocker is not recognized.

    It works fine on Windows 8 and Windows 10.

  • I just found this out myself. You have to install Remote Server Administration Tools (RSAT) in order for the BitLocker applets to be installed for Windows 7. See KB958830.

  • That's not gonna work for 50+ laptops. :)

  • The KB can be silently installed. Here is the TechNet article for it.

    technet.microsoft.com/.../ee449483(v=ws.10).aspx

  • I just worked out an easy way to get the key by itself, it might work for you without installing anything, but this was only tested on Windows 10 so YMMV.

    In an executepowershellcommand64bitsystem I have the following:

    try { $Key = (Get-BitLockerVolume).KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } ; $Key.RecoveryPassword } catch {}

    The key should be returned in #global:psresult# as long as you enable the return too.

    People who are better at PowerShell than I am can probably optimize that command.

  • Even after installing www.microsoft.com/.../details.aspx

    we can't get it to work.
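
Added example, not part of the thread or of the ClubMSP script: one way to answer the question above about parsing the key out of manage-bde output on Windows 7, where Get-BitLockerVolume is unavailable. The function names and the sentinel strings are hypothetical, and the sample text is constructed. The script always returns a non-empty value, so a machine without BitLocker does not leave the calling procedure with nothing to read.

```powershell
# Runs on PowerShell 2.0. Run elevated and as a 64-bit process on 64-bit
# Windows; otherwise manage-bde.exe is not found or returns an access error.

function Get-RecoveryPassword {
    param([string]$ProtectorText)
    # A recovery password is 8 groups of 6 digits. Matching the shape instead
    # of the "Password:" label keeps the parse independent of the OS language.
    $pattern = '(?<!\d)\d{6}(?:-\d{6}){7}(?!\d)'
    [regex]::Matches($ProtectorText, $pattern) | ForEach-Object { $_.Value }
}

function Get-VolumeRecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive)
    $exe = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
    if (-not (Test-Path $exe)) { return 'MANAGE_BDE_NOT_FOUND' }   # hypothetical sentinel
    # Merge stderr into the text so a failure is parsed like any other output.
    $text = (& $exe -protectors -get $MountPoint 2>&1 | Out-String)
    $found = @(Get-RecoveryPassword $text)
    if ($found.Count -eq 0) { return 'NO_RECOVERY_PASSWORD' }      # hypothetical sentinel
    # A volume can carry more than one numerical password protector.
    $found -join ';'
}

# Constructed sample of "manage-bde -protectors -get C:" output, for testing
# the parser on a machine that has no encrypted volume.
$sample = @'
Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000000}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888
'@

Get-RecoveryPassword $sample      # parser check against the constructed sample
Get-VolumeRecoveryPassword        # live query of the system drive
```

The result goes to standard output only, so the recovery password is not left in a file on the protected volume; if a procedure needs a file such as c:\kworking\bitlocker.key, delete it once the value has been read.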