Question
Monday, June 9, 2014 3:15 PM
Hi all! I have an odd issue regarding the use of the Get-ADObject PowerShell cmdlet to retrieve BitLocker recovery passwords in AD. I recently wrote a function that outputs some BitLocker information for computer objects in AD, and this includes the recovery password. I wrote and tested this function on Windows 7 SP1 with RSAT and PowerShell 4.0. The following command outputs the required properties:
Get-ADObject -SearchBase $Computer.distinguishedname -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -Properties msfve-recoverypassword
DistinguishedName : CN=2014-04-21T15:42:33-05:00{DE0F4423-2854-49F7-A67E-D020AE4285BC},CN=Computer,OU=Laptops,DC=domain,DC=com
msfve-recoverypassword : 347325-398764-214148-283921-222904-575740-157267-411976
Name : 2014-04-21T15:42:33-05:00{DE0F4423-2854-49F7-A67E-D020AE4285BC}
ObjectClass : msFVE-RecoveryInformation
ObjectGUID : 23b04f9a-4afb-437b-a143-17f0ae7bc5d6
PropertyNames : {DistinguishedName, msfve-recoverypassword, Name, ObjectClass...}
PropertyCount : 5
However, when I use the same command on Windows 8.1 I do not get the msfve-RecoveryPassword in the output:
Get-ADObject -SearchBase $Computer.distinguishedname -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -Properties msfve-recoverypassword
DistinguishedName : CN=2014-04-21T15:42:33-05:00{DE0F4423-2854-49F7-A67E-D020AE4285BC},CN=Computer,OU=laptops,DC=domain,DC=com
Name : 2014-04-21T15:42:33-05:00{DE0F4423-2854-49F7-A67E-D020AE4285BC}
ObjectClass : msFVE-RecoveryInformation
ObjectGUID : 23b04f9a-4afb-437b-a143-17f0ae7bc5d6
PropertyNames : {DistinguishedName, Name, ObjectClass, ObjectGUID}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 4
Does anyone know why this doesn't work in Windows 8.1? Please also note that Windows 8.1 has UAC enabled and the Windows 7 machine I tested on did not. However, in Windows 8.1 the console is launched as administrator. Could UAC play a part in this? Thanks!
All replies (9)
Monday, June 9, 2014 3:40 PM
Might the same policy apply to the Windows 8.1 machine, so that it does not save the recovery key to AD? Can you confirm with ADUC that a recovery key really exists in AD for this machine?
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
Monday, June 9, 2014 6:18 PM
Sorry, I should have clarified those points. Yes, I have verified that the recovery password does exist, both in ADUC and via dsquery. I have considered rewriting my script to use dsquery since it seems to be more consistent across OSes, but the PowerShell objects are just so much easier to consume, especially when there is more than one recovery object for each computer.
You can see in the output above that running the Get-ADObject command on a Windows 7 computer returns the recovery password but running the same command in Windows 8.1 does not. I am unable to determine the difference other than UAC. Of course, this is a different version of RSAT as well.
Tuesday, June 10, 2014 11:30 AM
Ok, I feel kinda dumb now! This appears to be an odd permissions thing. My standard account does not have permission to view these recovery passwords, so I use the -Credential parameter with Get-ADObject and an administrative account. For some reason this was not working yesterday. I closed PowerShell and opened a new session and it began working again.
UAC doesn't appear to be involved since I can retrieve these from a normal console or an elevated one.
Odd, but fine. Thanks for the help!
Thursday, June 12, 2014 6:16 PM
Ok, I hate to bump this, but the issue has returned! It really seems to be a problem with Get-ADObject since I can retrieve the Recovery Password with ADUC but cannot retrieve it with Powershell. It simply doesn't return the property at all. I tried switching back to Windows 7 from Windows 8.1 and this time got the same behavior.
What can possibly cause this inconsistency? Thanks!
Monday, June 16, 2014 10:27 AM
Hi Matt,
How about running Get-Member to list all properties and check whether the property "msfve-RecoveryPassword" exists:
$test=Get-ADObject -SearchBase $Computer.distinguishedname -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -Properties msfve-recoverypassword
$test|gm
In addition, you can also try this cmdlet to get the BitLocker recovery key from the computer you want to query:
(Get-BitLockerVolume -MountPoint C).KeyProtector
Best Regards,
Anna
TechNet Community Support
Monday, June 16, 2014 12:14 PM
Anna,
When this command works it does return the msfve-recoverypassword property, but when it fails to work it does not include it. It's very odd, it works 80% of the time but at some point nearly every day I cannot get the command to return this property, even with domain admin credentials.
I am unable to tell whether this is a problem with the Get-ADObject cmdlet or with permissions/UAC. When the problem is occurring I have no trouble getting the recovery password from ADUC.
Also, the Get-BitLockerVolume cmdlet is for the local computer. I really need to be able to retrieve this information from Active Directory rather than from the client machine itself. This is for reporting and for recovery events when our technicians need to unlock a drive.
Thanks!
Monday, June 16, 2014 4:07 PM
It just happened again. It seems that the issue may be kicked off when a new computer is imaged and joined to Active Directory and a BDE recovery object is backed up to AD. When this happens, I lose the ability to return recovery passwords from PowerShell. I can still recover them from ADUC during this time. After about 30 minutes the capability returns in Windows PowerShell.
This seems like really odd behavior. Is there some sort of indexing procedure for the msfve-recoveryinformation objects that prevents this access?
Thanks!
Friday, March 16, 2018 2:16 PM
This is an old thread, but maybe you are not accessing the same domain controller using both ways. AD sync can cause discrepancies that disappear after a while.
Friday, March 16, 2018 6:58 PM
Yeah, this is an old thread that I had completely forgotten about! I was never able to find a solution to this problem. The issue did not seem to be replication. If it were I would expect to get out of date information during replication lag. In this case, whenever there were changes to *any* recovery password object, then I was not able to view *any* recovery password, not just the one that was changed.
Also, the same recovery password that I can't get in PowerShell with Get-ADObject is available in ADUC, even when working against the same domain controller.
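The following is an added example, not code posted by anyone in this thread. It puts the query from the original question and the "same domain controller" suggestion from the 2018 reply into one function: every cmdlet is pinned to an explicit -Server and -Credential so the PowerShell result and the ADUC check are known to come from the same DC under the same identity, and it flags recovery objects that were returned without the msFVE-RecoveryPassword attribute (which is what a denied attribute read looks like, since no error is raised). A second function reads the same objects over plain LDAP with System.DirectoryServices, bypassing Active Directory Web Services, so the two paths can be compared against one DC. The function names, the parameter names and the computer name LAPTOP01 are assumptions for illustration; the attribute and class names are the ones from the thread.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory RSAT
# module and an account allowed to read msFVE-RecoveryPassword, which is a
# confidential attribute in the default schema (Domain Admins can read it).
function Get-BitLockerRecoveryFromAD {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Pin every call to one DC so PowerShell and ADUC are compared against the same server.
        [string] $Server,
        [System.Management.Automation.PSCredential] $Credential
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    if (-not $Server) {
        # Default to a DC that runs Active Directory Web Services, which the AD module requires.
        $Server = (Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1
    }

    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    $computer = Get-ADComputer -Identity $ComputerName @common

    # msFVE-RecoveryInformation objects are direct children of the computer object.
    $recoveryObjects = Get-ADObject @common `
        -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    foreach ($obj in $recoveryObjects) {
        # Object present but attribute missing means the DC withheld the attribute
        # for this identity; the cmdlet does not raise an error in that case.
        $password = $obj.'msFVE-RecoveryPassword'
        [pscustomobject]@{
            ComputerName     = $computer.Name
            DomainController = $Server
            Created          = $obj.whenCreated
            RecoveryGuid     = if ($obj.'msFVE-RecoveryGuid') { [guid][byte[]]$obj.'msFVE-RecoveryGuid' } else { $null }
            VolumeGuid       = if ($obj.'msFVE-VolumeGuid')   { [guid][byte[]]$obj.'msFVE-VolumeGuid' }   else { $null }
            RecoveryPassword = $password
            PasswordReadable = [bool]$password
        }
    }
}

# Cross-check over LDAP (the protocol ADUC uses) against the same DC, without
# going through Active Directory Web Services.
function Get-BitLockerRecoveryViaLdap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerDistinguishedName,
        [Parameter(Mandatory)] [string] $Server,
        [System.Management.Automation.PSCredential] $Credential
    )

    $path = "LDAP://$Server/$ComputerDistinguishedName"
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($path)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, '(objectClass=msFVE-RecoveryInformation)')
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.AddRange(@('msFVE-RecoveryPassword', 'whenCreated', 'distinguishedName'))

    foreach ($result in $searcher.FindAll()) {
        # DirectorySearcher lower-cases property names in the result collection.
        $password = $result.Properties['msfve-recoverypassword']
        [pscustomobject]@{
            DistinguishedName = $result.Properties['distinguishedname'][0]
            DomainController  = $Server
            Created           = $result.Properties['whencreated'][0]
            RecoveryPassword  = if ($password.Count) { $password[0] } else { $null }
            PasswordReadable  = [bool]$password.Count
        }
    }
}

# Usage (assumed names): run both against the DC that ADUC is connected to and compare.
# $cred = Get-Credential
# $adws = Get-BitLockerRecoveryFromAD -ComputerName LAPTOP01 -Server dc01.domain.com -Credential $cred
# $ldap = Get-BitLockerRecoveryViaLdap -ComputerDistinguishedName (Get-ADComputer LAPTOP01 -Server dc01.domain.com).DistinguishedName -Server dc01.domain.com -Credential $cred
# $adws | Format-Table Created, PasswordReadable, RecoveryPassword
# $ldap | Format-Table Created, PasswordReadable, RecoveryPassword
```

If the LDAP path returns the password while the AD-module path against the same DC returns the object without the attribute for the same credential, the discrepancy is in the ADWS query path rather than in AD permissions or replication; if both paths agree, compare the output of the same calls against a second -Server to rule replication lag in or out. Either way, keep the output off disk: a recovery password is equivalent to the volume's key material.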