Not able to retrieve bitlocker key

This topic contains 4 replies, has 3 voices, and was last updated by David Flores 2 months, 1 week ago.

  • #73201

    Ben
    Participant

    Hi Everyone

    I am having some issues trying to retrieve bitlocker information from the DC.

    # "computername" is a placeholder for the AD computer account to look up
    $computer = Get-ADComputer computername

    # The msFVE-RecoveryInformation objects are children of the computer object,
    # so the computer's DistinguishedName is used as the search base
    Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" | select msFVE-RecoveryPassword

    I have used this code twice to successfully retrieve the bitlocker key; the resulting bitlocker keys are ordered in descending order.

    However, recently on the same DC I am unable to retrieve the information. I am able to see the bitlocker information when I open up AD to manually look up the information, but running the code recently doesn't return any results, whereas it did before. No errors come up; it just returns to the prompt. I have located other code for retrieving the bitlocker key, but this too does not return any information to me; again it just takes me back to the prompt without any errors.

    I am running this query on a Server 2008 R2 Standard which is hosted on a VM.

    I would greatly appreciate it if anyone can help.

    Ben

  • #73283

    Don Jones
    Keymaster

    I'd have to look at the specific permissions on that attribute. It's possible some patch changed them so they can't be queried in the same way.

    • #73639

      Ben
      Participant

      Thanks for the tip, Don. I looked at a number of patches that had been applied last month on the server. A number of them were security patches for .NET Framework 3.5.1, but I was not able to find the relevant information on the MS site to give me more detail. I am going to ask the MS community to see what help they can provide.

  • #76894

    Ben
    Participant

    OK, I had another look into this. For some reason the code is working on one of the DCs but not on the other, though both DCs are Windows Server 2008 R2 Standard. On both I can see the bitlocker key in the AD GUI, but I am not sure why the PowerShell code works on one DC but not the other, with no errors on the second DC as mentioned earlier.

    I think this thread can be closed. Thanks for replying, Don. :)

  • #77010

    David Flores
    Participant

    Is there any chance you're running PowerShell as "Admin" on one DC but not the other? In 2008 and above a lot of attributes are hidden unless you run your queries as Admin.

    Also, what happens when you target the bad DC from the good DC? Try this (where BADDC is the name of your failing server):

    Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" -Server BADDC | select msFVE-RecoveryPassword

    Do you get the expected results? How about when you do the opposite and query the good DC from the bad one?
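    The two checks David suggests (elevation, and querying each DC explicitly), combined into one script as an added example that is not code from this thread. It assumes the ActiveDirectory module is installed, and the computer name WORKSTATION01 is a placeholder.

    ```powershell
    # Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
    # is installed and the account can read msFVE-RecoveryInformation objects.
    Import-Module ActiveDirectory

    function Get-BitLockerRecoveryInfo {
        param(
            [Parameter(Mandatory = $true)] [string] $ComputerName,
            # Default: every DC in the domain, so a per-DC difference becomes visible.
            [string[]] $Server = (Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
        )
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        foreach ($dc in $Server) {
            $objects = Get-ADObject -Server $dc `
                -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' `
                -SearchBase $computer.DistinguishedName `
                -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'
            if (-not $objects) {
                # The silent "back to the prompt" case from the thread: report it explicitly.
                Write-Warning "$dc : no msFVE-RecoveryInformation objects under $($computer.DistinguishedName)"
                continue
            }
            foreach ($obj in ($objects | Sort-Object whenCreated -Descending)) {
                if (-not $obj.'msFVE-RecoveryPassword') {
                    # Object visible but attribute blank: usually a read permission problem on the attribute.
                    Write-Warning "$dc : $($obj.DistinguishedName) found, but msFVE-RecoveryPassword was not readable"
                }
                $guid = $null
                if ($obj.'msFVE-RecoveryGuid') {
                    # Stored as an octet string; the GUID is what the BitLocker recovery screen shows as the key ID.
                    $guid = New-Object Guid -ArgumentList (,[byte[]]$obj.'msFVE-RecoveryGuid')
                }
                New-Object PSObject -Property @{
                    Server           = $dc
                    ComputerName     = $ComputerName
                    RecoveryGuid     = $guid
                    WhenCreated      = $obj.whenCreated
                    RecoveryPassword = $obj.'msFVE-RecoveryPassword'
                }
            }
        }
    }

    # Elevation check, for the "running PowerShell as Admin" question.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'This session is not elevated.'
    }

    # Placeholder computer name; compare each DC's rows side by side.
    Get-BitLockerRecoveryInfo -ComputerName 'WORKSTATION01' | Format-Table Server, WhenCreated, RecoveryGuid, RecoveryPassword -AutoSize
    ```

    A DC that warns "no msFVE-RecoveryInformation objects" while another returns rows points at replication or a query-side difference; a DC that returns rows with a blank password points at attribute-level read permissions.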
