Get SCCM BitLocker Recovery Key using Console Extension | PowerShell Script

Let's look at the easiest way to get the SCCM BitLocker recovery key for a device using a console extension. There are other ways to retrieve the recovery key, such as a SQL query against the site database or the MEM Admin Center when the Cloud Attach feature is enabled.

Let's see the easiest method to check the recovery key from the SCCM admin console itself. I think this option is useful for helpdesk admins, who can get the BitLocker recovery key directly from the admin console. Also check out the SCCM BitLocker PowerShell script that retrieves the recovery key.

Traditionally, organizations used MBAM with Active Directory integration to manage BitLocker recovery keys. Many of them have since migrated to the SCCM BitLocker solution. BitLocker recovery keys are stored in the SCCM database in encrypted form.

Use SCCM to manage BitLocker Drive Encryption (BDE) for on-premises Active Directory joined Windows 10 or 11 clients. The administration and monitoring website (helpdesk portal) and the self-service portal are also part of the SCCM BitLocker solution.


This post assumes you have already planned and completed the setup of BitLocker with SCCM, that all settings are configured as per the Microsoft documentation, and that encryption works fine from the Windows client side.

SCCM Bitlocker Console Extension

Let's learn about the SCCM BitLocker console extension that gets the recovery key for a Windows 11/10 client. It is published by Seth, a Microsoft software engineer on the SCCM (MEM) team.

I have explained the XML-based architecture of console extensions, and the new way of installing them, in the SCCM Right Click Tools Community Console Extension post.

Console Extension global settings can be configured from SCCM console -> \Administration\Overview\Site Configuration\Sites -> Hierarchy settings -> General tab.


Download

The SCCM BitLocker Recovery Key console extension is published in the Community Hub. You can use the following link to get direct access to it and download the BitLocker Recovery Key console extension.


An internet connection is required to download the content from GitHub through the Community Hub. Once the content is downloaded, the Get BitLocker Recovery Key for a Device console extension is created.

You can navigate to the following location in the SCCM console to get more details on the new right-click tool for the BitLocker recovery key of Windows 11/10 devices. The Console Extensions node is the new home for all modern console extensions.

  • Navigate to \Administration\Overview\Updates and Servicing\Console Extensions.
  • Check out the Get BitLocker Recovery Key console extension.

Install SCCM Bitlocker Recovery Key Console Extension

Let's install the SCCM BitLocker Recovery Key console extension. Before installing it, you need to approve it with the Approve Installation button. The local Install button stays disabled until the extension is approved for installation.

Let's follow the steps to approve the installation; once approved, you can install the extension on the local computer/server.

  • Select the Get BitLocker Recovery Key extension and click on the Approve Installation button.
  • Click on Yes on the message box: "Are you sure you want to approve the selected console extensions for installation?"
  • Ensure the Approved column says YES against the Get BitLocker Recovery Key extension.
  • Click on the Install button from the Local Extension section, as shown in the screenshot.
  • Click on the OK button when you see the message box with the following note.

This Install action will install the selected extension only on the local console. The console will get closed immediately after clicking on the OK button.

Make sure all other console instances are closed if you are doing this on a primary server or a terminal server. You get the following screen once the extension is installed. Click on the CLOSE button to restart the Configuration Manager console.



Make SCCM Bitlocker Recovery Key Extension Available

You can make the SCCM BitLocker Recovery Key extension available to other admins. Making an extension available, and marking it required for other admins, is one of the best use cases for the console notification feature.

You can make the extension required by clicking on the Require Extension button in the ribbon menu. Click on the YES button to confirm that the console extension is required.

NOTE! – If a required console extension isn't installed, it will install automatically the next time a user launches the console with local admin privileges. Users without local admin privileges won't be able to launch the console until the extension is installed.


The file location of Bitlocker Recovery Key Extension

Let's check the file location of the BitLocker Recovery Key extension. It is installed under the console directory, for example F:\Program Files\Microsoft Configuration Manager\AdminConsole\Extensions\3f72f649-c718-4f22-a993-d82e3920505b\ (the drive letter depends on where the console is installed).

This SCCM BitLocker recovery key extension calls a PowerShell script to get the recovery key details for a Windows 11 or Windows 10 device.

<ActionDescription Class="Executable" DisplayName="Get Recovery Key" MnemonicDisplayName="Get Recovery Key" Description="Gets the BitLocker Recovery Key for this device">
   <ShowOn>
      <string>DefaultContextualTab</string>
      <string>ContextMenu</string>
   </ShowOn>
   <Executable UseShellProcessing="false">
      <FilePath>powershell.exe</FilePath>
      <Parameters>-command .\..\Extensions\3f72f649-c718-4f22-a993-d82e3920505b\1.0\bin\RecoveryKey.ps1 ##SUB:ResourceId##</Parameters>
   </Executable>
</ActionDescription>

PowerShell Script to Get SCCM Bitlocker Recovery Key

Let's check the PowerShell script that gets the SCCM BitLocker recovery key. This is the script shipped as part of the console extension created by Seth.

NOTE! – This script is also an example of how to use AdminService communication for intranet scenarios, both HTTPS and Enhanced HTTP (no PKI certificate required).

Param (
    [string]$MachineId
)

# This function expects console to be installed
$ConsoleDir = "$ENV:SMS_ADMIN_UI_PATH\.."

function Connect-CMAdminService {

    $WqlConnectionManager = Get-WmiConnectionManager
    $ProviderMachineName = $WqlConnectionManager.NamedValueDictionary["ProviderMachineName"];

    # Create ODataConnectionManager to communicate with AdminService
    Add-Type -Path "$ConsoleDir\AdminUI.ODataQueryEngine.dll"
    $ODataConnectionManager = New-Object -TypeName "Microsoft.ConfigurationManagement.ManagementProvider.ODataQueryEngine.ODataConnectionManager" -ArgumentList $WqlConnectionManager.NamedValueDictionary,$WqlConnectionManager
    [void]($ODataConnectionManager.Connect($ProviderMachineName))

    return $ODataConnectionManager;
}

function Get-WmiConnectionManager {
    
    # Get the provider machine - add server name if remote from the site server
    $AllProviderLocations=Get-WmiObject -Query "SELECT * FROM SMS_ProviderLocation" -Namespace "root\sms"
    foreach($ProviderLocation in $AllProviderLocations)
    {
        $ProviderMachineName = $ProviderLocation.Machine

        # Pick first provider
        break;
    }

    Add-Type -Path "$ConsoleDir\AdminUI.WqlQueryEngine.dll"
    $WqlConnectionManager = New-Object -TypeName "Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager"
    [void]($WqlConnectionManager.Connect($ProviderMachineName))

    return $WqlConnectionManager;
}

function Invoke-CMGet {
    param (
        $odata,
        $query
    )

    # Use OData connection manager

    # This path takes care of admin service communication for intranet scenarios, both HTTPS and Enhanced HTTP (no PKI cert required)
    $results = $odata.ODataServiceCaller.ExecuteGetQuery($odata.BaseUrl + $query, $null);
    if ($null -ne $results)
    {
        return ($results.ToString() | ConvertFrom-Json).value;
    }
    return $null;

    # Using invoke REST method, for the intranet scenario, requires PKI cert bound to the port, but the same method can be used for token auth scenarios
    # $uri = $odata.BaseUrl + $query;
    # return (Invoke-RestMethod -Method Get -Uri $uri -UseDefaultCredentials).value;
}

function Invoke-CMPost {
    param (
        $odata,
        $query,
        $body
    )

    $jsonBody = (ConvertTo-Json $body);

    # Enable this to troubleshoot POST issues
    # Write-Host ($odata.BaseUrl + $query)
    # Write-Host $jsonBody

    # This path takes care of admin service communication for intranet scenarios, both HTTPS and Enhanced HTTP (no PKI cert required)
    $results = $odata.ODataServiceCaller.ExecutePost($odata.BaseUrl + $query, $null, $jsonBody);
    if ($null -ne $results)
    {
        return ($results.ToString() | ConvertFrom-Json);
    }
    return $null;

    # Using invoke REST method, for the intranet scenario, requires PKI cert bound to the port, but the same method can be used for token auth scenarios
    # $uri = $odata.BaseUrl + $query;
    # return (Invoke-RestMethod -Method Post -Uri $uri -UseDefaultCredentials -Body $jsonBody -ContentType "application/json");
}

function Get-CMDevice-GetRecoveryKeys {
    param (
        [string]$DeviceKey
    )
    
    $uri = "v1.0/Device($($DeviceKey))/RecoveryKeys";
    $odata = Connect-CMAdminService
    $results = Invoke-CMGet $odata $uri
    return $results
}

function Get-CMDevice-PostRecoveryKeyValue {
    param (
        [string]$MachineId,
        [string]$KeyId
    )
    
    $uri = "v1.0/Device($($MachineId))/AdminService.GetRecoveryKeyValue";
    $odata = Connect-CMAdminService
    $body = @{
        RecoveryKeyId = $KeyId;
    };
    Invoke-CMPost $odata $uri $body
}

$KeyIds = Get-CMDevice-GetRecoveryKeys $MachineId
Write-Output ($KeyIds | Format-List | Out-String)

if ([string]::IsNullOrEmpty($KeyIds))
{
    Write-Output "This device does not have any recovery key."
}
else
{
    $KeyId = Read-Host -Prompt "Enter the RecoveryKeyId you want the value for"
    $KeyValues = Get-CMDevice-PostRecoveryKeyValue $MachineId $KeyId
    Write-Output ($KeyValues | Format-List | Out-String)   
}
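As an added example, not the extension's own RecoveryKey.ps1, here are the same two AdminService calls made with Invoke-RestMethod (the path the original script leaves commented out) so the tool can run from a remote console, with the device ResourceId and the typed RecoveryKeyId validated before they are sent. It assumes the AdminService answers over HTTPS on the SMS Provider named in $ProviderFqdn (PKI certificate bound to the port) and that the caller is authorised in ConfigMgr to read recovery keys; $ProviderFqdn, the two function names and the sample host name are placeholders.

```powershell
# Added example (not the extension's RecoveryKey.ps1). Assumes the AdminService is reachable
# over HTTPS on $ProviderFqdn and the caller is authorised to read recovery keys.
Param (
    [Parameter(Mandatory)][string]$ProviderFqdn,   # SMS Provider host, e.g. sccm01.corp.example (placeholder)
    [Parameter(Mandatory)][string]$MachineId        # ##SUB:ResourceId## passed in by action.xml
)

# ResourceId is a plain integer; reject anything else before it is spliced into a URL.
if ($MachineId -notmatch '^\d+$') {
    throw "MachineId must be a numeric ResourceId, got '$MachineId'"
}

$BaseUrl = "https://$ProviderFqdn/AdminService/"

function Get-RecoveryKeyIds {
    param([string]$DeviceKey)
    $uri = $BaseUrl + "v1.0/Device($($DeviceKey))/RecoveryKeys"
    try {
        return (Invoke-RestMethod -Method Get -Uri $uri -UseDefaultCredentials).value
    } catch {
        # A not-found error here typically means the ResourceId is not a device on this site.
        Write-Warning "GET $uri failed: $($_.Exception.Message)"
        return $null
    }
}

function Get-RecoveryKeyValue {
    param([string]$DeviceKey, [string]$KeyId)
    # RecoveryKeyId is a GUID; validate the typed value so an arbitrary string is never posted.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($KeyId, [ref]$parsed)) {
        throw "RecoveryKeyId '$KeyId' is not a GUID"
    }
    $uri  = $BaseUrl + "v1.0/Device($($DeviceKey))/AdminService.GetRecoveryKeyValue"
    $body = @{ RecoveryKeyId = $parsed.ToString() } | ConvertTo-Json
    return Invoke-RestMethod -Method Post -Uri $uri -UseDefaultCredentials `
        -Body $body -ContentType 'application/json'
}

$keys = Get-RecoveryKeyIds $MachineId
if (-not $keys) {
    Write-Output 'This device does not have any recovery key.'
} else {
    $keys | Format-List | Out-String | Write-Output
    $chosen = Read-Host -Prompt 'Enter the RecoveryKeyId you want the value for'
    Get-RecoveryKeyValue $MachineId $chosen | Format-List | Out-String | Write-Output
}
# Keep the window open so errors stay readable when launched from the right-click tool.
Read-Host -Prompt 'Press Enter to close' | Out-Null
```

Because the PowerShell window is held open at the end, a failed GET or POST is visible instead of the window closing immediately.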

Right Click Tool – SCCM Bitlocker Recovery Key

Let's look at the right-click tool that gets the SCCM BitLocker recovery key by calling the PowerShell script RecoveryKey.ps1.

You can navigate to the following location in the console to reach the "Get Recovery Key" right-click menu option.

  • Navigate to \Assets and Compliance\Overview\Devices.
  • Select the device for which you want to get the BitLocker recovery key.
  • Right-click on the device object and select the Get Recovery Key option at the bottom of the menu, as you can see in the screenshot.

The following screenshot shows an example where a device has no BitLocker recovery key. The results are shown in the PowerShell window. This is not a perfect enterprise-class solution, but it works fine for helpdesk admins.


Tenant Attach | Cloud Attach Recovery Key Option

Let's see the best option to get the BitLocker recovery key for Tenant Attach/Cloud Attach Windows 11 or Windows 10 devices. You can get the recovery key details from the MEM Admin Center portal.

You can navigate to the following option from the Devices node in the MEM Admin Center (Intune) portal. The recovery key option is available only for Tenant Attach/Cloud Attach and co-managed scenarios.


19 thoughts on “Get SCCM BitLocker Recovery Key using Console Extension | PowerShell Script”

    • Are you able to check the recovery key from the web portals for all the devices? I wanted to make sure that everything related to SCCM BitLocker is working perfectly fine.

  1. When I run it, I can see the PowerShell window open then quickly close. Nothing else much happens. Has anyone found a resolution for that?

  2. Get-WmiObject : Invalid namespace "root\sms"
    At line:24 char:27
    + … erLocations=Get-WmiObject -Query "SELECT * FROM SMS_ProviderLocation" …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    Exception calling "Connect" with "1" argument(s): "Value cannot be null.
    Parameter name: configMgrServerPath"
    At line:35 char:5
    + [void]($WqlConnectionManager.Connect($ProviderMachineName))
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

    Exception calling "Connect" with "1" argument(s): "parameter cannot be null, empty or whitespace"
    At line:16 char:5
    + [void]($ODataConnectionManager.Connect($ProviderMachineName))
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

    You cannot call a method on a null-valued expression.
    At line:49 char:5
    + $results = $odata.ODataServiceCaller.ExecuteGetQuery($odata.BaseU …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

  3. Worked fine for me, but how can users obtain the key for their device? I am missing the self-service portal like the MBAM server has.
    Best wishes

  4. Hello
    If you receive "Get-WmiObject : Invalid namespace "root\sms"", you need to edit the PowerShell script at the location:
    C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\Extensions\3f72f649-c718-4f22-a993-d82e3920505b\1.0\bin\RecoveryKey.ps1 (or equivalent) …. At line 24, also add: -ComputerName "YourSCCMSiteServerName".

    Ex:

    $AllProviderLocations=Get-WmiObject -Query "SELECT * FROM SMS_ProviderLocation" -Namespace "root\sms" -ComputerName "YourSCCMSiteServerName"

  5. I made the modification and the error disappears, but whatever computer I check that has BitLocker activated, the script always exits with: "This device does not have any recovery key"

    Any idea of what makes it not work properly?

    Thanks

  6. I made the edit Cristi suggested, and it gets past that, but then I get this error. I am in no way a PS person, so any help here is appreciated.

    Exception calling "ExecuteGetQuery" with "2" argument(s): "PageNotFound"
    At line:49 char:5
    + $results = $odata.ODataServiceCaller.ExecuteGetQuery($odata.BaseU …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ODataObjectNotFoundException

    This device does not have any recovery key.

  7. To get this to work from a remote system:

    action.xml:
    line 8: -executionpolicy remotesigned -command xxxxxxx

    recoverykey.ps1
    line 24: $AllProviderLocations=Get-WmiObject -computername SCCMPRIMARYSERVER -Query xxxxxxxxxx

  8. I have applied all the suggested fixes so far, but I am now getting the same thing as Warren: when I run it, I can see the PowerShell window open, then quickly close. Nothing else much happens.

    Any suggestions on what we can try to fix this?

    Thank you!

  9. Hello,

    I have tried it on the primary SCCM server and it works very well. This is exactly what I need for local IT staff. I cannot let them use the site server for this purpose, so I am looking for a way to run it remotely. Of course I am getting the same results as above, so I want to ask you folks if anybody managed to get this right-click tool running with a remote console.

    Thanx!

  10. @Tad let me add another thing.
    If somebody works with PowerShell every day, he has set his own profile.ps1.
    The script fails on permissions for that file.
    To avoid these red lines, add this parameter in the action.xml file:
    -NoProfile

    It will look like:
    -ExecutionPolicy RemoteSigned -NoProfile -command .\..\Extensions\3f72f649-c718-4f22-a993-d82e3920505b\1.0\bin\RecoveryKey.ps1 ##SUB:ResourceId##

  11. Is there any way to get this extension installed into an "offline" SCCM environment that does not have Internet access? I work in disconnected environments and am implementing BitLocker and would like to have this tool, in concert with SCCM BitLocker control.

  12. I installed the extension in my console. Previously, when I would right-click on a machine I would see the option to get the recovery key. However, now the option is not there on any console. I removed the extension and re-installed it. Same issue. The option is no longer there. What has gone wrong?
