function get-bitlockerEscrowStatusForAzureADDevices{ Import-Module AzureRM.Profile if ($Credential) { Try { Write-Verbose “Retrieved $($allDevices.Count) devices from AzureAD, processing information…”<\/p>\n $csvEntries = @() } $csvEntries += [PSCustomObject]@{“Name”=$device.displayName;“BitlockerKeysUploadedToAzureAD”=$keysKnownToAzure;“OS Drive encrypted”=$osDriveEncrypted;“lastKeyUploadDate”=$lastKeyUploadDate;“DeviceAccountEnabled”=$device.accountEnabled;“managed”=$device.isManaged;“ManagedBy”=$device.managedBy;“lastLogon”=$device.approximateLastLogonTimeStamp;“Owner”=$device.Owner.userPrincipalName;“bitlockerKeys”=$bitlockerKeys;“OS”=$device.deviceOSType;“OSVersion”=$device.deviceOSVersion;“Trust Type”=$device.deviceTrustType;“dirSynced”=$device.dirSyncEnabled;“Compliant”=$device.isCompliant;“Corporate”=$device.Ownership;“Personal”=$device.Ownership} get-bitlockerEscrowStatusForAzureADDevices<\/p>\n Here is the error function get-bitlockerEscrowStatusForAzureADDevices{ Import-Module AzureRM.Profile if ($Credential) { Try { Write-Verbose “Retrieved $($allDevices.Count) devices from AzureAD, processing information…”<\/p>\n $csvEntries = @() } $csvEntries += [PSCustomObject]@{“Name”=$device.displayName;“BitlockerKeysUploadedToAzureAD”=$keysKnownToAzure;“OS Drive encrypted”=$osDriveEncrypted;“lastKeyUploadDate”=$lastKeyUploadDate;“DeviceAccountEnabled”=$device.accountEnabled;“managed”=$device.isManaged;“ManagedBy”=$device.managedBy;“lastLogon”=$device.approximateLastLogonTimeStamp;“Owner”=$device.Owner.userPrincipalName;“bitlockerKeys”=$bitlockerKeys;“OS”=$device.deviceOSType;“OSVersion”=$device.deviceOSVersion;“Trust Type”=$device.deviceTrustType;“dirSynced”=$device.dirSyncEnabled;“Compliant”=$device.isCompliant;“Corporate”=$device.Ownership;“Personal”=$device.Ownership} get-bitlockerEscrowStatusForAzureADDevices<\/p>\n Here is the error If you post code, please use the ‘Insert Code’ button. Please and thank you!<\/p>\n
\n#Requires<\/span> -Modules ImportExcel
\n<#
\n.SYNOPSIS
\nRetrieves bitlocker key upload status for all azure ad devices
\n.DESCRIPTION
\nUse this report to determine which of your devices have backed up their bitlocker key to AzureAD (and find those that haven’t and are at risk of data loss!).
\nReport will be stored in current folder.
\n.EXAMPLE
\nget-bitlockerEscrowStatusForAzureADDevices
\n.PARAMETER Credential
\nOptional, pass a credential object to automatically sign in to Azure AD. Global Admin permissions required
\n.PARAMETER showBitlockerKeysInReport
\nSwitch; if supplied, the report will show the actual recovery keys. Be careful where you distribute the report if you use this
\n.PARAMETER showAllOSTypesInReport
\nBy default, only the Windows OS is reported on. If for some reason you want the additional information this report gives you about devices in general, you can add this switch to show all OS types
\n.NOTES
\nfilename: get-bitlockerEscrowStatusForAzureADDevices.ps1
\nauthor: Jos Lieben
\nblog: www.lieben.nu<\/a>
\ncreated: 9/4/2019
\n#>
\n[cmdletbinding()]
\nParam(
\n$Credential,
\n[Switch]$showBitlockerKeysInReport,
\n[Switch]$showAllOSTypesInReport
\n)<\/p>\n
\nif (Get-Module -Name “AzureADPreview” -ListAvailable) {
\nImport-Module AzureADPreview
\n} elseif (Get-Module -Name “AzureAD” -ListAvailable) {
\nImport-Module AzureAD
\n}<\/p>\n
\nTry {
\nConnect-AzureAD -Credential $Credential -ErrorAction Stop | Out-Null
\n} Catch {
\nWrite-Warning “Couldn’t connect to Azure AD non-interactively, trying interactively.”
\nConnect-AzureAD -TenantId $(($Credential.UserName.Split(“@”))[1]) -ErrorAction Stop | Out-Null
\n}<\/p>\n
\nLogin-AzureRmAccount -Credential $Credential -ErrorAction Stop | Out-Null
\n} Catch {
\nWrite-Warning “Couldn’t connect to Azure RM non-interactively, trying interactively.”
\nLogin-AzureRmAccount -TenantId $(($Credential.UserName.Split(“@”))[1]) -ErrorAction Stop | Out-Null
\n}
\n} else {
\nLogin-AzureRmAccount -ErrorAction Stop | Out-Null
\n}
\n$context = Get-AzureRmContext
\n$tenantId = $context.Tenant.Id
\n$refreshToken = @($context.TokenCache.ReadItems() | where {$.tenantId -eq $tenantId -and $<\/em>.ExpiresOn -gt (Get-Date)})[0].RefreshToken
\n$body = “grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6”
\n$apiToken = Invoke-RestMethod \" https://login.windows.net/$tenantId/oauth2/token\"<\/a> ; -Method POST -Body $body -ContentType ‘application/x-www-form-urlencoded’
\n$restHeader = @{
\n‘Authorization’ = 'Bearer ’ + $apiToken.access_token
\n‘X-Requested-With’= ‘XMLHttpRequest’
\n‘x-ms-client-request-id’= [guid]::NewGuid()
\n‘x-ms-correlation-id’ = [guid]::NewGuid()
\n}
\nWrite-Verbose “Connected, retrieving devices…”
\n$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri \" https://main.iam.ad.ext.azure.com/api/Devices?nextLink=&queryParams={“searchText”%3A\"“}&top=15”<\/a> ; -Headers $restHeader
\n$allDevices = @()
\n$allDevices += $restResult.value
\nwhile($restResult.nextLink){
\n$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri \" https://main.iam.ad.ext.azure.com/api/Devices?nextLink=$([System.Web.HttpUtility]::UrlEncode($restRe<\/a> ; -Headers $restHeader
\n$allDevices += $restResult.value
\n}<\/p>\n
\nforeach($device in $allDevices){
\nif(!$showAllOSTypesInReport -and $device.deviceOSType -notlike “Windows*”){
\nContinue
\n}
\n$keysKnownToAzure = $False
\n$osDriveEncrypted = $False
\n$lastKeyUploadDate = $Null
\nif($device.deviceOSType -eq “Windows” -and $device.bitLockerKey.Count -gt 0){
\n$keysKnownToAzure = $True
\n$keys = $device.bitLockerKey | Sort-Object -Property creationTime -Descending
\nif($keys.driveType -contains “Operating system drive”){
\n$osDriveEncrypted = $True<\/p>\n
\n$lastKeyUploadDate = $keys[0].creationTime
\nif($showBitlockerKeysInReport){
\n$bitlockerKeys = “”
\nforeach($key in $device.bitlockerKey){
\n$bitlockerKeys += “$($key.creationTime)|$($key.driveType)|$($key.recoveryKey)|”
\n}
\n}else{
\n$bitlockerKeys = “HIDDEN FROM REPORT: READ INSTRUCTIONS TO REVEAL KEYS”
\n}
\n}else{
\n$bitlockerKeys = “NOT UPLOADED YET OR N/A”
\n$device.Ownership = “Corporate”
\n$device.Ownership = “Personal”
\n}<\/p>\n
\n}
\n$csvEntries | Export-Excel -workSheetName “BitlockerReport” -path “C:\\BitLockerReport.xlsx” -ClearSheet -TableName “BitlockerReport” -AutoSize -Verbose
\n}<\/p>\n
\nException setting “Ownership”: “The property ‘Ownership’ cannot be found on this object. Verify that the property exists and can be set.”<\/p>","upvoteCount":4,"answerCount":3,"datePublished":"2021-10-26T13:55:28.000Z","author":{"@type":"Person","name":"chet18","url":"https://community.spiceworks.com/u/chet18"},"suggestedAnswer":[{"@type":"Answer","text":"
\n#Requires<\/span> -Modules ImportExcel
\n<#
\n.SYNOPSIS
\nRetrieves bitlocker key upload status for all azure ad devices
\n.DESCRIPTION
\nUse this report to determine which of your devices have backed up their bitlocker key to AzureAD (and find those that haven’t and are at risk of data loss!).
\nReport will be stored in current folder.
\n.EXAMPLE
\nget-bitlockerEscrowStatusForAzureADDevices
\n.PARAMETER Credential
\nOptional, pass a credential object to automatically sign in to Azure AD. Global Admin permissions required
\n.PARAMETER showBitlockerKeysInReport
\nSwitch; if supplied, the report will show the actual recovery keys. Be careful where you distribute the report if you use this
\n.PARAMETER showAllOSTypesInReport
\nBy default, only the Windows OS is reported on. If for some reason you want the additional information this report gives you about devices in general, you can add this switch to show all OS types
\n.NOTES
\nfilename: get-bitlockerEscrowStatusForAzureADDevices.ps1
\nauthor: Jos Lieben
\nblog: www.lieben.nu<\/a>
\ncreated: 9/4/2019
\n#>
\n[cmdletbinding()]
\nParam(
\n$Credential,
\n[Switch]$showBitlockerKeysInReport,
\n[Switch]$showAllOSTypesInReport
\n)<\/p>\n
\nif (Get-Module -Name “AzureADPreview” -ListAvailable) {
\nImport-Module AzureADPreview
\n} elseif (Get-Module -Name “AzureAD” -ListAvailable) {
\nImport-Module AzureAD
\n}<\/p>\n
\nTry {
\nConnect-AzureAD -Credential $Credential -ErrorAction Stop | Out-Null
\n} Catch {
\nWrite-Warning “Couldn’t connect to Azure AD non-interactively, trying interactively.”
\nConnect-AzureAD -TenantId $(($Credential.UserName.Split(“@”))[1]) -ErrorAction Stop | Out-Null
\n}<\/p>\n
\nLogin-AzureRmAccount -Credential $Credential -ErrorAction Stop | Out-Null
\n} Catch {
\nWrite-Warning “Couldn’t connect to Azure RM non-interactively, trying interactively.”
\nLogin-AzureRmAccount -TenantId $(($Credential.UserName.Split(“@”))[1]) -ErrorAction Stop | Out-Null
\n}
\n} else {
\nLogin-AzureRmAccount -ErrorAction Stop | Out-Null
\n}
\n$context = Get-AzureRmContext
\n$tenantId = $context.Tenant.Id
\n$refreshToken = @($context.TokenCache.ReadItems() | where {$.tenantId -eq $tenantId -and $<\/em>.ExpiresOn -gt (Get-Date)})[0].RefreshToken
\n$body = “grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6”
\n$apiToken = Invoke-RestMethod \" https://login.windows.net/$tenantId/oauth2/token\"<\/a> ; -Method POST -Body $body -ContentType ‘application/x-www-form-urlencoded’
\n$restHeader = @{
\n‘Authorization’ = 'Bearer ’ + $apiToken.access_token
\n‘X-Requested-With’= ‘XMLHttpRequest’
\n‘x-ms-client-request-id’= [guid]::NewGuid()
\n‘x-ms-correlation-id’ = [guid]::NewGuid()
\n}
\nWrite-Verbose “Connected, retrieving devices…”
\n$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri \" https://main.iam.ad.ext.azure.com/api/Devices?nextLink=&queryParams={“searchText”%3A\"“}&top=15”<\/a> ; -Headers $restHeader
\n$allDevices = @()
\n$allDevices += $restResult.value
\nwhile($restResult.nextLink){
\n$restResult = Invoke-RestMethod -Method GET -UseBasicParsing -Uri \" https://main.iam.ad.ext.azure.com/api/Devices?nextLink=$([System.Web.HttpUtility]::UrlEncode($restRe<\/a> ; -Headers $restHeader
\n$allDevices += $restResult.value
\n}<\/p>\n
\nforeach($device in $allDevices){
\nif(!$showAllOSTypesInReport -and $device.deviceOSType -notlike “Windows*”){
\nContinue
\n}
\n$keysKnownToAzure = $False
\n$osDriveEncrypted = $False
\n$lastKeyUploadDate = $Null
\nif($device.deviceOSType -eq “Windows” -and $device.bitLockerKey.Count -gt 0){
\n$keysKnownToAzure = $True
\n$keys = $device.bitLockerKey | Sort-Object -Property creationTime -Descending
\nif($keys.driveType -contains “Operating system drive”){
\n$osDriveEncrypted = $True<\/p>\n
\n$lastKeyUploadDate = $keys[0].creationTime
\nif($showBitlockerKeysInReport){
\n$bitlockerKeys = “”
\nforeach($key in $device.bitlockerKey){
\n$bitlockerKeys += “$($key.creationTime)|$($key.driveType)|$($key.recoveryKey)|”
\n}
\n}else{
\n$bitlockerKeys = “HIDDEN FROM REPORT: READ INSTRUCTIONS TO REVEAL KEYS”
\n}
\n}else{
\n$bitlockerKeys = “NOT UPLOADED YET OR N/A”
\n$device.Ownership = “Corporate”
\n$device.Ownership = “Personal”
\n}<\/p>\n
\n}
\n$csvEntries | Export-Excel -workSheetName “BitlockerReport” -path “C:\\BitLockerReport.xlsx” -ClearSheet -TableName “BitlockerReport” -AutoSize -Verbose
\n}<\/p>\n
\nException setting “Ownership”: “The property ‘Ownership’ cannot be found on this object. Verify that the property exists and can be set.”<\/p>","upvoteCount":4,"datePublished":"2021-10-26T13:55:28.000Z","url":"https://community.spiceworks.com/t/what-am-i-missing-here-as-i-get-errors/815120/1","author":{"@type":"Person","name":"chet18","url":"https://community.spiceworks.com/u/chet18"}},{"@type":"Answer","text":"