As you may be aware, the AzureAD PowerShell module is being deprecated at the end of the year along with the Azure AD Graph endpoint. As a result, all customers need to migrate their code to the Microsoft Graph endpoint. This blog post shows how to use the Microsoft.Graph PowerShell module to get a list of devices that do not have a BitLocker recovery key in Azure AD. This applies to devices that are managed by Intune.
The Microsoft.Graph PowerShell documentation can be found here. The module must be installed first, and please note that the installation takes quite a bit of time, so be patient: it does not notify you when it is done, you will just eventually get a prompt again in PowerShell. I have seen it take as long as 30 minutes to complete.
We will be using two cmdlets in this script:
- Get-MgInformationProtectionBitlockerRecoveryKey (Microsoft.Graph.Identity.SignIns) to get the list of BitLocker recovery keys
- Get-MgDeviceManagementManagedDevice (Microsoft.Graph.DeviceManagement) to get the list of managed devices
We will then compare the two lists and keep only those devices whose Azure AD device id is not found in the list of BitLocker recovery keys. This script requires you to sign in interactively, as this cannot be performed in an application-only scenario. You will also need to be in one of the admin roles listed here.
Here is the script:
```powershell
# Gets a list of managed devices that do not have a BitLocker key and saves it to a .csv file
$outFilePath = 'c:\temp\DevicesWithNoRecoveryKeys.csv'
$hasError = $false

# Delegated (interactive) sign-in; these endpoints do not accept application-only tokens
Connect-MgGraph -Scopes "BitLockerKey.ReadBasic.All", "DeviceManagementManagedDevices.Read.All"
Select-MgProfile -Name v1.0

try {
    # All BitLocker recovery keys; deviceId is the Azure AD device id the key was escrowed for
    $BitLockerRecoveryKeys = Get-MgInformationProtectionBitlockerRecoveryKey -All -Property "id, createdDateTime, deviceId" -ErrorAction Stop -ErrorVariable GraphError |
        Select-Object -Property id, createdDateTime, deviceId

    # All Windows managed devices; azureADDeviceId is what we match against the key list
    $ManagedDevices = Get-MgDeviceManagementManagedDevice -All -Property "deviceName,id,azureADDeviceId" -Filter "operatingSystem eq 'Windows'" -ErrorAction Stop -ErrorVariable GraphError |
        Select-Object -Property deviceName, id, azureADDeviceId

    # Keep only the devices whose Azure AD device id has no recovery key (the result must be assigned, or the export below would contain every device)
    $DevicesWithoutKeys = $ManagedDevices | Where-Object { $PSItem.azureADDeviceId -notin $BitLockerRecoveryKeys.deviceId }
}
catch {
    Write-Host "Error downloading report: $($_.Exception.Message)"
    $hasError = $true
}

if (!$hasError) {
    try {
        # Write-Host "Writing to .csv file..."
        $DevicesWithoutKeys | Export-Csv -Path $outFilePath -NoTypeInformation
        Write-Host "Report saved at $outFilePath"
    }
    catch {
        Write-Host "Error saving .csv: $($_.Exception.Message)"
    }
}

Disconnect-MgGraph
```
Please edit the first variable to reflect a valid folder path for the output file. If the file is open when the script runs, you will get an error. The output of this script is the list of devices that did not have a BitLocker recovery key. All of the fields in the output are related to the device, not to the recovery keys.
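The comparison step, as an added example that is not part of the original post: it runs the same device-id matching offline on constructed sample objects (placeholder GUIDs, not tenant data), uses a case-insensitive set so duplicate keys for one device and differently-cased ids do not matter, and reports a managed device with no azureADDeviceId separately instead of silently counting it as missing a key. The function name and the `reason` column are this example's own additions.

```powershell
# Added example (not from the original post): compare the two Graph result lists offline.
function Get-DeviceWithoutRecoveryKey {
    param(
        [Parameter(Mandatory)] [object[]] $ManagedDevices,       # shape of Get-MgDeviceManagementManagedDevice output
        [Parameter(Mandatory)] [object[]] $BitLockerRecoveryKeys # shape of Get-MgInformationProtectionBitlockerRecoveryKey output
    )
    # Set of Azure AD device ids that have at least one escrowed key (GUID case is irrelevant)
    $keyedDeviceIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($key in $BitLockerRecoveryKeys) {
        if (-not [string]::IsNullOrWhiteSpace($key.deviceId)) { [void]$keyedDeviceIds.Add($key.deviceId) }
    }
    foreach ($device in $ManagedDevices) {
        if ([string]::IsNullOrWhiteSpace($device.azureADDeviceId)) {
            # Without an Azure AD device id the key lookup cannot be done; flag it explicitly
            # rather than letting "$null -notin ..." quietly put it in the no-key list.
            [pscustomobject]@{ deviceName = $device.deviceName; id = $device.id; azureADDeviceId = $null; reason = 'NoAzureADDeviceId' }
        }
        elseif (-not $keyedDeviceIds.Contains($device.azureADDeviceId)) {
            [pscustomobject]@{ deviceName = $device.deviceName; id = $device.id; azureADDeviceId = $device.azureADDeviceId; reason = 'NoRecoveryKey' }
        }
    }
}

# Constructed sample data; the GUIDs are placeholders, not real device ids.
$sampleKeys = @(
    [pscustomobject]@{ id = 'key-1'; createdDateTime = '2023-01-10T09:00:00Z'; deviceId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ id = 'key-2'; createdDateTime = '2023-02-01T12:30:00Z'; deviceId = '11111111-1111-1111-1111-111111111111' } # second key, same device
)
$sampleDevices = @(
    [pscustomobject]@{ deviceName = 'LAPTOP-A'; id = 'md-1'; azureADDeviceId = '11111111-1111-1111-1111-111111111111' } # has a key
    [pscustomobject]@{ deviceName = 'LAPTOP-B'; id = 'md-2'; azureADDeviceId = '22222222-2222-2222-2222-222222222222' } # no key
    [pscustomobject]@{ deviceName = 'LAPTOP-C'; id = 'md-3'; azureADDeviceId = '' }                                       # no Azure AD id
)

# Expected: LAPTOP-B reported as NoRecoveryKey, LAPTOP-C as NoAzureADDeviceId, LAPTOP-A not listed
Get-DeviceWithoutRecoveryKey -ManagedDevices $sampleDevices -BitLockerRecoveryKeys $sampleKeys | Format-Table -AutoSize
```

To use it against a tenant, pass the `$ManagedDevices` and `$BitLockerRecoveryKeys` variables from the script above in place of the sample arrays.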
Thanks for this. You say “…this cannot be performed in an application only scenario…”, could you elaborate?
Hi Diego,
This means the Microsoft Graph endpoints discussed here only support delegated permission tokens. They do not support application permission tokens (authentication to Azure AD using the client credentials grant flow with a client ID and a secret/certificate). See https://blogs.aaddevsup.xyz/2019/07/understanding-the-difference-between-application-and-delegated-permissions-from-oauth2-authentication-flows-perspective/ for more information on the difference between the two types.