Can you export the recovery keys from the old Sophos SafeGuard? We want to decommission the old server, but we may still need the keys for old computers.
Can you export the recovery keys from the old Sophos SafeGuard? We want to decommission the old server, but we may still need the keys for old computers.
Thank you, where do I run it?
Option Explicit

' --- SafeGuard scripting API objects and call results ---
Dim scripting, scriptingCR, ScriptingDirectory, ScriptingInventory
Dim result, response
Dim adsMachine, otype

' --- Counters and indexes used while enumerating machines and drives ---
Dim hitCount, hitCountDrives
Dim idx, idxDrive, Counter
Dim DriveId

' --- Inventory values read for each machine / drive ---
Dim propertyValue, propertyString
Dim POAType, MachineName, DriveName, EncryptionState
Dim RecoveryPassword

' --- File handling ---
Dim FSO, objWshShell
Dim objKeyFile, objLogFile
Dim strPath, KeyFileName

' --- Declared but not referenced in the part of the script shown here ---
Dim ret, errorText, Computername, objArgs
Dim email, yn, objMessage
Dim StrCommand, StrUser, strEvent
Dim softwareId

' --- Export destination ---
' Every exported key ends up below this root, in one sub-folder per machine.
' The files written there are unencrypted recovery material.
Dim bekDestinationDirectoryRoot
Dim bekDestinationFileName
Dim bekDestinationDirectory
bekDestinationDirectoryRoot = "c:\SGNData\BLRecoveryKeys\"

' FileSystemObject I/O modes.
Const ForWriting = 2
Const ForAppending = 8

Set FSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")

' The log file sits next to the script: same full path, with the extension
' (everything from the last ".") replaced by ".log".
If strPath = "" Then
    strPath = Wscript.ScriptFullName
    strPath = Left(strPath, InStrRev(strPath, ".") - 1)
End If

' Open the log for appending and create it if it does not exist yet.
Set objLogFile = FSO.OpenTextFile(strPath & ".log", ForAppending, True)
' Writes a final, timestamped entry to the log, closes the log file and ends
' the script.
'   Text - message to record; " - Exiting!" is appended to it.
Sub WriteError (Text)
    Dim logEntry
    logEntry = now() & " : " & Text & " - Exiting!"
    objLogFile.WriteLine logEntry
    objLogFile.Close
    ' Nothing after this call runs: the script host terminates here.
    Wscript.Quit
End Sub
' Appends one timestamped line to the log file and returns to the caller.
'   Text - message to record.
Sub WriteInfo (Text)
    Dim logEntry
    logEntry = now() & " : " & Text
    objLogFile.WriteLine logEntry
End Sub
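' ---------------------------------------------------------------------------
' Main export run.
'
' Enumerates every directory object returned by the SafeGuard scripting API
' and, per machine, exports BitLocker recovery material below
' bekDestinationDirectoryRoot\<MachineName>\ :
'   POAType "2" -> one Drive_<DriveName>.txt per drive whose State is "2",
'                  holding the 48-character recovery password in 8 groups of 6
'   POAType "5" -> a key file written by ExportBitLockerRecoveryKey
' NOTE(review): the meaning of the POAType / State codes is not visible in
' this script - confirm them against the SafeGuard scripting documentation.
'
' The exported files are unencrypted. Restrict the destination folder to the
' accounts that are allowed to perform recovery, and move the export to
' protected storage once the run has finished.
' ---------------------------------------------------------------------------

' FSO.CreateFolder cannot create missing parent folders, so a missing root
' would abort the run with a runtime error at the first export. Stop cleanly
' before any API object is created instead.
If Not FSO.FolderExists(bekDestinationDirectoryRoot) Then
    WriteError "Destination root folder does not exist: " & bekDestinationDirectoryRoot
End If

Set Scripting = wscript.CreateObject("Utimaco.SafeGuard.AdministrationConsole.Scripting.Base")
Set ScriptingCR = Scripting.CreateCRClassInstance()
Set ScriptingDirectory = Scripting.CreateDirectoryClassInstance()
Set ScriptingInventory = Scripting.CreateInventoryClassInstance()

' NOTE(review): the results of the Initialize/Authenticate calls are only
' logged, not acted on - check the log if the run produces no output.
result = scripting.Initialize()
WriteInfo "Scripting.Initialize result: " & result
result = scripting.AuthenticateService()
WriteInfo "Scripting.AuthenticateService() result: " & result
result = scriptingCR.Initialize()
WriteInfo "ScriptingCR.Initialize result: " & result
result = scriptingDirectory.Initialize()
WriteInfo "ScriptingDirectory.Initialize result: " & result
result = ScriptingInventory.Initialize()
WriteInfo "ScriptingInventory.Initialize result: " & result

result = ScriptingDirectory.GetObjectInitialize("*","",1,hitcount)
WriteInfo "ScriptingDirectory.GetObjectInitialize result: " & result
WriteInfo "ScriptingDirectory.GetObjectInitialize hitCount: " & hitCount

If result=0 and hitCount>0 Then
    For counter=0 to hitCount-1
        result = ScriptingDirectory.GetObjectByIndex(counter, adsMachine,otype)
        WriteInfo "ScriptingDirectory.GetObjectByIndex result: " & result
        If result = 0 Then
            WriteInfo "****************************************************************"
            ' NOTE(review): the results of the inventory lookups are not checked.
            ' If a lookup can fail without resetting propertyString/propertyValue,
            ' a value from the previous machine would be reused - verify.
            result = ScriptingInventory.GetComputerInventory(adsMachine, "MachineName", propertyValue, propertyString)
            MachineName = propertyString
            WriteInfo "MachineName: " & MachineName
            result = ScriptingInventory.GetComputerInventory(adsMachine, "POAType", propertyValue, propertyString)
            POAType = propertyValue
            WriteInfo "POAType: " & POAType

            If POAType = "2" Then
                result = ScriptingInventory.GetDriveInventoryIdInitialize(adsMachine,hitCountDrives)
                WriteInfo "ScriptingInventory.GetDriveInventoryIdInitialize result: " & result
                idxDrive=0
                Do While idxDrive < hitCountDrives
                    result = ScriptingInventory.GetDriveInventoryIdByIndex(idxDrive,driveId)
                    result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "DriveName", propertyValue, propertyString)
                    DriveName = propertyString
                    WriteInfo "DriveName: " & DriveName
                    result = ScriptingInventory.GetDriveInventory(adsMachine, driveId, "State", propertyValue, propertyString)
                    EncryptionState = propertyValue
                    WriteInfo "EncryptionState: " & EncryptionState

                    If EncryptionState = "2" Then
                        bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                        If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
                            FSO.CreateFolder bekDestinationDirectory
                        End If
                        result=ScriptingCR.BitLockerRecovery(adsMachine, DriveName, response)
                        WriteInfo "ScriptingCR.BitLockerRecovery result: " & result

                        If Len(response) = 48 Then
                            KeyFileName = bekDestinationDirectory & "Drive_" & DriveName & ".txt"
                            WriteInfo "Writing recovery password to file: " & KeyFileName

                            ' Split the 48 characters into 8 groups of 6. Mid() is
                            ' 1-based, so the groups start at 1, 7, 13, ... 43.
                            ' (Starting at 6, 12, ... 42 repeats one character in
                            ' every group and never reaches character 48, which
                            ' yields a password that cannot unlock the drive.)
                            RecoveryPassword = ""
                            For idx = 0 To 7
                                If idx > 0 Then
                                    RecoveryPassword = RecoveryPassword & " "
                                End If
                                RecoveryPassword = RecoveryPassword & Mid(response, idx * 6 + 1, 6)
                            Next

                            ' The password is written to the key file only. It is
                            ' deliberately kept out of the log so that the log does
                            ' not become a second copy of every recovery password.
                            WriteInfo "Recovery password written for drive: " & DriveName
                            Set objKeyFile = FSO.OpenTextFile(KeyFileName, ForWriting, True, 0 )
                            objKeyFile.WriteLine RecoveryPassword
                            objKeyFile.Close
                            Set objKeyFile = Nothing
                        Else
                            ' Log only the length: the response may still hold key material.
                            WriteInfo "ERROR: Invalid Recovery Password (response length " & Len(response) & ")"
                        End If
                    End If
                    idxDrive=idxDrive+1
                Loop
                result = ScriptingInventory.GetDriveInventoryIdFinalize()

            ElseIf POAType = "5" Then
                bekDestinationDirectory = bekDestinationDirectoryRoot & MachineName & "\"
                If NOT (FSO.FolderExists(bekDestinationDirectory)) Then
                    FSO.CreateFolder bekDestinationDirectory
                End If
                result = ScriptingCR.ExportBitLockerRecoveryKey(adsMachine, bekDestinationDirectory, bekDestinationFileName)
                If result = 0 Then
                    WriteInfo "Key file succesfully written to file :" & bekDestinationFileName
                Else
                    WriteInfo "ERROR: Failed to export key file with error code: " & result
                End If
            End If
        End If
    Next
End If
result = ScriptingDirectory.GetObjectFinalize()

' Release the API objects in the reverse order of their creation, then close the log.
result = ScriptingInventory.FreeResources()
result = ScriptingDirectory.FreeResources()
result = ScriptingCR.FreeResources()
result = Scripting.FreeResources()
objLogFile.Close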
Wscript.Quit
It's a VBS script Dan - so copy and paste it into Notepad (or similar) and rename to "something.vbs"
How do I change the variables?
Copy and paste the whole script into Notepad. Search the text for "DestinationDirectoryRoot", or for where it says "c:\SGNData\BLRecoveryKeys", and change this path to suit your own setup - or create the same two folders I did in the same location on the C drive! Save the changes and then run the script on the server.
Running it as Admin and on the SafeGuard server? I've not used it in a few years but will have a look again and see it still works as expected
Thanks, as it doesn't give me the option to run as admin
Open a command prompt as Admin Dan. I would imagine you're running 64 bit too, so don't forget to run the 64 bit version of cscript.
So - Admin command prompt "c:\windows\syswow64\cscript c:\sgndata\BLRecoveryKeys\keys.vbs" in your case/screenshot I think. (Note that on 64-bit Windows the SysWOW64 folder holds the 32-bit cscript.exe.)
Just ran it again on the server Dan and all still works well! Good luck...
Works fine thanks, so just creates the folders of each computer name with the rk in
Works fine thanks, so just creates the folders of each computer name with the rk in
Yup! You could modify it to merge into one but it's probably best this way. Obviously now they're exported they're static keys, so if a key rotates (after a TPM/motherboard replacement etc...) the export will be out of date. You could always set this to run on a schedule to keep it more "current" but it works well for what it is. Don't forget to secure this somewhere - anyone who can open those plain text files can now bypass your control methods, without having to log a helpdesk ticket etc.... :)