Merge pull request #574 from TheJumpCloud/UN-2212_Command_Template_Re…

…moving_Extra_BitLocker_Passwords UN-2212 Command Template for Removing Extra BitLocker Numerical Passwords
TheJumpCloud · May 28, 2024 · 621f46b · 621f46b
2 parents ac88be4 + f5eb386
commit 621f46b
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/...Gallery/Windows Commands/Windows - Remove Extra Bitlocker Recovery Passwords.md b/...Gallery/Windows Commands/Windows - Remove Extra Bitlocker Recovery Passwords.md
@@ -0,0 +1,67 @@
+#### Name
+
+Windows - Remove Extra Bitlocker Recovery Passwords | v1.0 JCCG
+
+#### commandType
+
+windows
+
+#### Command
+
+```powershell
+function Get-OsVolumeLetter {
+  return Get-WmiObject -Class Win32_OperatingSystem -Property SystemDrive | Select-Object -ExpandProperty SystemDrive
+}
+
+function Remove-NonMatchingBitLockerRecoveryPasswords {
+  try {
+    $osVolumeLetter = Get-OsVolumeLetter
+    $bitLockerVolume = Get-BitLockerVolume -MountPoint $osVolumeLetter
+
+    if(!$bitLockerVolume) {
+      Write-Host "$osVolumeLetter Volume does not have an associated BitLocker volume."
+      exit 1
+    }
+
+    $passwords = $bitLockerVolume.KeyProtector.Where({$_.KeyProtectorType -eq "RecoveryPassword"})
+
+    if(!$passwords) {
+      Write-Host "The System Drive $osVolumeLetter does not have an available Recovery Key."
+      exit 1
+    }
+
+    $recoveryKey = $passwords[0].RecoveryPassword
+
+    # Get all recovery keys that do not match the passed in key.
+    $nonMatchingpswds = $bitLockerVolume.KeyProtector.Where({$_.RecoveryPassword -ne "$recoveryKey" -and $_.KeyProtectorType -eq "RecoveryPassword"})
+
+    foreach($pswd in $nonMatchingpswds) {
+      $recoveryPasswords = $bitLockerVolume.KeyProtector.Where({$_.KeyProtectorType -eq "RecoveryPassword"})
+      $numPasswords = [int]$recoveryPasswords.count
+
+      if($numPasswords -gt 1) {
+        # Remove all non-matching keys.
+        Remove-BitLockerKeyProtector -MountPoint $osVolumeLetter -KeyProtectorId $pswd.KeyProtectorId -ErrorAction Stop
+      }
+    }
+  }
+  catch {
+    Write-Host "$_"
+    exit 1
+  }
+}
+
+Remove-NonMatchingBitLockerRecoveryPasswords
+```
+
+#### Description
+
+WARNING: This script attempts to remove extra Bitlocker Recovery passwords. Ideal use of this script would be at a time when there is a low chance of the device rebooting.
+
+#### _Import This Command_
+
+To import this command into your JumpCloud tenant run the below command using the [JumpCloud PowerShell Module](https://github.com/TheJumpCloud/support/wiki/Installing-the-JumpCloud-PowerShell-Module)
+
+```
+Import-JCCommand -URL "https://github.com/TheJumpCloud/support/blob/master/PowerShell/JumpCloud%20Commands%20Gallery/Windows%20Commands/Windows%20-%20Remove%20Extra%20Bitlocker%20Recovery%20Passwords.md"
+```
diff --git a/PowerShell/JumpCloud Commands Gallery/commands.json b/PowerShell/JumpCloud Commands Gallery/commands.json
@@ -349,6 +349,13 @@
     "link": "https://github.com/TheJumpCloud/support/blob/master/PowerShell/JumpCloud%20Commands%20Gallery/Windows%20Commands/Windows%20-%20List%20All%20Users.md",
     "description": "Lists all user accounts on a Windows system and shows if the account is enabled or disabled"
   },
+  {
+    "name": "Windows - Remove Extra Bitlocker Recovery Passwords | v1.0 JCCG",
+    "type": "windows",
+    "command": "function Get-OsVolumeLetter {\n  return Get-WmiObject -Class Win32_OperatingSystem -Property SystemDrive | Select-Object -ExpandProperty SystemDrive\n}\n\nfunction Remove-NonMatchingBitLockerRecoveryPasswords {\n  try {\n    $osVolumeLetter = Get-OsVolumeLetter\n    $bitLockerVolume = Get-BitLockerVolume -MountPoint $osVolumeLetter\n\n    if(!$bitLockerVolume) {\n      Write-Host \"$osVolumeLetter Volume does not have an associated BitLocker volume.\"\n      exit 1\n    }\n\n    $passwords = $bitLockerVolume.KeyProtector.Where({$_.KeyProtectorType -eq \"RecoveryPassword\"})\n\n    if(!$passwords) {\n      Write-Host \"The System Drive $osVolumeLetter does not have an available Recovery Key.\"\n      exit 1\n    }\n\n    $recoveryKey = $passwords[0].RecoveryPassword\n\n    # Get all recovery keys that do not match the passed in key.\n    $nonMatchingpswds = $bitLockerVolume.KeyProtector.Where({$_.RecoveryPassword -ne \"$recoveryKey\" -and $_.KeyProtectorType -eq \"RecoveryPassword\"})\n\n    foreach($pswd in $nonMatchingpswds) {\n      $recoveryPasswords = $bitLockerVolume.KeyProtector.Where({$_.KeyProtectorType -eq \"RecoveryPassword\"})\n      $numPasswords = [int]$recoveryPasswords.count\n\n      if($numPasswords -gt 1) {\n        # Remove all non-matching keys.\n        Remove-BitLockerKeyProtector -MountPoint $osVolumeLetter -KeyProtectorId $pswd.KeyProtectorId -ErrorAction Stop\n      }\n    }\n  }\n  catch {\n    Write-Host \"$_\"\n    exit 1\n  }\n}\n\nRemove-NonMatchingBitLockerRecoveryPasswords",
+    "link": "https://github.com/TheJumpCloud/support/blob/master/PowerShell/JumpCloud%20Commands%20Gallery/Windows%20Commands/Windows%20-%20Remove%20Extra%20Bitlocker%20Recovery%20Passwords.md",
+    "description": "WARNING: This script attempts to remove extra Bitlocker Recovery passwords. Ideal use of this script would be at a time when there is a low chance of the device rebooting."
+  },
   {
     "name": "Windows - Rename System HostName from JumpCloud | v2.0 JCCG",
     "type": "windows",