Endpoint Security: BitLocker Key Escrow to IT Glue
The Workflow The Implementation Relying on manual documentation for BitLocker recovery keys often results in locked data when an endpoint fails. This script automates the escrow process, pulling the active numeric password from the local disk and pushing it directly into an IT Glue configuration record via their REST API. 1. The Workflow The script performs the following steps: Extraction: Queries the WMI namespace for the active, 48-digit BitLocker Numeric Password on the OS drive. Authentication: Connects to the IT Glue API using a secure organizational API key. Payload Delivery: Matches the local Hostname to the IT Glue Configuration ID and PATCHes the “BitLocker Key” custom field with the extracted key. 2. The Implementation # IT Glue API Configuration $ITGKey = "YOUR_ITGLUE_API_KEY" $ITGBaseUrl = "[https://api.itglue.com](https://api.itglue.com)" $Header = @{ "x-api-key" = $ITGKey "Content-Type" = "application/vnd.api+json" } $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive $RecoveryKey = ($BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword $SearchUri = "$ITGBaseUrl/configurations?filter[name]=$env:COMPUTERNAME" $ConfigRecord = Invoke-RestMethod -Uri $SearchUri -Method Get -Headers $Header if ($ConfigRecord.data) { $Payload = @{ data = @{ type = "configurations" attributes = @{ "custom-fields" = @{ "bitlocker-recovery-key" = $RecoveryKey } } } } | ConvertTo-Json -Depth 10 Invoke-RestMethod -Uri "$ITGBaseUrl/configurations/$($ConfigRecord.data[0].id)" -Method Patch -Headers $Header -Body $Payload }