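<#
.SYNOPSIS
    Lists the BitLocker recovery keys that Entra ID stores for this device and
    optionally deletes the $KeysToDeleteCount oldest ones once the stored total
    reaches $KeyCountThreshold.

.DESCRIPTION
    The script calls the enterprise registration API directly, authenticating
    with the device's MS-Organization-Access certificate (TLS client
    certificate). No Graph token or interactive sign-in is required. Only key
    metadata is retrieved (key ID, creation time, volume type); recovery
    passwords are never requested or printed.

    Deleting a recovery key is irreversible - once removed from Entra ID it
    cannot be restored and the portal can no longer unlock that volume. Two
    safeguards apply before anything is deleted: key IDs that are still
    configured as recovery protectors on a local volume are never selected,
    and the operator must confirm interactively.

    Created on: 2025-03-13
    Created by: Ben Whitmore / Rudy Ooms @PatchMyPC
    Filename:   Get-BitLockerKeys.ps1
    ---------------------------------------------------------------------------
    LEGAL DISCLAIMER
    The PowerShell script provided is shared with the community as-is. The
    author and co-author(s) make no warranties or guarantees regarding its
    functionality, reliability, or suitability for any specific purpose. Please
    note that the script may need to be modified or adapted to fit your
    specific environment or requirements. It is recommended to thoroughly test
    the script in a non-production environment before using it in a live or
    critical system. The author and co-author(s) cannot be held responsible for
    any damages, losses, or adverse effects that may arise from the use of this
    script. You assume all risks and responsibilities associated with its usage.
    ---------------------------------------------------------------------------

.NOTES
    Requires admin privileges (the certificate's private key must be usable
    for client authentication) and an MS-Organization-Access certificate in
    Cert:\LocalMachine\My, i.e. an Entra-joined or hybrid-joined device.
    Exit code is 0 on success and 1 on any fatal error, so the script can be
    run from Intune/RMM tooling that checks the result.
#>
#Requires -RunAsAdministrator

# Configuration
$KeysToDeleteCount = 10    # how many of the oldest keys to remove in one run
$KeyCountThreshold = 200   # nothing is deleted while fewer keys than this are stored

# Locate the device certificate. Only a certificate with a usable private key
# can authenticate the request; prefer the one expiring last if several exist.
$Certificate = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*MS-Organization-Access*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $Certificate) {
    Write-Error "Error: MS-Organization-Access certificate not found."
    exit 1
}

# The certificate subject is CN=<Entra device ID>. Require a full GUID so a
# malformed subject fails here instead of producing a bogus request URL.
$GuidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
if ($Certificate.Subject -match "CN=($GuidPattern)") {   # -match is case-insensitive
    $DeviceId = $matches[1]
}
else {
    Write-Error "Error: Unable to extract Device ID from the certificate."
    exit 1
}
Write-Host "Extracted Device ID: $DeviceId"

# Request details. The same URL serves GET (list) and DELETE (remove by key ID).
# The client headers mirror what the Windows BitLocker component sends; the
# endpoint presumably expects them - verify if Microsoft changes the contract.
$BitLockerUrl = "https://enterpriseregistration.windows.net/manage/common/bitlocker/$DeviceId"
$Headers = @{
    "User-Agent"              = "BitLocker/10.0.27783 (Windows)"
    "Accept"                  = "application/json"
    "ocp-adrs-client-name"    = "Windows"
    "ocp-adrs-client-version" = "10.0.27783"
}

# Retrieve key metadata. A failure here is fatal - there is nothing to act on.
try {
    Write-Host "Retrieving BitLocker key details from enterprise API..."
    $Response = Invoke-WebRequest -Uri $BitLockerUrl -Method Get -Headers $Headers `
        -Certificate $Certificate -UseBasicParsing
    $KeyData = $Response.Content | ConvertFrom-Json
}
catch {
    Write-Error "Error retrieving BitLocker key details: $($_.Exception.Message)"
    exit 1
}

# Project each key to the fields we act on. 'Created' is the parsed timestamp
# used for ordering; 'CreationTime' keeps the raw value for display. Refuse to
# continue if a timestamp cannot be parsed - a wrong sort order would delete
# the newest keys instead of the oldest.
$Results = @()
if ($KeyData.keys) {
    $Results = @(foreach ($Key in $KeyData.keys) {
        try {
            $Created = [datetime]$Key.creationtime   # no-op if ConvertFrom-Json already produced a DateTime
        }
        catch {
            Write-Error "Error: cannot parse creation time '$($Key.creationtime)' for key $($Key.kid)."
            exit 1
        }
        [PSCustomObject]@{
            KeyId        = $Key.kid
            CreationTime = $Key.creationtime
            VolumeType   = $Key.volumetype
            Created      = $Created
        }
    })
}

if ($Results.Count -eq 0) {
    Write-Host "No BitLocker key details found for this device."
    exit 0
}

Write-Host "`nBitLocker Key Details Summary:"
$Results | Format-Table -Property KeyId, CreationTime, VolumeType -AutoSize
Write-Host "Total BitLocker keys found: $($Results.Count)"

if ($Results.Count -lt $KeyCountThreshold) {
    Write-Host "Key count is $($Results.Count), which is less than $KeyCountThreshold. No keys will be deleted."
    exit 0
}

# Safety net: never delete a key that a local volume still uses as its
# recovery protector. The Entra key ID is expected to be the protector GUID,
# which Get-BitLockerVolume reports wrapped in braces - normalise both sides
# before comparing (verify on a test device; if the IDs do not correspond the
# filter is simply a no-op). Best effort: if the BitLocker module is
# unavailable we warn and fall back to the age-only selection.
$LocalProtectorIds = @()
try {
    $LocalProtectorIds = @(Get-BitLockerVolume -ErrorAction Stop |
        ForEach-Object { $_.KeyProtector } |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { ([string]$_.KeyProtectorId).Trim('{}').ToLowerInvariant() })
}
catch {
    Write-Warning "Could not enumerate local BitLocker protectors ($($_.Exception.Message)); active-key check skipped."
}

$KeysToDelete = @($Results |
    Sort-Object Created |
    Where-Object { $LocalProtectorIds -notcontains ([string]$_.KeyId).Trim('{}').ToLowerInvariant() } |
    Select-Object -First $KeysToDeleteCount)

if ($KeysToDelete.Count -eq 0) {
    Write-Host "No deletable keys found (all candidates are active on this device). Nothing to do."
    exit 0
}

Write-Host "Would delete the following $($KeysToDelete.Count) oldest BitLocker keys:"
$KeysToDelete | Format-Table -Property KeyId, CreationTime, VolumeType -AutoSize
Write-Warning "Deleting recovery keys from Entra ID cannot be undone."

$Confirmation = Read-Host "Do you want to proceed with deletion? (Y/N)"
if ($Confirmation -ne 'Y') {     # -ne is case-insensitive, so 'y' also confirms
    Write-Host "Deletion cancelled by user."
    exit 0
}

# Always send 'kids' as a JSON array: with a single key ID, Select-Object
# yields a scalar and ConvertTo-Json would emit a bare string instead.
$KeyIdsToDelete = @($KeysToDelete | Select-Object -ExpandProperty KeyId)
$DeleteBody = @{ "kids" = $KeyIdsToDelete } | ConvertTo-Json -Compress
try {
    $DeleteResponse = Invoke-WebRequest -Uri $BitLockerUrl -Method Delete -Headers $Headers `
        -Certificate $Certificate -Body $DeleteBody -ContentType "application/json" -UseBasicParsing
    Write-Host "Successfully deleted $($KeysToDelete.Count) stale BitLocker Recovery Keys:"
    Write-Host $DeleteResponse.Content
}
catch {
    Write-Error "Failed to delete BitLocker Recovery Keys. Error: $_"
    exit 1
}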