Retrieve Recovery Keys for All Devices Using JumpCloud PowerShell

Overview

This article explains how to install the JumpCloud PowerShell module, authenticate it, and run a command to retrieve all BitLocker (FDE) recovery keys from devices managed by JumpCloud.

The process works on Windows, macOS, and Linux as long as PowerShell is installed.

1. Install PowerShell (If Not Installed Already)

If you're using macOS or Linux and do not have PowerShell installed, follow Microsoft’s guide below:

On Windows, PowerShell is already available by default.

2. Install the JumpCloud PowerShell Module

Open PowerShell (or pwsh on macOS/Linux), then run:

Install-Module JumpCloud -Scope CurrentUser

When prompted, press:

[Y] Yes

Example prompt:

Untrusted repository
You are installing the modules from an untrusted repository...
[Y] Yes  [A] Yes to All  [N] No ...

Choose Y to continue.

3. Authenticate the Module

You need your JumpCloud API Key.

How to find it:
JumpCloud Admin Console → Your Profile → API Key

Once you have it, run:

Connect-JCOnline

You will be prompted to enter the API key:

JumpCloudAPIKey:

If successful, you will see a confirmation message.

If an update is available, PowerShell will prompt you:

A new version of JumpCloud is available. Update?

You may choose Y to update.

4. Retrieve BitLocker (FDE) Recovery Keys for All Devices

Once authenticated, run the following command:

Get-JCSystem | ? fde -Like "*keyPresent=True; active=True*" | Select-object hostname, _id, @{Name='key';Expression={Get-JCSystem -SystemID $_._id -SystemFDEKey | Select-object -expandProperty key}} | Export-CSV JCSystemFDEKeys.CSV

✔ What this command does:

• Finds all systems with FDE enabled and a recovery key present.

• Retrieves each device’s BitLocker key.

• Exports the results into JCSystemFDEKeys.csv in the current directory.

5. Output Example

The exported CSV includes:

6. Important Notes

• Recovery keys are only available for systems where JumpCloud successfully escrowed the BitLocker key.