Query for keys in Azure Active Directory using the following command:
PS> Get-AzureADWHfBKeys -Logging -Report -Tenant contoso.com -All | Export-Csv C:\AzureKeys.csv
This command will query the "contoso.com" tenant for all registered Windows Hello for Business public keys and will output that information to C:\AzureKeys.csv. Replace contoso.com with your tenant name to query your tenant.
The CSV output, AzureKeys.csv, will contain the following information for each key:
- User Principal Name
- Tenant
- Usage
- Key ID
- Creation Time
- Orphaned Status
- Supports Notify Status
- ROCA Vulnerability Status
Get-AzureADWHfBKeys will also output a summary of the keys that were queried. This summary provides the following information:
- Number of users scanned
- Number of keys scanned
- Number of users with keys
- Number of ROCA vulnerable keys
Note: There may be stale devices in your Azure AD tenant with Windows Hello for Business keys associated with them. These keys will not be reported as orphaned even though those devices are not being actively used. We recommend following How To: Manage stale devices in Azure AD to clean up stale devices before querying for orphaned keys.
Query for keys in Active Directory using the following command:
PS> Get-ADWHfBKeys -Logging -Report -Domain contoso | Export-Csv C:\ADKeys.csv
This command will query the "contoso" domain for all registered Windows Hello for Business public keys and will output that information to C:\ADKeys.csv. Replace contoso with your domain name to query your domain.
The CSV output, ADKeys.csv, will contain the following information for each key:
- User Domain
- User SAM Account Name
- User Distinguished Name
- Key Version
- Key ID
- Creation Time
- Key Material
- Key Source
- Key Usage
- Key Device ID
- Approximate Last Logon Timestamp
- Creation time
- Custom Key Information
- KeyLinkTargetDN
- Orphaned Status
- ROCA Vulnerability Status
- KeyRawLDAPValue
Get-ADWHfBKeys will also output a summary of the keys that were queried. This summary provides the following information:
- Number of users scanned
- Number of users with keys
- Number of keys scanned
- Number of ROCA vulnerable keys
- Number of orphaned keys (if -SkipCheckForOrphanedKeys not specified)
Note: If you have a hybrid environment with Azure AD joined devices and run Get-ADWHfBKeys in your on-premises domain, the number of orphaned keys may not be accurate. This is because Azure AD joined devices are not present in Active Directory and keys associated with Azure AD joined devices may show up as orphaned.
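As an added example (not part of the WHfBTools module or of this article), the following script consolidates the two CSV reports above into one per-user list of keys flagged as ROCA vulnerable or orphaned, so a defender can see which users need new keys provisioned or stale keys cleaned up. The column headers and the affirmative values it matches are assumptions taken from the field lists above; verify them against the header row of your own export and adjust the parameters if the module names them differently.

```powershell
# Added example: triage the CSV reports written by Get-AzureADWHfBKeys / Get-ADWHfBKeys.
# Assumption: column headers match the field names listed in the article
# ("ROCA Vulnerability Status", "Orphaned Status", "Key ID", "Creation Time").
$AzureCsv = 'C:\AzureKeys.csv'
$AdCsv    = 'C:\ADKeys.csv'

function Get-WHfBKeyFindings {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$UserColumn,   # identity column for this report
        [string]$RocaColumn     = 'ROCA Vulnerability Status',
        [string]$OrphanedColumn = 'Orphaned Status'
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Report not found: $Path"
        return
    }
    foreach ($k in (Import-Csv -Path $Path)) {
        $flags = @()
        # The module's exact wording for a positive status is an assumption,
        # so match the common affirmative spellings case-insensitively.
        if ([string]$k.$RocaColumn     -match '^(true|yes|vulnerable)$') { $flags += 'ROCA' }
        if ([string]$k.$OrphanedColumn -match '^(true|yes|orphaned)$')   { $flags += 'Orphaned' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Source   = Split-Path -Path $Path -Leaf
                User     = $k.$UserColumn
                KeyId    = $k.'Key ID'
                Created  = $k.'Creation Time'
                Findings = ($flags -join ',')
            }
        }
    }
}

# Azure AD keys are identified by UPN, on-premises keys by SAM account name.
$findings = @(
    Get-WHfBKeyFindings -Path $AzureCsv -UserColumn 'User Principal Name'
    Get-WHfBKeyFindings -Path $AdCsv    -UserColumn 'User SAM Account Name'
)

# Per-user rollup: users with the most flagged keys first, with the distinct
# finding types collected across both reports.
$findings | Group-Object -Property User | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
                  @{ n = 'Findings'; e = { ($_.Group.Findings | Sort-Object -Unique) -join ';' } } |
    Format-Table -AutoSize
```

Run it after both exports exist; a user listed here with an orphaned key in the on-premises report only may simply own an Azure AD joined device, as the note above explains.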