Exporting TPM Owner Key and BitLocker Recovery Password from Active Directory via PowerShell

Synopsis: Looking up a BitLocker recovery password or TPM owner key by hand means browsing several attributes in Active Directory, which is laborious. This post contains a PowerShell script that automates reading those attributes and pulling the information out.

Download a copy of the script here (remove the .txt extension after downloading): Get-TPMandBitlockerInfo.ps1.txt

Run the script with PowerShell [image: Get-TPMOwnerInfo - Run with PowerShell]

Here are the results it should return [image: Get-TPMOwnerInfo - PowerShell]

Here is a copy of the script in plain text

<#
.SYNOPSIS
    Automates the process of gathering the BitLocker recovery password and TPM owner password.

.DESCRIPTION
    This script looks up multiple attributes in Active Directory and displays the corresponding
    values that hold sensitive BitLocker information.  Additionally, the TPM owner password
    can be exported to a .tpm file, which can be used to make changes to the corresponding machine.

.NOTES
    File Name      : Get-TPMandBitlockerInfo.ps1
    Author         : Jack Stromberg (jackstromberg.com)
    Prerequisite   : PowerShell V2 on Windows Vista or later
    Version History: 2/5/2015 (original release)

.LINK
    Script posted over at:
    http://jackstromberg.com/2015/02/exporting-tpm-owner-key-and-bitlocker-recovery-password-from-active-directory-via-powershell/
#>

Clear-Host
Write-Host "~Enter in the correct credentials to access the BitLocker and TPM Owner attributes~"
$UserName = Read-Host "Enter User Name"
$Password = Read-Host -AsSecureString "Enter Your Password"
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $Password

# Get input on which machine to lookup
$computer = Read-Host 'Enter in machine name'

# Import our Active Directory PowerShell commands
Import-Module ActiveDirectory

# Check if the computer object exists in AD
$computerObject = Get-ADComputer -Filter {cn -eq $computer} -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer -Credential $credential
# Put $null on the left so a multi-object result is not silently treated as "found"
if($null -eq $computerObject){
    Write-Host "Computer object not found.  Exiting the script..."
    Cmd /c pause
    Exit
}

# Windows Vista and 7 store the TPM owner password in the msTPM-OwnerInformation attribute of the computer object, so check that first.
# If the key hasn't been stored there, follow msTPM-TpmInformationForComputer to the separate TPM object that Windows 8 and later back up to.
if($null -eq $computerObject.'msTPM-OwnerInformation'){
    # Check if the computer object links to a TPM object backed up in AD
    if($null -ne $computerObject.'msTPM-TpmInformationForComputer'){
        # Grab the TPM owner password from the linked ms-TPM-InformationObject
        $TPMObject = Get-ADObject -Identity $computerObject.'msTPM-TpmInformationForComputer' -Properties msTPM-OwnerInformation  -Credential $credential
        $TPMRecoveryKey = $TPMObject.'msTPM-OwnerInformation'
    }else{
        $TPMRecoveryKey = '<not set>'
    }
}else{
    # Windows 7 and older OS TPM Owner Password
    $TPMRecoveryKey = $computerObject.'msTPM-OwnerInformation'
}

# Check if the computer object has had a BitLocker recovery password backed up to AD.
# A machine can hold several msFVE-RecoveryInformation child objects (one per volume or key rotation), so sort by creation time and take the newest.
$BitLockerObject = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computerObject.DistinguishedName -Properties 'msFVE-RecoveryPassword', whenCreated -Credential $credential | Sort-Object whenCreated | Select-Object -Last 1
if($BitLockerObject.'msFVE-RecoveryPassword'){
    $BitLockerRecoveryKey = $BitLockerObject.'msFVE-RecoveryPassword'
}else{
    $BitLockerRecoveryKey = '<not set>'
}

# Print out our findings
Write-Host 'TPM Owner Recovery Key:' $TPMRecoveryKey
Write-Host 'BitLocker Recovery Password:' $BitLockerRecoveryKey

# Export TPM owner password file
if($null -ne $computerObject.'msTPM-TpmInformationForComputer'){
    $exportToFile = Read-Host 'Would you like to export the recovery key [y or n]'
    if($exportToFile -ne 'y'){
        Exit
    }

    # The file declares UTF-8, but Out-File defaults to UTF-16 (UCS-2) in Windows PowerShell,
    # which TPM management rejects; set the encoding explicitly so the declaration and the bytes agree.
    $TPMOwnerFile = '<?xml version="1.0" encoding="UTF-8"?><ownerAuth>' + $TPMRecoveryKey + '</ownerAuth>'
    $TPMOwnerFile | Out-File "TPMOwnerPasswordFile.tpm" -Encoding utf8
}else{
    Cmd /c pause
}
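The script above reads one computer interactively and prints the newest recovery password. As an added example (my own code, not Jack's script), here is the same lookup written as reusable functions that return objects instead of text: every msFVE-RecoveryInformation child object is returned together with its recovery password ID (so the value shown on the BitLocker recovery screen can be matched to the right password), the TPM owner password is resolved from either of the two locations the script's comments describe, and the export writes UTF-8 explicitly so the file matches its own XML declaration. It assumes Windows PowerShell 3.0 or later with the RSAT ActiveDirectory module installed (the `#Requires` line fails early with a clear message when it is missing), and that the account used has been granted read access to the confidential msTPM-OwnerInformation and msFVE-RecoveryPassword attributes. The function and parameter names are my own.

```powershell
#Requires -Modules ActiveDirectory

function Get-TpmAndBitLockerInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    process {
        foreach ($name in $ComputerName) {
            # Only pass -Credential when one was supplied; otherwise the caller's own token is used
            $common = @{}
            if ($Credential) { $common['Credential'] = $Credential }

            $computer = Get-ADComputer -Filter { Name -eq $name } `
                -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer' @common
            if ($null -eq $computer) {
                Write-Warning "Computer object '$name' not found."
                continue
            }

            # Vista/7 wrote the owner password onto the computer object itself; Windows 8 and
            # later write it to a separate TPM object (under the TPM Devices container) that the
            # computer object links to through msTPM-TpmInformationForComputer.
            $ownerAuth = $computer.'msTPM-OwnerInformation'
            if (-not $ownerAuth -and $computer.'msTPM-TpmInformationForComputer') {
                $tpmObject = Get-ADObject -Identity $computer.'msTPM-TpmInformationForComputer' `
                    -Properties 'msTPM-OwnerInformation' @common
                $ownerAuth = $tpmObject.'msTPM-OwnerInformation'
            }

            # One msFVE-RecoveryInformation child per protected volume (and per key rotation),
            # so return all of them rather than an arbitrary "last" one.
            $recovery = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                -SearchBase $computer.DistinguishedName `
                -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' @common |
                Sort-Object whenCreated

            [pscustomobject]@{
                ComputerName      = $computer.Name
                TpmOwnerAuth      = if ($ownerAuth) { $ownerAuth } else { '<not set>' }
                RecoveryPasswords = @($recovery | ForEach-Object {
                    [pscustomobject]@{
                        # msFVE-RecoveryGuid is stored as 16 raw bytes; convert it to the GUID
                        # whose first 8 characters BitLocker shows as the "Password ID".
                        PasswordId = New-Object -TypeName Guid -ArgumentList (, [byte[]]$_.'msFVE-RecoveryGuid')
                        Created    = $_.whenCreated
                        Password   = $_.'msFVE-RecoveryPassword'
                    }
                })
            }
        }
    }
}

function Export-TpmOwnerAuthFile {
    param(
        [Parameter(Mandatory = $true)][string]$OwnerAuth,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # The .tpm file is XML that declares UTF-8. Out-File's default in Windows PowerShell is
    # UTF-16 (UCS-2), which TPM management does not accept, so the encoding is set explicitly.
    $xml = '<?xml version="1.0" encoding="UTF-8"?><ownerAuth>' + $OwnerAuth + '</ownerAuth>'
    $xml | Out-File -FilePath $Path -Encoding utf8
}

# Example usage (hypothetical computer name). Get-Credential prompts securely instead of
# collecting the user name and password into separate variables.
# $cred   = Get-Credential
# $result = Get-TpmAndBitLockerInfo -ComputerName 'WKS-001' -Credential $cred
# $result | Format-List
# $result.RecoveryPasswords | Format-Table PasswordId, Created, Password
# Export-TpmOwnerAuthFile -OwnerAuth $result.TpmOwnerAuth -Path .\TPMOwnerPasswordFile.tpm
```

Because the functions return objects, the same lookup can be piped from a list of computer names and exported with Export-Csv for an audit of which machines actually have keys escrowed, which is the check most worth running before relying on AD as the recovery source. Access to these attributes should be limited to the recovery role that needs it, and reads of them are worth logging, since anyone who can read them can unlock the corresponding drives.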

11 thoughts on “Exporting TPM Owner Key and BitLocker Recovery Password from Active Directory via PowerShell”

  1. Pingback: [Tutorial] Configuring BitLocker to store recovery keys in Active Directory | Jack Stromberg

  2. Vance Langlois

    Have you tried this with windows 8.1? TPM manager does not accept the file. It seems that windows 7 uses 28 digit code and windows 8.1 uses 27 digit.

    I am stuck and am looking for options.

    ThanX:

    Vance

    1. Jack Post author

      Hey Vance,

      I can confirm it does work with Windows 8.1; I tried my testing out on a Surface Pro 2 running 8.1. Can you confirm if the BitLocker info is being stored in AD? They should be in the TPM Devices container in ADUC.

      Jack

  3. Darren

    Firstly, thanks for an excellent script!
    I found that PowerShell was outputting the file in UCS-2 format, which then didn't work. I converted it to UTF-8 using Notepad++ and it was then OK.
    You can specify the encoding for Out-File, so just change the line:
    $TPMOwnerFile | Out-File "TPMOwnerPasswordFile.tpm"
    to
    $TPMOwnerFile | Out-File "TPMOwnerPasswordFile.tpm" "utf8"
    Alternatively you can change the line:
    $TPMOwnerFile = '' + $TPMRecoveryKey + ''
    to
    $TPMOwnerFile = '' + $TPMRecoveryKey + ''
    which also worked.

    The alternative change I added should just replace 'UTF-8' with 'Unicode' in the output text on the 'xml version' line, but it looks like it isn't showing that bit! Unicode interprets UCS-2 encoding for this OK.

    Darren

    1. Jack Post author

      Thanks for the feedback, Darren. Unfortunately, WordPress likes the non-UTF-8 characters, which kinda mixes things up 🙁

      Glad the script helped!
      Jack

  4. blanquefort

    Thanx for this useful script. It's also well commented for PowerShell newbies like me. Good work.

  5. ashraf

    Not working with Windows Server 2012:

    ====================================================================
    ~Enter in the correct credentials to access the BitLocker and TPM Owner attributes~
    Enter User Name: xxxxxxxx
    Enter Your Password: *************
    Enter in machine name: xxxxxxxxx
    Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
    At C:\Users\ZAINAMO2\Downloads\Get-TPMandBitlockerInfo.ps1:31 char:1
    + Import-Module ActiveDirectory
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

    Get-ADComputer : The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Users\ZAINAMO2\Downloads\Get-TPMandBitlockerInfo.ps1:34 char:19
    + $computerObject = Get-ADComputer -Filter {cn -eq $computer} -Property ...
    + ~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-ADComputer:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Computer object not found. Exiting the script...
    Press any key to continue . . .
