Synopsis: Looking up a BitLocker Recovery Password or a TPM Owner Password means digging through several attributes and child objects in Active Directory, which is laborious to do by hand. This post contains a PowerShell script that automates reading those attributes from the computer object and its related objects.
Download a copy of the script here (make sure to remove the .txt at the end): Get-TPMandBitlockerInfo.ps1.txt
Run the script with PowerShell
Here are the results it should return
Here is a copy of the script in Plain Text
<#
.SYNOPSIS
    Automates the process of gathering the BitLocker recovery password and TPM owner password for a computer.
.DESCRIPTION
    This script looks up multiple attributes in Active Directory and displays the correlating values that hold
    sensitive BitLocker information. Additionally, the TPM Owner Password can be exported to a .tpm file, which
    can be used to make changes to the correlating machine's TPM.
.NOTES
    File Name    : Get-TPMandBitlockerInfo.ps1
    Author       : Jack Stromberg (jackstromberg.com)
    Prerequisite : PowerShell V2 on Vista and later, ActiveDirectory module (RSAT)
    Version History: 2/5/2015 (original release)
.LINK
    Script posted over at: http://jackstromberg.com/2015/02/exporting-tpm-owner-key-and-bitlocker-recovery-password-from-active-directory-via-powershell/
#>

Clear-Host
Write-Host "~Enter in the correct credentials to access the BitLocker and TPM Owner attributes~"
$UserName   = Read-Host "Enter User Name"
$Password   = Read-Host -AsSecureString "Enter Your Password"
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $Password

# Get input on which machine to look up
$computer = Read-Host 'Enter in machine name'

# Import our Active Directory PowerShell commands
Import-Module ActiveDirectory

# Check if the Computer Object exists in AD ($null on the left avoids the array-comparison quirk)
$computerObject = Get-ADComputer -Filter {cn -eq $computer} -Property msTPM-OwnerInformation, msTPM-TpmInformationForComputer -Credential $credential
if ($null -eq $computerObject) {
    Write-Host "Computer object not found. Exiting the script..."
    Cmd /c pause
    Exit
}

# Windows Vista and 7 store the TPM owner password in the msTPM-OwnerInformation attribute, so check that first.
# If the key hasn't been stored there, check the msTPM-TpmInformationForComputer link to see if it was backed up
# by a Windows 8 or later machine (those store it in a separate msTPM-InformationObject).
if ($null -eq $computerObject.'msTPM-OwnerInformation') {
    # Check if the computer object has had the TPM info backed up to AD
    if ($null -ne $computerObject.'msTPM-TpmInformationForComputer') {
        # Grab the TPM Owner Password from the linked msTPM-InformationObject
        $TPMObject      = Get-ADObject -Identity $computerObject.'msTPM-TpmInformationForComputer' -Properties msTPM-OwnerInformation -Credential $credential
        $TPMRecoveryKey = $TPMObject.'msTPM-OwnerInformation'
    } else {
        $TPMRecoveryKey = '<not set>'
    }
} else {
    # Windows 7 and older OS TPM Owner Password
    $TPMRecoveryKey = $computerObject.'msTPM-OwnerInformation'
}

# Check if the computer object has had a BitLocker Recovery Password backed up to AD.
# Each recovery password is a separate msFVE-RecoveryInformation child object under the computer;
# this takes the most recent one returned.
$BitLockerObject = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computerObject.DistinguishedName -Properties 'msFVE-RecoveryPassword' -Credential $credential | Select-Object -Last 1
if ($BitLockerObject.'msFVE-RecoveryPassword') {
    $BitLockerRecoveryKey = $BitLockerObject.'msFVE-RecoveryPassword'
} else {
    $BitLockerRecoveryKey = '<not set>'
}

# Print out our findings
Write-Host 'TPM Owner Recovery Key:'      $TPMRecoveryKey
Write-Host 'BitLocker Recovery Password:' $BitLockerRecoveryKey

# Export TPM Owner Password File (offered whenever an owner password was found, from either attribute)
if ($TPMRecoveryKey -ne '<not set>') {
    $exportToFile = Read-Host 'Would you like to export the TPM owner password to a .tpm file [y or n]'
    if ($exportToFile -ne 'y') {
        Exit
    }
    # The .tpm file format expected by TPM management tools is a small XML document wrapping the owner auth value
    $TPMOwnerFile = '<?xml version="1.0" encoding="UTF-8"?><ownerAuth>' + $TPMRecoveryKey + '</ownerAuth>'
    $TPMOwnerFile | Out-File "TPMOwnerPasswordFile.tpm"
} else {
    Cmd /c pause
}
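A related lookup that the script above does not cover, added here as an example and not part of the original post: a machine with several protected volumes (or rotated keys) has several msFVE-RecoveryInformation children, so taking the last one can return the wrong password. The BitLocker recovery screen prints the first eight characters of the Recovery Key ID, which is the msFVE-RecoveryGuid of the matching object; this function matches on that ID instead. It assumes the ActiveDirectory module and read permission on msFVE-RecoveryPassword; the function names, the computer name 'WS01' and the ID prefix 'A1B2C3D4' are illustrative.

```powershell
function ConvertTo-RecoveryKeyId {
    # msFVE-RecoveryGuid is stored as an octet string (byte[]) in AD; rebuild the GUID so it
    # can be compared with the Recovery Key ID printed on the BitLocker recovery screen.
    param([byte[]]$GuidBytes)
    $guid = New-Object -TypeName System.Guid -ArgumentList (,$GuidBytes)
    return $guid.ToString().ToUpper()
}

function Get-BitLockerRecoveryPasswordById {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$KeyIdPrefix,   # first 8 chars shown on the recovery screen
        [System.Management.Automation.PSCredential]$Credential
    )
    Import-Module ActiveDirectory
    $adArgs = @{}
    if ($Credential) { $adArgs['Credential'] = $Credential }

    $computerObject = Get-ADComputer -Identity $ComputerName @adArgs

    # Every protected volume (and every key rotation) is its own msFVE-RecoveryInformation
    # child object under the computer, so enumerate all of them rather than the last one.
    $recoveryObjects = @(Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -SearchBase $computerObject.DistinguishedName `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated @adArgs)

    foreach ($obj in $recoveryObjects) {
        $id = ConvertTo-RecoveryKeyId -GuidBytes $obj.'msFVE-RecoveryGuid'
        if ($id.StartsWith($KeyIdPrefix.ToUpper())) {
            # New-Object PSObject keeps this usable on PowerShell V2, like the original script
            return New-Object -TypeName PSObject -Property @{
                Computer         = $computerObject.Name
                RecoveryKeyId    = $id
                BackedUp         = $obj.whenCreated
                RecoveryPassword = $obj.'msFVE-RecoveryPassword'
            }
        }
    }
    # No match: report the IDs that do exist (never the passwords) so the prefix can be re-checked.
    $known = $recoveryObjects | ForEach-Object { (ConvertTo-RecoveryKeyId $_.'msFVE-RecoveryGuid').Substring(0, 8) }
    Write-Warning ("No recovery password with ID starting '{0}' under {1}. Known IDs: {2}" -f `
        $KeyIdPrefix, $computerObject.DistinguishedName, ($known -join ', '))
}

# Usage (interactive), e.g. for the ID prefix read off the recovery screen:
# $cred = Get-Credential
# Get-BitLockerRecoveryPasswordById -ComputerName 'WS01' -KeyIdPrefix 'A1B2C3D4' -Credential $cred
```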