blog.powershell.no

On Windows PowerShell and other admin-related topics

Export BitLocker-information using Windows PowerShell


Active Directory can be used to store both Windows BitLocker Drive Encryption recovery information and Trusted Platform Module (TPM) owner information.

On the Microsoft Windows Support site, the following information is provided:

Storage of BitLocker Recovery Information in Active Directory

BitLocker recovery information is stored in a child object of a computer object in Active Directory. That is, the computer object is the container for the BitLocker recovery object.

More than one BitLocker recovery object can exist for each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.

Each BitLocker recovery object on a BitLocker-enabled volume has a unique name and contains a globally unique identifier (GUID) for the recovery password.

The name of the BitLocker recovery object is limited to 64 characters because of Active Directory constraints. This name incorporates the recovery password GUID as well as date and time information. The form is:

<Object Creation Date and Time><Recovery Password GUID>

For example:

2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

The Active Directory common name (cn) for the BitLocker recovery object is ms-FVE-RecoveryInformation and includes attributes such as ms-FVE-RecoveryPassword and ms-FVE-RecoveryGuid.

Storage of TPM Recovery Information in Active Directory

There is only one TPM owner password per computer; therefore the hash of the TPM owner password is stored as an attribute of the computer object in Active Directory. It is stored in Unicode. The attribute has the common name (cn) of ms-TPM-OwnerInformation.

Active Directory Requirements

In order to store BitLocker and TPM information in Active Directory, all domain controllers must run Windows Server 2003 with Service Pack 1 or later. Schema extensions will also need to be installed on servers running Windows Server 2003.


To see if a computer has stored any BitLocker recovery information in Active Directory, you must install the BitLocker Recovery Password Viewer and check the BitLocker Recovery tab on the computer object to see if a recovery password is present.

Doing this for every computer manually isn't an option in a domain environment. To ease this task I've written a PowerShell script, available here, that generates a CSV file containing all Windows Vista and Windows 7 computer objects in the domain. The CSV file contains the following columns:

  • Computername
  • OperatingSystem
  • HasBitlockerRecoveryKey
  • HasTPM-OwnerInformation

I haven't found a way to retrieve ms-FVE-RecoveryInformation objects or msTPM-OwnerInformation information on computer objects using Microsoft's PowerShell module for Active Directory. Because of that I've leveraged Quest's free PowerShell Commands for Active Directory.

To retrieve correct information, you must run the script as a user that has been granted the following permissions: read permission on msFVE-RecoveryInformation objects and read permission on the msTPM-OwnerInformation attribute of computer objects (e.g. a member of Domain Admins).

When the CSV file has been generated, you can use the "Text to Columns" feature in Microsoft Office Excel and save the document as an Excel spreadsheet. Then you can apply filters to sort on e.g. HasBitlockerRecoveryKey or HasTPM-OwnerInformation.

If you're using the BitLocker feature on operating systems other than Windows Vista or Windows 7, such as Windows Server 2008 or Windows Server 2008 R2, you can customize the filter in the computers variable.
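As an added example (not the post's own script, which uses the Quest cmdlets), the same report built with Microsoft's Active Directory module: it lists the recovery objects as children of each computer object with Get-ADObject and reads the msTPM-OwnerInformation attribute with Get-ADComputer, but reports only whether recovery information exists rather than exporting the passwords themselves. It goes slightly beyond the post by adding a recovery-object count and an optional OU scope; the file path and the $SearchBase value are assumptions.

```powershell
# Added example, not the script from the post. Assumes the RSAT ActiveDirectory
# module is installed and the caller has read access to msFVE-RecoveryInformation
# objects and to the msTPM-OwnerInformation attribute of computer objects.
Import-Module ActiveDirectory

# Custom variables; $SearchBase is optional and limits the report to one OU
$CsvFilePath = 'C:\temp\BitLockerComputerReport.csv'
$SearchBase  = $null   # e.g. 'OU=Workstations,DC=domain,DC=local' (assumed name)

# Client operating systems covered by the post; extend the filter for servers
$osFilter = 'OperatingSystem -like "Windows Vista*" -or OperatingSystem -like "Windows 7*"'

$params = @{ Filter = $osFilter; Properties = 'OperatingSystem', 'msTPM-OwnerInformation' }
if ($SearchBase) { $params.SearchBase = $SearchBase }

$export = foreach ($computer in Get-ADComputer @params) {

    # Recovery objects live directly below the computer object, so search one
    # level under its DN. Filtering on objectClass avoids reading the password
    # attribute at all; only presence and count are recorded.
    $recoveryObjects = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel)

    [pscustomobject]@{
        Computername              = $computer.Name
        OperatingSystem           = $computer.OperatingSystem
        HasBitlockerRecoveryKey   = ($recoveryObjects.Count -gt 0)
        RecoveryObjectCount       = $recoveryObjects.Count
        'HasTPM-OwnerInformation' = [bool]$computer.'msTPM-OwnerInformation'
    }
}

# Export the report; it contains no recovery passwords or TPM owner hashes
$export | Export-Csv -Path $CsvFilePath -NoTypeInformation
```

A computer with the TPM owned but HasTPM-OwnerInformation reported as False is worth a second look: the TPM was initialized without the Group Policy backup to Active Directory having been enforced.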


BitLocker resources on Microsoft TechNet

BitLocker Drive Encryption

BitLocker Drive Encryption Overview

Backing Up BitLocker and TPM Recovery Information to Active Directory


October 24, 2010 - Posted by | BitLocker, Scripting, Windows 7, Windows PowerShell, Windows Vista |

13 Comments »

  1. Thanks for the script, was just looking for something like this!

    I have a question that is not directly about this script, but more about tpm ownerinformation.

    We have Group Policies in place that require backup of TPM information to AD before TPM can be turned on. When I run this script I still find some computers where the result is FALSE for HasTPM-Ownerinformation but the volume is encrypted and the recovery keys are in AD, have double-checked that. So I'm not really sure how this all comes together? Any ideas?

    Comment by Johan Furu | November 9, 2010 | Reply

  2. I am in desperate need of a way to unlock a bitlocked external drive.
    Microsoft is no help and DataDoctors could not get it either.

    I reset my Toshiba A500 running Windows 7 Ultimate to factory settings to clear up a driver issue. Before the rebuild I removed the standard password from the drive, anticipating problems. Then after the restart the drive is asking for the recovery code or USB key, I do not have either.
    Please help
    Lee

    Comment by lee | November 17, 2010 | Reply

  3. Johan: Maybe TPM ownership information isn't enforced to be stored in AD, and hence some computers might have initialized the TPM without backup to AD. Read up on this in the "Configure Group Policy to enable backup of BitLocker and TPM recovery information in Active Directory" section here: http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

    Comment by Jan Egil Ring | November 21, 2010 | Reply

  4. Lee: If the computer is not a member of an Active Directory domain where the recovery key is backed up to, or you do not have the correct recovery key, I'm not aware of any methods to resolve this.
    My best bet would be to call Microsoft Support and ask for assistance.

    Comment by Jan Egil Ring | November 21, 2010 | Reply

  5. Great script. Would it be possible to extend it so that the TPM and recovery passwords would also be exported?

    Comment by CypherBit | January 18, 2011 | Reply

    • Yes:

      #Custom variables
      $CsvFilePath = "C:\temp\BitLockerComputerReport.csv"

      #Create array to hold computer information
      $export = @()

      #Retrieve every msFVE-RecoveryInformation object in the domain and record its parent computer and recovery password
      Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {

      #Create custom object for each recovery object
      $computerobj = New-Object -TypeName psobject

      #Add the computer name (the recovery object's parent container) and the recovery password to the custom object
      $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
      $computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"

      $export += $computerobj
      }

      #Export the array with computer information to the user-specified path
      $export | Export-Csv -Path $CsvFilePath -NoTypeInformation

      Comment by Jan Egil Ring | January 20, 2011 | Reply

      • This works great, but I only get the Recovery Password, not the TPM owner (msTPM-OwnerInformation) as well.

        Would you be so kind to add this as well (my limited PS skills won’t do).

        Comment by CypherBit | January 21, 2011

      • #Custom variables
        $CsvFilePath = "C:\temp\BitLockerComputerReport.csv"

        #Create array to hold computer information
        $export = @()

        #Retrieve every msFVE-RecoveryInformation object in the domain and record its computer, password ID, recovery password and TPM owner information
        Get-QADObject -SizeLimit 0 -IncludedProperties cn,Name,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {

        #Get the password ID: the GUID between the braces in the object's cn (the boolean result of -match is discarded, $matches[0] holds the GUID)
        $null = $_.cn -match "(?<={).*(?=})"

        #Create custom object for each recovery object
        $computerobj = New-Object -TypeName psobject

        #Add information to custom object; the TPM owner information is read from the parent computer object
        $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
        $computerobj | Add-Member -MemberType NoteProperty -Name PasswordID -Value $matches[0]
        $computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"
        $computerobj | Add-Member -MemberType NoteProperty -Name "msTPM-OwnerInformation" -Value (Get-QADComputer -IncludedProperties "msTPM-OwnerInformation" -Name (Split-Path -Path $_.ParentContainer -Leaf))."msTPM-OwnerInformation"

        $export += $computerobj
        }

        #Export the array with computer information to the user-specified path
        $export | Export-Csv -Path $CsvFilePath -NoTypeInformation

        Comment by Jan Egil Ring | January 23, 2011

  6. Excellent! Thank you so much.

    Comment by CypherBit | February 4, 2011 | Reply

  7. Not the neatest but here is how you do it natively.

    #For every computer in the OU, list the recovery objects stored below it
    get-adcomputer -Searchbase "ou=computers,dc=mydomain,dc=test,dc=com" -filter * |% {

    write-host $_.name

    get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties canonicalname,msfve-recoverypassword | select canonicalname,msfve-recoverypassword |fl }

    Comment by Dan Potter | April 12, 2011 | Reply

  8. Hi Jan,

    Is there a way we can run this against a specific OU and SubOU, instead of against the whole Domain?

    Comment by Richard | November 3, 2011 | Reply

    • Hi,

      Just add -SearchRoot domain.local/OU to the Get-QADObject and Get-QADUser cmdlets in the script.

      Comment by Jan Egil Ring | November 3, 2011 | Reply

