Export BitLocker-information using Windows PowerShell

 

Active Directory can be used to store both Windows BitLocker Drive Encryption recovery information and Trusted Platform Module (TPM) owner information.

On the Microsoft Windows Support site, the following information are provided:

Storage of BitLocker Recovery Information in Active Directory

BitLocker recovery information is stored in a child object of a computer object in Active Directory. That is, the computer object is the container for the BitLocker recovery object.

More than one BitLocker recovery object can exist for each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.

Each BitLocker recovery object on a BitLocker-enabled volume has a unique name and contains a globally unique identifier (GUID) for the recovery password.

The name of the BitLocker recovery object is limited to 64 characters because of Active Directory constraints. This name incorporates the recovery password GUID as well as date and time information. The form is:

<Object Creation Date and Time><Recovery Password GUID>

For example:

2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

The Active Directory common name (cn) for the BitLocker recovery object is ms-FVE-RecoveryInformation and includes attributes such as ms-FVE-RecoveryPassword and ms-FVE-RecoveryGuid.

Storage of TPM Recovery Information in Active Directory

There is only one TPM owner password per computer; therefore the hash of the TPM owner password is stored as an attribute of the computer object in Active Directory. It is stored in Unicode. The attribute has the common name (cn) of ms-TPM-OwnerInformation.

Active Directory Requirements

In order to store BitLocker and TPM information in Active Directory, all domain controllers must run Windows Server 2003 with Service Pack 1 or later. Schema extensions will also need to be installed on servers running Windows Server 2003.

 

To see if a computer has stored any BitLocker Recovery information in Active Directory, you must install the BitLocker Recovery Password Viewer and check the BitLocker Recovery tab on the computer object to see if a Recovery Password are present:

image

Doing this for every computer manually isnt an option in a domain environment. To ease this task Ive written a PowerShell-script, available here, that will generate a CSV-file containing all Windows Vista and Windows 7 computer objects in the domain. The CSV-file will contain the following information:

  • Computername
  • OperatingSystem
  • HasBitlockerRecoveryKey
  • HasTPM-OwnerInformation

I havent found a way to retrieve ms-FVE-RecoveryInformation objects or msTPM-OwnerInformation information on computer objects using Microsofts PowerShell-module for Active Directory. Because of that Ive leveraged Quests free PowerShell Commands for Active Directory.

To retrieve correct information, you must run the script with a user that has been granted the following permission: Read-permission on msFVE-RecoveryInformation objects and Read-permissions on msTPM-OwnerInformation on computer-objects (e.g. Domain Admins).

When the CSV-file is generated, you can use the “Text to columns”-feature in Microsoft Office Excel and save the document as an Excel spreadsheet. Then you can apply filters to sort on e.g. HasBitlockerRecoveryKey or HasTPM-OwnerInformation.

If you`re using the BitLocker feature on other operatingsystems than Windows Vista or Windows 7, i.e. Windows Server 2008 or Windows Server 2008 R2, you may customize the filtering in the computers-variable.

 

BitLocker resources on Microsoft TechNet

BitLocker Drive Encryption

BitLocker Drive Encryption Overview

Backing Up BitLocker and TPM Recovery Information to Active Directory

13 thoughts on “Export BitLocker-information using Windows PowerShell

  1. Thanks for the script, was just looking for something like this!

    I have a question that is not directly about this script, but more about tpm ownerinformation.

    We have Group Policies in place that requires backup of TPM information to AD before TPM can be turned on. When I run this script I still find some computers where the result is FALSE for HasTPM-Ownerinformation but the volume is encrypted and the recovery keys are in AD, have doubled checked that. So I’m not really sure how this all comes together? Any ideas?

  2. I am in desperate need of a way to unlock a bitlocked external drive.
    Microsoft is no help and DataDoctors could not get it either.

    I reset my toshiba A500 running windows 7 ultimate to factory settings to clear up a driver issue. Before the rebuild I removed the standard password from the drive, anticipating problems. Then after the restart the drive is asking for the recovery code or usb key, do do not have either.
    Please help
    Lee

  3. Lee: If the computer is not a member of an Active Directory domain where the recovery key are backed up to, or you do not have the correct recovery key, I`m not aware of any methods to resolve this.
    My best bet would be to call Microsoft Support and ask for assistance.

    • Yes:

      #Custom variables
      $CsvFilePath = “C:tempBitLockerComputerReport.csv”

      #Create array to hold computer information
      $export = @()

      #Export computers not Bitlocker-enabled to a CSV-file
      $BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq “msFVE-RecoveryInformation”} | Foreach-Object {

      #Create custom object for each computer
      $computerobj = New-Object -TypeName psobject

      #Add name and operatingsystem to custom object
      $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
      $computerobj | Add-Member -MemberType NoteProperty -Name “msFVE-RecoveryPassword” -Value $_.”msFVE-RecoveryPassword”

      $export += $computerobj
      }

      #Export the array with computerinformation to the user-specified path
      $export | Export-Csv -Path $CsvFilePath -NoTypeInformation

      • This works great, but I only get the Recovery Password, not the TPM owner (msTPM-OwnerInformation) as well.

        Would you be so kind to add this as well (my limited PS skills won’t do).

      • #Custom variables
        $CsvFilePath = “C:tempBitLockerComputerReport.csv”

        #Create array to hold computer information
        $export = @()

        #Export computers not Bitlocker-enabled to a CSV-file
        $BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties cn,Name,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq “msFVE-RecoveryInformation”} | Foreach-Object {

        #Get PasswordID
        $_.cn -match “(?<={).*(?=})"

        #Create custom object for each computer
        $computerobj = New-Object -TypeName psobject

        #Add information to custom object
        $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
        $computerobj | Add-Member -MemberType NoteProperty -Name PasswordID -Value $matches[0]
        $computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"
        $computerobj | Add-Member -MemberType NoteProperty -Name "msTPM-OwnerInformation" -Value (Get-QADComputer -IncludedProperties "msTPM-OwnerInformation" -Name (Split-Path -Path $_.ParentContainer -Leaf))."msTPM-OwnerInformation"

        $export += $computerobj
        }

        #Export the array with computerinformation to the user-specified path
        $export | Export-Csv -Path $CsvFilePath -NoTypeInformation

  4. not the neatest but here is how you do it natively.

    get-adcomputer -Searchbase “ou=computers,dc=mydomain,dc=test,dc=com” -filter * |% {

    write-host $_.name

    get-ADObject -ldapfilter “(msFVE-Recoverypassword=*)” -Searchbase $_.distinguishedname -properties canonicalname,msfve-recoverypassword | select canonicalname,msfve-recoverypassword |fl }