BitLocker and TPM Recovery Information

  • Question

  • Hey Scripting guys. Here's my dilemma. We are storing BitLocker and TPM recovery information in AD. We don't use MBAM because we don't have the necessary MDOP licenses. Anyway, with Windows 7 boxes the information is all stored in the machine object attributes, e.g. msFVE-RecoveryPassword, msFVE-RecoveryInformation and msTPM-OwnerInformation. This information I can obtain and export to a .csv file. Where I'm stuck is pulling the msTPM-OwnerInformation for Windows 8 & 8.1 systems. This is because in the computer object attributes the msTPM-OwnerInformation attribute is not used for Win8/8.1. Instead the attribute msTPM-TpmInformationForComputer is used. But the information there is not really the TPM-OwnerInformation; it's merely a pointer to an object in the TPM Devices container under the root of the domain. Inside that object is the actual msTPM-OwnerInformation I'm looking for.

    So, how can I script-o-matically pull the needed information for both Windows 7 and Windows 8/8.1 systems and export it to a .csv for backup purposes? The information I'm looking to export is: Hostname, CN value (shows the DTS of the BL Recovery password), BitLocker PasswordID, msFVE-RecoveryPassword, msTPM-OwnerInformation, msTPM-TpmInformationForComputer (Win8) and finally the corresponding Win8 msTPM-TpmOwnerInformation.

    Any assistance will be hugely helpful

    Thanks in advance

    • Moved by Bill_Stewart Friday, July 4, 2014 1:50 AM Abandoned
    Tuesday, February 25, 2014 9:51 PM

All replies

  • I believe you will need to ask this in the Directory Services forum. The info is encrypted so I do not think it can be directly extracted. The idea is to keep all encryption "secrets" a secret. They should only be available when we need to do a recovery and then only on presentation of credentials. Each "owner" should have the only set of credentials.


    Wednesday, February 26, 2014 3:51 PM
  • The BitLocker and TPM recovery information is available for extraction. There are several PowerShell scripts that accomplish this task for Windows 7 machines. The issue I'm having is exporting the information for Windows 8/8.1 machines, because the msTPM-TpmOwnerInformation is now stored in a separate location, the "TPM Devices" container. I just need to figure out how to Script-O-Matically link the "msTPM-TpmInformationForComputer" attribute string to the corresponding object in the "TPM Devices" container and then export the TPM Owner Hash that is stored in the "msTPM-OwnerInformation" of that object.


    Wednesday, February 26, 2014 4:37 PM
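The lookup the original question and the reply above describe, as an added example written for this page (it is not a script posted in the thread): for every computer object it reads the Windows 7 style msTPM-OwnerInformation directly, follows the Windows 8/8.1 style msTPM-TpmInformationForComputer link (a DN of an msTPM-InformationObject in the TPM Devices container) to read the owner hash stored there, enumerates the msFVE-RecoveryInformation child objects for the recovery password and password ID, and writes one CSV row per recovery object. It assumes the RSAT ActiveDirectory module, an account with read access to those attributes, and an output path (C:\Backup\BitLockerTpm.csv) chosen here only for illustration.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory RSAT
# module and read access to msFVE-RecoveryInformation objects and the TPM Devices
# container. The output path is an assumption; adjust to a suitably restricted share.
Import-Module ActiveDirectory

$outFile = 'C:\Backup\BitLockerTpm.csv'

# Pull every computer with the two TPM-related attributes populated where present.
$computers = Get-ADComputer -Filter * -Properties 'msTPM-OwnerInformation','msTPM-TpmInformationForComputer'

$rows = foreach ($c in $computers) {
    # Windows 7 layout: the owner hash lives on the computer object itself.
    $ownerHash = $c.'msTPM-OwnerInformation'

    # Windows 8/8.1 layout: the attribute is a DN pointing into CN=TPM Devices; follow it.
    $tpmLink         = $c.'msTPM-TpmInformationForComputer'
    $linkedOwnerHash = $null
    if ($tpmLink) {
        $tpmObj = Get-ADObject -Identity $tpmLink -Properties 'msTPM-OwnerInformation'
        $linkedOwnerHash = $tpmObj.'msTPM-OwnerInformation'
    }

    # BitLocker recovery objects are direct children of the computer object.
    $recovery = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword','msFVE-RecoveryGuid'

    if (-not $recovery) {
        # Still record the TPM data for machines without a stored recovery password.
        [pscustomobject]@{
            Hostname                          = $c.Name
            RecoveryObjectCN                  = $null
            PasswordID                        = $null
            'msFVE-RecoveryPassword'          = $null
            'msTPM-OwnerInformation'          = $ownerHash
            'msTPM-TpmInformationForComputer' = $tpmLink
            LinkedTpmOwnerInformation         = $linkedOwnerHash
        }
        continue
    }

    foreach ($r in $recovery) {
        [pscustomobject]@{
            Hostname                          = $c.Name
            # The CN carries the backup timestamp and the {PasswordID} GUID.
            RecoveryObjectCN                  = $r.Name
            # msFVE-RecoveryGuid is a byte[]; cast to [guid] gives the ID shown on the recovery screen.
            PasswordID                        = ([guid]$r.'msFVE-RecoveryGuid').ToString()
            'msFVE-RecoveryPassword'          = $r.'msFVE-RecoveryPassword'
            'msTPM-OwnerInformation'          = $ownerHash
            'msTPM-TpmInformationForComputer' = $tpmLink
            LinkedTpmOwnerInformation         = $linkedOwnerHash
        }
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation
```

Run it as an account that is allowed to read the recovery attributes (by default that is Domain Admins, unless the permissions have been delegated). The CSV holds the same secrets as the AD objects, so the destination directory should carry equivalent ACLs; on a large domain, add a -SearchBase to Get-ADComputer to scope the export per OU.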
  • I repeat.  You need to post in Directory Services.  The reason for the change was to further secure the information with Windows 8.  I do not see any documentation on how to decode the blob.


    Wednesday, February 26, 2014 4:46 PM