GetTPMRecoveryInfo.psm1

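function Get-TPMRecoveryInfo {
<#
.SYNOPSIS
    Automates the process of gathering the BitLocker recovery password and TPM owner password.
 
.DESCRIPTION
    This function looks up several attributes in Active Directory and displays the correlating
    values that hold sensitive BitLocker information. Additionally, the TPM Owner Password
    can be exported to a .tpm file (an XML <ownerAuth> document), which can be used to make
    changes to the correlating machine.
 
.PARAMETER ComputerName
    Specify the computer name to query Active Directory for the recovery password.
 
.PARAMETER OutputPath
    Specify a directory that receives one <ComputerName>.tpm file per computer. The file is only
    written when a TPM owner password was actually found in Active Directory. It contains the
    owner authorization value, so the directory should be protected like the AD attribute itself.
 
.PARAMETER PromptforCredentials
    By default Get-TPMRecoveryInfo uses the current user's credentials to access Active Directory.
    Using this switch forces Get-TPMRecoveryInfo to prompt for another credential which has the
    rights to read msTPM-OwnerInformation from Active Directory.

.OUTPUTS
    PSCustomObject with ComputerName, TPMRecoveryKey and BitLockerRecoveryPass. Either value is
    '<not set>' when the attribute is absent or could not be read (a warning is written in that case).
 
.NOTES
    File Name : Get-TPMandBitlockerInfo.ps1
    Author : Jack Stromberg (jackstromberg.com)
    Prerequisite : PowerShell V2 over Vista and upper
    Version History: 2/5/2015 (original release)
    Version History: 8/2/2015 Updated to PSGallery and converted to module
 
.LINK
    Script posted over at:
    http://jackstromberg.com/2015/02/exporting-tpm-owner-key-and-bitlocker-recovery-password-from-active-directory-via-powershell/
#>

    [CmdLetBinding()]
    Param([string]$ComputerName,[switch]$PromptforCredentials,[string]$OutputPath)
    $ErrorActionPreference = 'Stop'

    # Parameters splatted onto every AD cmdlet call. -Credential is only added when the caller
    # asked for a prompt, which removes the duplicated If/Else around each query and avoids
    # testing a $credential variable that was never assigned.
    $adParams = @{}
    If ($PromptforCredentials) {
        Write-Verbose "~Enter in the correct credentials to access the BitLocker and TPM Owner attributes~"
        $UserName = Read-Host "Enter User Name"
        $Password = Read-Host -AsSecureString "Enter Your Password"
        $adParams['Credential'] = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $Password
    }

    # Check if the Computer Object exists in AD
    $computerObject = Get-ADComputer -Filter {cn -eq $ComputerName} -Properties msTPM-OwnerInformation, msTPM-TpmInformationForComputer @adParams
    if ($computerObject -eq $null) {
        # $ErrorActionPreference is Stop, so this terminates; the return covers callers that override it.
        Write-Error "Computer object not found."
        return
    }

    # Windows Vista and 7 store the TPM owner password in the computer object's msTPM-OwnerInformation
    # attribute, so check that first. Windows 8 and later back it up to a separate object that the
    # computer's msTPM-TpmInformationForComputer attribute links to.
    $TPMRecoveryKey = $computerObject.'msTPM-OwnerInformation'
    if (-not $TPMRecoveryKey -and $computerObject.'msTPM-TpmInformationForComputer') {
        # Grab the TPM Owner Password from the linked msTPM-InformationObject
        $TPMObject = Get-ADObject -Identity $computerObject.'msTPM-TpmInformationForComputer' -Properties msTPM-OwnerInformation @adParams
        $TPMRecoveryKey = $TPMObject.'msTPM-OwnerInformation'
    }
    # Remember whether a real value was found before substituting the placeholder, so the export
    # below never writes '<not set>' into a .tpm file (the linked object may exist yet lack the attribute).
    $haveTPMKey = [bool]$TPMRecoveryKey
    if (-not $haveTPMKey) {
        $TPMRecoveryKey = '<not set>'
        Write-Warning "<not set> could indicate inadequate credentials"
    }

    # Check if the computer object has had a BitLocker Recovery Password backed up to AD.
    # A computer can hold several msFVE-RecoveryInformation objects (one per backed-up protector);
    # sort on whenCreated so "last" is the most recent backup rather than whatever AD listed last.
    $BitLockerObject = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computerObject.DistinguishedName -Properties 'msFVE-RecoveryPassword', whenCreated @adParams |
        Sort-Object -Property whenCreated |
        Select-Object -Last 1
    if ($BitLockerObject.'msFVE-RecoveryPassword') {
        $BitLockerRecoveryKey = $BitLockerObject.'msFVE-RecoveryPassword'
    } else {
        $BitLockerRecoveryKey = '<not set>'
        Write-Warning "<not set> could indicate inadequate credentials"
    }

    # Print out our findings
    [PSCustomObject]@{
        'ComputerName' = $ComputerName
        'TPMRecoveryKey' = $TPMRecoveryKey
        'BitLockerRecoveryPass' = $BitLockerRecoveryKey
    }

    # Export TPM Owner Password File, only when an owner password was actually found and a
    # directory was requested. The file is named after the computer inside $OutputPath
    # (the previous code probed one path and then wrote a fixed name into the current directory).
    if ($haveTPMKey -and $OutputPath) {
        $outputfile = Join-Path -Path $OutputPath -ChildPath "$ComputerName.tpm"
        # .NET file APIs resolve relative paths against the process working directory, not the
        # PowerShell location, so resolve it through the provider first.
        $outputfile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($outputfile)
        # The declaration says UTF-8, so write UTF-8 bytes (no BOM) instead of Out-File's default
        # encoding. The owner password is base64 text, but escape it anyway so the XML stays well-formed.
        $TPMOwnerFile = '<?xml version="1.0" encoding="UTF-8"?><ownerAuth>' + [System.Security.SecurityElement]::Escape($TPMRecoveryKey) + '</ownerAuth>'
        Try {
            [System.IO.File]::WriteAllText($outputfile, $TPMOwnerFile, (New-Object System.Text.UTF8Encoding($false)))
        } Catch {
            Write-Warning "Unable to write to output file $outputfile ($($_.Exception.Message))"
        }
    }
}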