Using TPM Backups with Powershell

Backing up TPM information may not be a complete necessity for all, but certainly has its advantages. Understanding why we do this and what we can do with it.

Why not MBAM? : I’ll be brief about this…by the time MBAM came around, we had already built out all that it had to offer. We had key backup and retention and a web portal to access Recovery information for our support staff to use (Along with auditing of who accessed what). Anything else was just extra “stuff”. We didn’t need it. If you have MBAM and are happy with it: Great!

AD Schema Extensions/Updates

I won’t go into too much detail here other than pointing out a few things:

Group Policy Settings

In order to have your TPM information backed up to Active Directory there’s one Policy to set. As read in the description, this policy will require ADDS connectivity to backup this information whenever a TPM owner password is set or changed. With this setting enabled we’ll see TPM information backup to Active Directory.

This is the policy that is required for AD backup to work:

Location: Computer Configuration> Administrative Templates> System> Trusted Platform Module Services

Policy: Turn on TPM Backup to Active Directory Domain Services

Setting: Enabled

Some other notable settings that correspond with this and may benefit you (depending on your BitLocker configuration). You can set the TPM Lockout duration and Lockout threshold. For more information on those policies: http://technet.microsoft.com/en-us/library/jj679889.aspx.

What the Backup Looks Like

Depending on if you’re running Windows 7 or Windows 8/8.1 the TPM information will backup differently.

Windows 7

With Windows 7, the TPM information is added to the “msTPM-OwnerInformation” attribute of the AD Computer object.

Windows 8+

With Windows 8+ things get a bit more complex. The 2012 Schema update mentioned above adds a new container at the root of your domain “TPM Device”. Inside of this is (you guessed it!) TPM objects along with their TPM Recovery passwords. The AD Computer Object is linked to the TPM object through the Computer’s Attribute “msTPM-TpmInformationForComputer”.

For example, my Computer object will have the msTPM-TpmInformationForComputer attribute who’s value will reference the TPM object in the “TPM Devices” container. The TPM Object contains the recovery information in the “msTPM-OwnerInformation” attribute. This will be much clearer further on.

Back Together

In both instances the TPM Recovery information is a 20-byte binary value encoded to a 28-byte base64 null-terminated string. Basically, it’ll be a string of gibberish/rubbish/balderdash that you can’t read, but will find is very useful!

Using TPM Recovery Information

Organizations who utilize a TPM + PIN configuration for BitLocker will benefit the greatest from this information. Having a PIN for users means one more password for a user, which means one more password for someone to forget, which means they’ll mash and mash the wrong password convincing themselves they typed it correctly. In doing this, the TPM will identify this as an intrusion, and will eventually go into a lockout status. We are then forced to boot with our recovery password (hopefully backed up to Active Directory) and can at least get into the system. Just because we used BitLocker Recovery, doesn’t mean that our TPM lockout issue was resolved.

Now let’s say I reboot my system before the TPM lockout has reset itself. Recovery again but now what? There’s not exactly a countdown saying “your TPM will reset in XX minutes” otherwise you’d be telling whoever’s trying to break into your system “Wait 5 minutes to try again”. To reset the TPM lockout, we have an option to “Reset TPM Lockout” which requires the TPM Owner information that we’ve backed up to Active Directory. We pass in the TPM password to the system and the lockout state is reset and we can use our PIN like normal again.
Script it, Automate it, Any Way You Want It

So let’s put this information and scenario to good use. The above link for “Preparing Active Directory” includes some sample vbscripts that can help pull down this information. However, we have Powershell and we want to exercise its greatness.

We can grab the Information from Active Directory (Powershell or vbscript) and then pass that recovery into the ResetTPMLockout Method of the Win32_TPM class. With Powershell we’ll need the Active Directory modules (included with the RSAT tools).

Powershell:

Import-Module ActiveDirectory

# you can also setup the computer name as an argument to do this remotely 
$computerName = $env:COMPUTERNAME
$tpmPassword = ""

# Gets the AD Object of the computer
# We'll grab the Property for Windows 7 and Windows 8+
$computerAdObject = Get-ADComputer -Filter 'Name -eq $computerName' -Properties Name, OperatingSystem, 'msTPM-TpmInformationForComputer', 'msTPM-OwnerInformation'

# Evaluating the OS
if (($computerAdObject.OperatingSystem) -like "Windows 7" )
{
     $tpmPassword = $computerAdObject.'msTPM-OwnerInformation'
}

if (($computerAdObject.OperatingSystem) -like "Windows 8")
{
     # Gets the TPM object
     $tpmAdObject = Get-ADObject -Filter 'distinguishedName -eq $($computerAdObject.'msTPM-TpmInformationForComputer')' -Properties CN, Name, msTPM-OwnerInformation -Credential $authCreds

     # Stores the TPM password
     $tpmPassword = $tpmAdObject.'msTPM-OwnerInformation'
}

# Reset TPM Lockout
if (-Not ($tpmPassword = ""))
{
     # Get local TPM object
     $tpmObject = Get-WmiObject Win32_TPM -Namespace root/cimv2/security/MicrosoftTpm -ComputerName $computerName

     $return = $tpmObject.ResetAuthLockout($tpmPassword)
}

One Step Further…

Let’s say we want to change the TPM Owners password. We’ll still need to do the above to get the backed up password from Active Directory. Once we have that we can use the Win32_TPM WMI class to do this. However, we can’t just pass a string of text, we need to convert to that “gibberish” format we saw above. Just a couple quick lines in Powershell and we’ve successfully changed the TPM Owner Password:

Powershell:

$newEncodedPassword = ($tpmObject.ConvertToOwnerAuth("NewPassword")).OwnerAuth
$tpmObject.ChangeOwnerAuth($tpmPassword,$newEncodedPassword)

Hopefully this gives you a better understanding of how to use the TPM Passwords that you’ve been backing up to Active Directory.

Thanks for reading!

Advertisements

4 thoughts on “Using TPM Backups with Powershell

  1. $computerAdObject = Get-ADComputer -Filter ‘Name -eq $computerName’ -Properties Name, OperatingSystem, ‘msTPM-TpmInformationForComputer’, ‘msTPMOwnerInformation’

    Should be

    $computerAdObject = Get-ADComputer -Filter ‘Name -eq $computerName’ -Properties Name, OperatingSystem, ‘msTPM-TpmInformationForComputer’, ‘msTPM-OwnerInformation’

    Added hyphen in “mstpm-ownerinformation”

  2. I realise this is an old post, but this script is perfect for what I’m trying to do. As I have lockout problems across my estate, I’d like to roll it out to reset TPMs across the board.

    However, I’m receiving:
    Get-ADObject : A positional parameter cannot be found that accepts argument ‘msTPM-TpmInformationForComputer)’.
    on line 13.

    Any help at all?

    • The ‘msTPM-TpmInformationForComputer’ should be single quoted and included in the list for the “properties” parameter of get-adobject. Make sure that you’re using the properties parameter correctly and that each property is separated by a comma.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s