Get the BitLocker TPM Platform Validation Profile in Windows 7 (and Windows 8.1 and 10)
Scenario: You want to check which TPM Platform Validation Profile is in effect on a BitLocker enabled volume on a Windows 7 computer.
In Windows 8 and newer Windows operating systems, you can get this information by running this command from an elevated CMD prompt or PowerShell console:
```
manage-bde -protectors -get c:
```
However, this doesn’t work in Windows 7 since you only get information about the key protector IDs and recovery password.
Instead, run this PowerShell script (also works in Windows 8 and later):
```powershell
# Get the BitLocker WMI object for volume C: (requires an elevated console)
$volume = Get-WmiObject -Namespace "root/CIMV2/Security/MicrosoftVolumeEncryption" -Class 'Win32_EncryptableVolume' -Filter "DriveLetter='C:'"
# List the IDs of all key protectors on the volume
$protectors = $volume.GetKeyProtectors()
$protectorIDs = $protectors.VolumeKeyProtectorID
foreach ($protectorID in $protectorIDs) {
    $protectortype = $volume.GetKeyProtectorType($protectorID).KeyProtectorType
    # Key protector type 1 is the TPM-only protector
    if ($protectortype -eq 1) {
        $TPMplatformValidationProfile = $volume.GetKeyProtectorPlatformValidationProfile($protectorID).PlatformValidationProfile
        Write-Host "TPM protector ID for volume C:\ $protectorID"
        Write-Host "TPM Platform Validation Profile: $TPMplatformValidationProfile"
    }
}
```
This prints the TPM protector ID and the TPM Platform Validation Profile for the BitLocker volume.
You can also modify the script to check for other TPM protector types, e.g. “TPMandPin”. Check this link for the different key protector type values: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376442(v=vs.85).aspx
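The following is an added example, not part of the original post: it extends the script above to every TPM-based key protector type (1, 4, 5 and 6) and compares each protector's PCR list against a baseline. The drive letter and the `$ExpectedProfile` value of 7, 11 are assumed sample values; replace the baseline with the PCR list your own policy requires.

```powershell
# Added example, not the original author's script. Run from an elevated console.
# Assumptions: the drive letter and $ExpectedProfile are sample values; set the
# baseline to the PCR list your own policy requires.
$DriveLetter     = 'C:'
$ExpectedProfile = @(7, 11)

# TPM-based key protector type values (Win32_EncryptableVolume.GetKeyProtectorType)
$tpmTypes = @{ 1 = 'TPM'; 4 = 'TPM and PIN'; 5 = 'TPM and startup key';
               6 = 'TPM, PIN and startup key' }

$volume = Get-WmiObject -Namespace 'root/CIMV2/Security/MicrosoftVolumeEncryption' `
    -Class 'Win32_EncryptableVolume' -Filter "DriveLetter='$DriveLetter'"
if (-not $volume) { throw "No encryptable volume found for $DriveLetter" }

$report = @()
foreach ($type in ($tpmTypes.Keys | Sort-Object)) {
    # Passing a type value returns only the protectors of that type
    $result = $volume.GetKeyProtectors($type)
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("GetKeyProtectors({0}) returned 0x{1:X8}" -f $type, $result.ReturnValue)
        continue
    }
    # Drop nulls so PowerShell 2.0 (Windows 7) does not loop once over $null
    foreach ($id in @($result.VolumeKeyProtectorID | Where-Object { $_ })) {
        $pvp = $volume.GetKeyProtectorPlatformValidationProfile($id)
        if ($pvp.ReturnValue -ne 0) {
            Write-Warning ("Profile lookup for {0} returned 0x{1:X8}" -f $id, $pvp.ReturnValue)
            continue
        }
        $pcrs    = @($pvp.PlatformValidationProfile | Sort-Object)
        $missing = @($ExpectedProfile | Where-Object { $pcrs -notcontains $_ })
        $extra   = @($pcrs | Where-Object { $ExpectedProfile -notcontains $_ })
        $report += New-Object PSObject -Property @{
            ProtectorType   = $tpmTypes[$type]
            ProtectorID     = $id
            PCRs            = $pcrs -join ', '
            MissingPCRs     = $missing -join ', '
            UnexpectedPCRs  = $extra -join ', '
            MatchesBaseline = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        }
    }
}

if ($report.Count -eq 0) {
    Write-Warning "No TPM-based key protector found on $DriveLetter"
} else {
    $report | Select-Object ProtectorType, ProtectorID, PCRs, MissingPCRs,
        UnexpectedPCRs, MatchesBaseline | Format-List
}
```

A protector with `MatchesBaseline` set to `False` seals the volume key to a different set of PCRs than the baseline, which is worth reviewing against the Group Policy setting that was meant to apply.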