BitLocker Recovery Guide (2023)


Applies to:

  • Windows 10
  • Windows 11
  • Windows Server 2016 and later

This article describes how to recover BitLocker keys from AD DS.

Organizations can use BitLocker recovery information stored in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended that you create a recovery model for BitLocker when planning your BitLocker implementation.

This article assumes that you understand how to configure AD DS to automatically back up BitLocker recovery information and what types of recovery information are saved in AD DS.

This article does not detail how to configure AD DS to store BitLocker recovery information.

What is BitLocker Recovery?

BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive cannot be unlocked normally. In a recovery scenario, the following options are available to restore drive access:

  • The user can supply the recovery password. If the organization allows users to print or store recovery passwords, the user can enter the 48-digit recovery password that they printed, stored on a USB drive, or saved with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain.

  • A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, it must be mounted as a data drive on another computer for the data recovery agent to unlock it.

  • A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended so that IT professionals can obtain recovery passwords for computers in the organization when needed. This method requires the recovery method to be enabled in the BitLocker Group Policy setting Choose how BitLocker-protected operating system drives can be recovered, located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Local Group Policy Editor. For more information, see BitLocker Group Policy Settings.

What Causes BitLocker Recovery?

The following list provides examples of specific events that cause BitLocker to enter recovery mode when attempting to start the operating system drive:

  • On computers that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, when an attack is detected, the device immediately reboots and enters BitLocker recovery mode. To take advantage of this functionality, administrators can set the Interactive logon: Machine account lockout threshold Group Policy setting, located at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options in the Local Group Policy Editor. Or they can use the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Microsoft Intune) to limit the number of failed password attempts before the device goes into Device Lockout.

  • On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not initiate BitLocker recovery in this case. TPM 2.0 does not consider a firmware change in boot device order to be a security threat because the operating system's boot loader is not compromised.

  • Place the CD or DVD drive before the hard drive in the BIOS boot order and insert or remove a CD or DVD.

  • Failing to boot from a network drive before booting from the hard drive.

  • Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking state of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, it might need to be disconnected from the docking station when it is unlocked.

  • Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.

  • Entering the personal identification number (PIN) incorrectly too many times, so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute-force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.

  • Turning off support for reading USB devices in the pre-boot environment from the BIOS or UEFI firmware, if USB-based keys are used instead of a TPM.

  • Turning off, disabling, deactivating, or clearing the TPM.

  • Updating critical initial boot components, such as a BIOS or UEFI firmware update, causing related boot measurements to change.

  • Forgetting the PIN when PIN authentication is enabled.

  • Option ROM Firmware Update.

  • TPM firmware update.

  • Adding or removing hardware; for example, inserting a new card in the computer, including some PCMCIA wireless cards.

  • Removing, inserting, or completely depleting a smart battery in a laptop.

  • Changes to the master boot record on disk.

  • Changes to the on-disk boot manager.

  • Hide the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent TPM enumeration in the operating system. When implemented, this option can hide the TPM from the operating system. When the TPM is hidden, the BIOS and UEFI Secure Boot are disabled and the TPM does not respond to commands from any software.

  • Using a different keyboard that doesn't correctly enter the PIN, or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.

  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot-critical BIOS settings change.

    Note

    Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS causes BitLocker to enter recovery mode because the PCR measurement will be different.

  • Move the BitLocker-protected drive to a new computer.

  • Upgrade the motherboard to a new one with a new TPM.

  • Lost USB flash drive containing startup key when startup key authentication was enabled.

  • TPM self-test failed.

  • Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each start and causing BitLocker to start in recovery mode.


  • Change the TPM storage root key usage right to a non-zero value.

    Note

    The BitLocker TPM initialization process sets the usage right value to zero, so another user or process must have explicitly changed this value.

  • Disable code integrity checking or enable test signing in Windows Boot Manager (Bootmgr).

  • Pressing the F8 or F10 key during the boot process.

  • Add or remove add-on cards (such as video or network cards) or update firmware on add-on cards.

  • Using a BIOS hotkey during the boot process to change the boot order to something other than the hard drive.

Note

Before beginning recovery, it is recommended to determine what caused the recovery. This can help prevent the problem from occurring again in the future. For example, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.

For planned scenarios, such as known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Since suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection once the scheduled task completes. Using suspend and resume also reseals the encryption key without having to enter the recovery key.

Note

If suspended, BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command-line tool.

If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker Network Unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.

Recovery was described in the context of unplanned or unwanted behavior. However, recovery can also be triggered as an intended production scenario, for example to manage access control. When desktop or laptop computers are redeployed to other departments or employees within the company, BitLocker recovery may be forced before the computer is handed over to a new user.

Testing recovery

Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde.exe is an easy way to step through the recovery process before users encounter a recovery situation.

To force a recovery for the local computer:

  1. Select the Start button and type cmd

  2. Right-click cmd.exe or Command Prompt and then select Run as administrator.

  3. At the command prompt, enter the following command:

    manage-bde.exe -forcerecovery <BitLockerVolume>

To force a recovery for a remote computer:

  1. Select the Start button and type cmd

  2. Right-click cmd.exe or Command Prompt and then select Run as administrator.

  3. At the command prompt, enter the following command:

    manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>

    Note

    Recovery triggered by -forcerecovery persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the -forcerecovery option isn't recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the operating system can boot up again. For more information, see BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device.
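A rehearsal of the steps above as an added example (this script is not part of the original article). It refuses to force recovery unless a 48-digit recovery password protector exists and has just been escrowed in AD DS, because forcing recovery removes the TPM protector and, without a backed-up recovery password, there is no way back in. It uses the BitLocker PowerShell module cmdlets (Get-BitLockerVolume, Backup-BitLockerKeyProtector) and manage-bde.exe, on a domain-joined test machine in an elevated session; the mount point is an assumption.

```powershell
# Added example: safely rehearse BitLocker recovery on a test machine.
# Assumes the BitLocker module (Windows 10/11, Windows Server) and an elevated,
# domain-joined session where AD DS backup of recovery information is allowed.
#Requires -RunAsAdministrator

function Test-BitLockerRecovery {
    param(
        [string]$MountPoint = 'C:',
        # $false performs only the checks and the AD DS backup, without forcing recovery.
        [bool]$ForceRecovery = $true
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint (status: $($volume.ProtectionStatus))."
    }

    # The recovery screen asks for a numerical (48-digit) password; forcing recovery
    # without one locks the drive for good, so stop here if none exists.
    $recoveryPasswords = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recoveryPasswords.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }

    # Escrow every recovery password protector in AD DS before doing anything else.
    # Backup-BitLockerKeyProtector fails if the computer cannot write its
    # msFVE-RecoveryInformation object; that failure must abort the test.
    foreach ($p in $recoveryPasswords) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Host "Backed up recovery password $($p.KeyProtectorId) to AD DS"
    }

    if ($ForceRecovery) {
        # There is no PowerShell cmdlet for -forcerecovery; call manage-bde.exe directly.
        & manage-bde.exe -forcerecovery $MountPoint
        if ($LASTEXITCODE -ne 0) { throw "manage-bde.exe -forcerecovery failed with exit code $LASTEXITCODE" }
        Write-Host "Recovery will be requested at the next boot. Read the Password ID from the recovery screen and look it up in AD DS."
    }
}

Test-BitLockerRecovery -MountPoint 'C:'
```

After the reboot, the Password ID shown on the recovery screen is the first eight characters of the GUID that Backup-BitLockerKeyProtector reported, which is how the helpdesk finds the right password in AD DS.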

Planning the recovery process.

When planning the BitLocker recovery process, first review your organization's current best practices for recovering sensitive information. For example: How does the company deal with lost Windows passwords? How does the organization perform smart card PIN reset? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.

Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows To Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker easier to deploy and manage, and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery management easier. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more information, see Microsoft BitLocker Administration and Monitoring.

After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.

When the recovery process is determined:

  • Become familiar with how a recovery password can be retrieved. See:

    • Self-recovery
    • Recovery password retrieval
  • Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:

    • Post-recovery analysis

Self-recovery

In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It is recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, users should be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag, it would be easy for an unauthorized user to access the PC. Another policy to consider is having users contact the helpdesk before or after performing self-recovery so that the root cause can be identified.

Recovery password retrieval

If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, the recovery password is not backed up to AD DS by default. Backup of the recovery password to AD DS has to be configured using the appropriate Group Policy settings before BitLocker is enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

  • Choose how BitLocker-protected operating system drives can be recovered

  • Choose how BitLocker-protected fixed drives can be recovered

  • Choose how BitLocker protected removable drives can be recovered


In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services and then choose which BitLocker recovery information to store in AD DS. Select the Do not enable BitLocker until recovery information is stored in AD DS check box to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.

Note

If the PCs are part of a workgroup, users are encouraged to save their BitLocker recovery password with their online Microsoft account. It is recommended that you have an online copy of your BitLocker recovery password to ensure that you do not lose access to your data in the event that recovery is required.

The BitLocker Recovery Password Viewer tool for Active Directory Users and Computers allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.

The following list can be used as a template for creating a recovery process for recovering the recovery password. This sample process uses the BitLocker Recovery Password Viewer tool for Active Directory Users and Computers.

  • Record the user's computer name
  • Verify the user's identity
  • Locate the recovery password in AD DS
  • Gather information to determine why recovery occurred
  • Provide the user with the recovery password

Record the user's computer name

The user's computer name can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive Encryption Password Entry user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.

Check user identity

The person requesting the recovery password must be verified as an authorized user of that computer. It should also be verified that the computer for which the user has given the name belongs to the user.

Locate the recovery password in AD DS

Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be discoverable even in a multi-domain forest.

Multiple recovery passwords

If multiple recovery passwords are stored on a computer object in AD DS, the name of the BitLocker recovery information object will include the date the password was created.

To ensure that you provide the correct password and/or to avoid providing an incorrect password, ask the user to read the eight-character Password ID displayed in the recovery console.

Since the Password ID is a unique value associated with each recovery password stored in AD DS, running a query against this ID finds the correct password to unlock the encrypted volume.
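The lookup described in the steps above, from computer name and Password ID to the stored password, as an added example (not part of the original article). It uses the ActiveDirectory module (Get-ADComputer, Get-ADObject) and relies on the fact stated above that each msFVE-RecoveryInformation object is a child of the computer object whose name ends in the recovery GUID in braces, so the eight-character Password ID is the first group of that GUID. The computer name and Password ID in the usage line are constructed; the account running it needs read access to msFVE-RecoveryInformation objects, which domain administrators have by default. Verifying the caller's identity remains a human step that precedes this lookup.

```powershell
# Added example: find a BitLocker recovery password in AD DS by Password ID.
# Requires the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryInformation objects under the computer object.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # The 8-character Password ID the user reads from the recovery screen:
        # the first group of the recovery GUID.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordId
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolved through the global catalog, so this works in a multi-domain forest.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery information objects are direct children of the computer object and are
    # named "<creation time>{<recovery GUID>}". Filtering on the Password ID inside the
    # braces means only the matching password attribute is ever read.
    $candidates = @(
        Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
            -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Where-Object { $_.Name -match "\{$PasswordId-" }
    )

    if ($candidates.Count -eq 0) {
        throw "No recovery password with ID $PasswordId under $($computer.DistinguishedName). Re-check the ID with the user; the computer may also have been renamed since BitLocker was enabled."
    }
    if ($candidates.Count -gt 1) {
        throw "Password ID $PasswordId is ambiguous under this computer object; refusing to guess."
    }

    $match = $candidates[0]
    [pscustomobject]@{
        ComputerName     = $computer.Name
        PasswordId       = $PasswordId.ToUpperInvariant()
        ObjectName       = $match.Name            # contains the creation time and full GUID
        Created          = $match.whenCreated
        RecoveryPassword = $match.'msFVE-RecoveryPassword'
    }
}

# Constructed usage, run by the helpdesk after the caller's identity has been verified:
Find-BitLockerRecoveryPassword -ComputerName 'LAPTOP-0421' -PasswordId 'A564F193'
```

The ambiguity check matters when a machine has accumulated many recovery passwords: the Password ID is only eight hex characters, so the function refuses to return a password unless exactly one object under that computer matches.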

Gather information to determine why recovery occurred

Before giving the user the recovery password, information should be gathered that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see Post-recovery analysis.

Provide the user with the recovery password

Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If MBAM or Configuration Manager BitLocker Management is used, the recovery password is regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.

Note

Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum digits to detect input errors in each 6-digit block of the 48-digit recovery password, and gives the user the opportunity to correct such errors.
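The checksum the note above refers to, as an added example (not code from the original article). Each 6-digit block of a BitLocker numerical password is a 16-bit value multiplied by 11, so a block is well formed only if it is a multiple of 11 and below 65536 × 11 = 720896. Because 11 is prime and 10 ≡ −1 (mod 11), changing any single digit or swapping two adjacent digits alters the block's remainder, which is what lets the console point at the mistyped block. The two passwords below are constructed from arbitrary 16-bit values and are not real keys.

```powershell
# Added example: validate the per-block checksum of a 48-digit recovery password
# the way the recovery console does, reporting which block is wrong.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$RecoveryPassword)

    $blocks = $RecoveryPassword.Trim() -split '-'
    $problems = @()

    if ($blocks.Count -ne 8) {
        $problems += "expected 8 blocks separated by '-', got $($blocks.Count)"
    }

    for ($i = 0; $i -lt $blocks.Count; $i++) {
        $block = $blocks[$i]
        if ($block -notmatch '^\d{6}$') {
            $problems += "block $($i + 1) '$block' is not 6 digits"
            continue
        }
        $value = [int]$block
        if ($value % 11 -ne 0) {
            # Checksum failure: a single wrong digit or an adjacent swap lands here.
            $problems += "block $($i + 1) '$block' fails the checksum (not a multiple of 11)"
        }
        elseif ($value -ge 720896) {
            # Multiple of 11, but value / 11 does not fit in 16 bits.
            $problems += "block $($i + 1) '$block' is out of range"
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample: the 16-bit values 12345, 54321, 1, 65535, 4660, 0, 30000, 9999,
# each multiplied by 11 and zero-padded to six digits.
$wellFormed = '135795-597531-000011-720885-051260-000000-330000-109989'
# The same password with one digit mistyped in block 1 and the last two digits of block 8 swapped.
$mistyped   = '135796-597531-000011-720885-051260-000000-330000-109998'

Test-BitLockerRecoveryPassword $wellFormed
Test-BitLockerRecoveryPassword $mistyped
```

The first call reports no problems; the second flags blocks 1 and 8, which is exactly the feedback the pre-boot console gives the user. Note that this check proves only that a block was typed consistently, not that the password belongs to the volume; the wrong but well-formed password is still rejected at unlock time.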

Post-recovery analysis

When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way regardless of how the access was granted.

If a computer is observed to have repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time the computer starts. For more information, see:

  • Determine the root cause of the recovery
  • Resolve the root cause

Determine the root cause of the recovery.

If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Proper computer state analysis and tamper detection can reveal threats with broader business security implications.

While an administrator can remotely investigate the cause of the recovery in some cases, the end user may need to bring the computer containing the recovered drive to the site for a more detailed root cause analysis.

Review and answer the following questions for the organization:

  1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + Startup Key, Startup Key Only)? Which PCR profile is in use on the PC?

  2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where could the token be?

  3. If TPM mode was in effect, was the recovery due to a boot file change?

  4. If the recovery was due to a boot file change, was the boot file change due to intentional user action (eg BIOS update) or malware?

  5. When was the last time the user was able to successfully start the computer, and what might have happened to the computer since then?

  6. Could the user have encountered malware or left the computer unattended since the last successful boot?

To help answer these questions, use the BitLocker command-line tool to view current settings and protection mode:

manage-bde.exe -status

Examine the event log for events that help indicate why the recovery was initiated (for example, whether a boot file changed). Both of these tasks can be performed remotely.
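An added example (not from the original article) that collects the facts the questions above ask for, locally or from a remote computer: which protector types are on the volume, the PCR profile bound to each TPM-based protector, and recent BitLocker management events. It uses the Win32_EncryptableVolume WMI class (the same class the VBScript sample at the end of this article uses) and its GetKeyProtectors, GetKeyProtectorPlatformValidationProfile and GetProtectionStatus methods, plus Get-WinEvent on the Microsoft-Windows-BitLocker/BitLocker Management log. Event IDs are deliberately not hard-coded; the log is filtered on message text, which is an assumption about wording rather than a documented contract. Remote use assumes WinRM and remote event log access are enabled.

```powershell
# Added example: gather BitLocker protection mode, PCR profile and recent events
# for post-recovery analysis. Requires an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerRecoveryContext {
    param(
        [string]$MountPoint = 'C:',
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$EventCount = 20
    )
    # Pass -ComputerName only for a remote target; local queries need no WinRM.
    $target = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $target.ComputerName = $ComputerName }

    $wmiVolume = Get-CimInstance @target -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
    if (-not $wmiVolume) { throw "No BitLocker-capable volume $MountPoint on $ComputerName" }

    # Key protector type codes used by Win32_EncryptableVolume.GetKeyProtectors.
    $typeNames = @{ 1 = 'TPM'; 2 = 'ExternalKey (startup key)'; 3 = 'NumericalPassword (recovery password)'
                    4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'PublicKey'
                    8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CNG' }

    $protectors = foreach ($type in 1..10) {
        $result = Invoke-CimMethod -InputObject $wmiVolume -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]$type }
        foreach ($id in $result.VolumeKeyProtectorID) {
            $pcr = $null
            if ($type -in 1, 4, 5, 6) {
                # Only TPM-bound protectors carry a platform validation (PCR) profile.
                $profile = Invoke-CimMethod -InputObject $wmiVolume -MethodName GetKeyProtectorPlatformValidationProfile -Arguments @{ VolumeKeyProtectorID = $id }
                $pcr = ($profile.PlatformValidationProfile | ForEach-Object { "PCR[$_]" }) -join ', '
            }
            [pscustomobject]@{ ProtectorId = $id; Type = $typeNames[$type]; PcrProfile = $pcr }
        }
    }

    # Recent management events; the text filter is a heuristic, not an event ID list.
    $events = Get-WinEvent @target -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'recover|backup|unlock' } |
        Select-Object -First $EventCount TimeCreated, Id, LevelDisplayName, Message

    $status = (Invoke-CimMethod -InputObject $wmiVolume -MethodName GetProtectionStatus).ProtectionStatus  # 0 off, 1 on, 2 unknown
    [pscustomobject]@{
        ComputerName   = $ComputerName
        MountPoint     = $MountPoint
        ProtectionOn   = ($status -eq 1)
        ProtectionMode = (($protectors | Where-Object { $_.Type -notlike 'NumericalPassword*' }).Type -join ', ')
        Protectors     = $protectors
        RecentEvents   = $events
    }
}

Get-BitLockerRecoveryContext -MountPoint 'C:' | Format-List
```

ProtectionMode answers question 1 directly (a lone TPM entry means TPM-only; TPM+PIN or TPM+StartupKey means two-factor), PcrProfile shows whether PCR[1] or another measurement that is sensitive to routine BIOS changes is part of the profile, and the event list gives the timeline needed for questions 3 to 5.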

Resolve the root cause

After the cause of the recovery has been identified, BitLocker protection can be reset to avoid recovery on every startup.

The details of this reset can vary according to the root cause of the recovery. If the root cause can't be determined, or if malware or a rootkit might have infected the computer, the helpdesk should apply best-practice virus policies to respond appropriately.

Note

The BitLocker validation profile can be reset by suspending and resuming BitLocker.

  • Unknown PIN
  • Lost startup key
  • Startup file changes

Unknown PIN

If a user has forgotten the PIN, the PIN must be reset while signed in to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.

To prevent continued recovery due to an unknown PIN

  1. Unlock the computer using the recovery password.

  2. Reset the PIN:

    1. Right-click the drive (or select and hold it), then select Change PIN

    2. In the BitLocker Drive Encryption dialog, select Reset a forgotten PIN. If the signed-in account isn't an administrator account, administrative credentials must be provided at this time.

    3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select Finish.

  3. The new PIN can be used the next time the drive needs to be unlocked.

Lost startup key

If the USB flash drive that contains the startup key has been lost, the drive must be unlocked using the recovery key. A new startup key can then be created.

To prevent continued recovery due to a lost startup key

  1. Sign in as an administrator to the computer that has its startup key lost.

  2. Open Manage BitLocker.

  3. Select Duplicate startup key, insert the clean USB drive where the key will be written, and then select Save.

Startup file changes

This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update is complete. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive, and the platform validation profile will be updated so that recovery won't occur the next time.
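The planned-maintenance flow described here and in the note on suspend and resume earlier in this article, as an added example (not part of the original article). It suspends protection for exactly one restart with Suspend-BitLocker -RebootCount 1, so a forgotten Resume-BitLocker cannot leave the drive unprotected, runs the vendor's firmware updater, and after the restart confirms that protection resumed and was resealed to the new measurements. The updater path and arguments are placeholders for whatever tool the hardware vendor ships; the script requires an elevated session.

```powershell
# Added example: suspend BitLocker for one restart around a firmware update,
# then verify protection resumed. Requires an elevated session.
#Requires -RunAsAdministrator

function Invoke-FirmwareUpdateWithBitLockerSuspended {
    param(
        [string]$MountPoint = 'C:',
        # Placeholder: the vendor's firmware update executable and its arguments.
        [Parameter(Mandatory)][string]$UpdaterPath,
        [string[]]$UpdaterArgs = @()
    )
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is not on for $MountPoint (status: $($volume.ProtectionStatus)); nothing to suspend."
        return
    }
    # Keep a fallback: if the flash fails halfway and measurements change anyway,
    # the TPM protector will not unseal and only a recovery password gets you in.
    if (-not ($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No recovery password protector on $MountPoint; add and back one up before updating firmware."
    }

    # RebootCount 1: protection resumes automatically after the next restart and the
    # key is resealed to the new measurements. RebootCount 0 would suspend until
    # Resume-BitLocker is called. Data stays encrypted; while suspended the volume
    # master key is stored in a clear-key protector on disk, so keep the window short.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    try {
        & $UpdaterPath @UpdaterArgs
        if ($LASTEXITCODE -ne 0) { throw "firmware updater exited with code $LASTEXITCODE" }
    }
    catch {
        # The updater did not run: no restart has happened, measurements are
        # unchanged, so resuming immediately is safe and closes the window.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        throw
    }
    Write-Host "Firmware update launched. Restart now; BitLocker resumes on the next boot."
}

# Run after the restart to confirm the new baseline took effect.
function Confirm-BitLockerResumed {
    param([string]$MountPoint = 'C:')
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "Protection did not resume on $MountPoint; run Resume-BitLocker -MountPoint $MountPoint"
    }
    $volume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage (placeholder path):
# Invoke-FirmwareUpdateWithBitLockerSuspended -MountPoint 'C:' -UpdaterPath 'C:\Vendor\FwUpdate.exe' -UpdaterArgs '/silent'
# ... restart ...
# Confirm-BitLockerResumed -MountPoint 'C:'
```

The equivalent command-line form used in the note earlier in this article is manage-bde.exe -protectors -disable C: -RebootCount 1; the cmdlet and the command do the same thing.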

Windows RE and BitLocker Device Encryption

Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR[7] allow the TPM to validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, if the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.

Windows RE will also ask for a BitLocker recovery key when a Remove everything reset from Windows RE is started on a device that uses TPM + PIN or Password for OS drive protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.

The BitLocker recovery screen that's shown by Windows RE has the accessibility tools Narrator and on-screen keyboard to help enter the BitLocker recovery key. If the Windows boot manager asks for the BitLocker recovery key, those tools might not be available.

To turn on Narrator during BitLocker recovery in Windows RE, press Windows + Ctrl + Enter. To turn on the on-screen keyboard, tap a text input control.


BitLocker recovery screen

During BitLocker recovery, Windows displays a custom recovery message and some hints that identify where a key can be recovered from. These enhancements can help a user during BitLocker recovery.

Custom recovery message

BitLocker Group Policy settings starting with Windows 10, version 1511 allow you to configure a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the internal IT website, or a support phone number.

This policy can be configured using GPO under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure pre-boot recovery message and URL.

It can also be configured using mobile device management (MDM), including in Intune, using the BitLocker CSP:

<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
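An added example (not part of the original article) for a stand-alone lab machine: it writes the three values that the Configure pre-boot recovery message and URL policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE and reads them back. The value names (PrebootRecoveryInfo, RecoveryMessage, RecoveryUrl) and the 0 to 3 meaning of the dropdown are taken from the BitLocker ADMX template as understood here and should be confirmed against the template shipped with the Windows build in use; on managed devices use the GPO or the CSP above rather than direct registry writes. The message and URL are constructed.

```powershell
# Added example: set and read the pre-boot recovery message policy values
# on a test machine. Value names and dropdown codes are assumptions taken
# from the BitLocker ADMX template; verify them before relying on this.
#Requires -RunAsAdministrator

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerRecoveryMessage {
    param(
        # Assumed dropdown codes: 0 default, 1 custom message, 2 custom URL, 3 empty.
        [ValidateSet('Default', 'Message', 'Url', 'Empty')][string]$Mode = 'Message',
        [string]$Message = '',
        [string]$Url = ''
    )
    if ($Mode -eq 'Message' -and -not $Message) { throw 'Mode Message requires -Message' }
    if ($Mode -eq 'Url' -and -not $Url) { throw 'Mode Url requires -Url' }
    # The pre-boot screen is read by someone who cannot copy text and may be
    # standing next to a stranger: keep it short and free of internal host names.
    $modeValue = @{ Default = 0; Message = 1; Url = 2; Empty = 3 }[$Mode]

    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $FvePolicyKey -Name 'PrebootRecoveryInfo' -PropertyType DWord  -Value $modeValue -Force | Out-Null
    New-ItemProperty -Path $FvePolicyKey -Name 'RecoveryMessage'     -PropertyType String -Value $Message   -Force | Out-Null
    New-ItemProperty -Path $FvePolicyKey -Name 'RecoveryUrl'         -PropertyType String -Value $Url       -Force | Out-Null
}

function Get-BitLockerRecoveryMessage {
    if (-not (Test-Path $FvePolicyKey)) { return $null }
    Get-ItemProperty -Path $FvePolicyKey | Select-Object PrebootRecoveryInfo, RecoveryMessage, RecoveryUrl
}

# Constructed values for a lab machine.
Set-BitLockerRecoveryMessage -Mode Message `
    -Message 'Call the Contoso service desk and read them the Key ID shown below.' `
    -Url 'https://recovery.contoso.example'
Get-BitLockerRecoveryMessage
```

The custom text is shown in addition to the generic hints described under BitLocker recovery key hints below, so it should tell the user what to do, not repeat what the screen already says.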


BitLocker recovery key hints

BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help the user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key was saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.


Important

Printing recovery keys or saving them to a file is not recommended. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and a Microsoft account.

There are rules governing which hint is shown during the recovery (in the order of processing):

  1. Always display the custom recovery message if it has been configured (using GPO or MDM).

  2. Always display the generic hint: For more information, go to https://aka.ms/recoverykeyfaq.

  3. If multiple recovery keys exist on the volume, prioritize the most recently created (and successfully backed up) recovery key.

  4. Prioritize keys that were successfully backed up over keys that were never backed up.

  5. Prioritize backup hints in the following order for remote backup locations: Microsoft account > Azure AD > Active Directory.

  6. If a key has been printed and saved to a file, display a combined hint, "Find a printout or text file with the key", instead of two separate hints.

  7. If multiple backups of the same type (remote or local) were made for the same recovery key, prioritize the backup information with the most recent backup date.

  8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk", is displayed.

  9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for the key that has been backed up, even if the other key is newer.

Example 1 (single recovery key with single backup)

    Custom URL: Yes
    Saved to Microsoft account: Yes
    Saved to Azure AD: No
    Saved to Active Directory: No
    Printed: No
    Saved to file: No

Result: The hints for the Microsoft account and the custom URL are displayed.


Example 2 (single recovery key with single backup)

    Custom URL: Yes
    Saved to Microsoft account: No
    Saved to Azure AD: No
    Saved to Active Directory: Yes
    Printed: No
    Saved to file: No

Result: Only the custom URL is displayed.


Example 3 (single recovery key with multiple backups)

    Custom URL: No
    Saved to Microsoft account: Yes
    Saved to Azure AD: Yes
    Saved to Active Directory: No
    Printed: Yes
    Saved to file: Yes

Result: Only the Microsoft account hint is displayed.


Example 4 (multiple recovery passwords)

    Key 1:
    Custom URL: No
    Saved to Microsoft account: No
    Saved to Azure AD: No
    Saved to Active Directory: No
    Printed: No
    Saved to file: Yes
    Creation time: 13:00
    Key ID: A564F193

    Key 2:
    Custom URL: No
    Saved to Microsoft account: No
    Saved to Azure AD: No
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 15:00
    Key ID: T4521ER5

Result: Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.


Example 5 (multiple recovery passwords)

    Key 1:
    Custom URL: No
    Saved to Microsoft account: Yes
    Saved to Azure AD: Yes
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 13:00
    Key ID: 99631A34

    Key 2:
    Custom URL: No
    Saved to Microsoft account: No
    Saved to Azure AD: Yes
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 15:00
    Key ID: 9DF70931

Result: The hint for the most recent key is displayed.
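A model of the hint-selection rules above, as an added example (not part of the original article), written so that it reproduces the five worked examples. The real selection logic lives in the boot manager and is not public, so this is a reading of the stated rules, not the implementation; the key records, creation times and the custom URL are constructed, and the Key IDs are the ones the examples use.

```powershell
# Added example: model of the recovery-screen hint rules, checked against Examples 1 to 5.
function New-RecoveryKeyRecord {
    param(
        [string]$KeyId, [datetime]$Created,
        [switch]$MicrosoftAccount, [switch]$AzureAD, [switch]$ActiveDirectory,
        [switch]$Printed, [switch]$SavedToFile
    )
    [pscustomobject]@{
        KeyId = $KeyId; Created = $Created
        MicrosoftAccount = [bool]$MicrosoftAccount; AzureAD = [bool]$AzureAD
        ActiveDirectory = [bool]$ActiveDirectory; Printed = [bool]$Printed; SavedToFile = [bool]$SavedToFile
    }
}

function Get-RecoveryScreenHints {
    param([object[]]$Keys, [string]$CustomMessage)

    # Rules 3, 4 and 9: among keys with any backup (remote or local) take the newest;
    # only if no key was ever backed up fall back to the newest key overall.
    $backedUp = @($Keys | Where-Object { $_.MicrosoftAccount -or $_.AzureAD -or $_.ActiveDirectory -or $_.Printed -or $_.SavedToFile })
    $pool = if ($backedUp.Count -gt 0) { $backedUp } else { $Keys }
    $key = $pool | Sort-Object Created -Descending | Select-Object -First 1

    $hints = @()
    if ($CustomMessage) { $hints += "Custom: $CustomMessage" }             # rule 1
    $hints += 'For more information, go to https://aka.ms/recoverykeyfaq'   # rule 2

    # Rules 5 to 8: a single location hint, remote locations before local ones.
    if     ($key.MicrosoftAccount) { $hints += "Sign in to your Microsoft account to find the key (Key ID $($key.KeyId))" }
    elseif ($key.AzureAD)          { $hints += "Sign in to Azure AD to find the key (Key ID $($key.KeyId))" }
    elseif ($key.ActiveDirectory)  { if (-not $CustomMessage) { $hints += "Contact your organization's help desk" } }  # rule 8
    elseif ($key.Printed -and $key.SavedToFile) { $hints += 'Find a printout or text file with the key' }             # rule 6
    elseif ($key.Printed)          { $hints += 'Find a printout with the key' }
    elseif ($key.SavedToFile)      { $hints += 'Find a text file with the key' }

    [pscustomobject]@{ SelectedKeyId = $key.KeyId; Hints = $hints }
}

# Constructed inputs mirroring Examples 1 to 5.
$url = 'https://recovery.contoso.example'
$ex1 = Get-RecoveryScreenHints -CustomMessage $url -Keys @(New-RecoveryKeyRecord -KeyId '1A2B3C4D' -Created '2023-05-01T13:00' -MicrosoftAccount)
$ex2 = Get-RecoveryScreenHints -CustomMessage $url -Keys @(New-RecoveryKeyRecord -KeyId '2B3C4D5E' -Created '2023-05-01T13:00' -ActiveDirectory)
$ex3 = Get-RecoveryScreenHints -Keys @(New-RecoveryKeyRecord -KeyId '3C4D5E6F' -Created '2023-05-01T13:00' -MicrosoftAccount -AzureAD -Printed -SavedToFile)
$ex4 = Get-RecoveryScreenHints -Keys @(
    (New-RecoveryKeyRecord -KeyId 'A564F193' -Created '2023-05-01T13:00' -SavedToFile),
    (New-RecoveryKeyRecord -KeyId 'T4521ER5' -Created '2023-05-01T15:00')
)
$ex5 = Get-RecoveryScreenHints -Keys @(
    (New-RecoveryKeyRecord -KeyId '99631A34' -Created '2023-05-01T13:00' -MicrosoftAccount -AzureAD),
    (New-RecoveryKeyRecord -KeyId '9DF70931' -Created '2023-05-01T15:00' -AzureAD)
)
$ex1, $ex2, $ex3, $ex4, $ex5 | Format-List
```

Example 3 shows why the order of the rules matters: the key was also printed and saved to a file, but the Microsoft account hint wins because remote locations take precedence. Example 4 selects the older key A564F193 because it is the only one with any backup, and Example 5 selects 9DF70931 because both keys are backed up and it is the newer one.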


Using additional recovery information

In addition to the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.

BitLocker key package

If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair Tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.

Note

The BitLocker Repair Tool repair-bde.exe must be used to make use of the BitLocker key package.

The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the Backup recovery password and key package option must be selected in the Group Policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on exporting key packages, see BitLocker key package recovery.
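The two halves of the key package workflow as an added example (not part of the original article): exporting the package from a healthy volume with manage-bde.exe -KeyPackage, and later feeding it together with the matching recovery password to repair-bde.exe to salvage a damaged volume into an image file. The drive letters, output paths and the recovery password argument are placeholders; both functions need an elevated session, and the damaged disk is assumed to be attached as a data drive to a working PC, as the Data recovery agents bullet earlier in this article describes.

```powershell
# Added example: export a BitLocker key package and use it with repair-bde.exe.
# Paths, drive letters and the recovery password are placeholders.
#Requires -RunAsAdministrator

function Export-BitLockerKeyPackage {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$OutputDirectory   # e.g. a removable drive kept away from the PC
    )
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) { throw "No recovery password protector on $MountPoint; a key package is useless without one." }

    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
    # The package is bound to this protector's ID (braces included); keep the
    # exported file and the 48-digit password apart, both are secrets.
    & manage-bde.exe -KeyPackage $MountPoint -ID $rp.KeyProtectorId -Path $OutputDirectory
    if ($LASTEXITCODE -ne 0) { throw "manage-bde.exe -KeyPackage failed with exit code $LASTEXITCODE" }
    Get-ChildItem -Path $OutputDirectory
}

function Repair-BitLockerVolumeToImage {
    param(
        [Parameter(Mandatory)][string]$DamagedVolume,     # e.g. 'E:' once the disk is attached to a working PC
        [Parameter(Mandatory)][string]$OutputImage,       # e.g. 'F:\recovered.img'; needs at least the volume's size free
        [Parameter(Mandatory)][string]$KeyPackageFile,    # file exported by Export-BitLockerKeyPackage
        [Parameter(Mandatory)][string]$RecoveryPassword,  # the 48-digit password matching that package
        [string]$LogFile = "$env:TEMP\repair-bde.log"
    )
    # -kp: key package; -rp: matching recovery password; -lf: log file;
    # -f: force dismount of the input volume even if it cannot be locked.
    # Writing to an image leaves the damaged disk itself untouched for later analysis.
    & repair-bde.exe $DamagedVolume $OutputImage -kp $KeyPackageFile -rp $RecoveryPassword -lf $LogFile -f
    if ($LASTEXITCODE -ne 0) { throw "repair-bde.exe failed with exit code $LASTEXITCODE; see $LogFile" }
    Write-Host "Decrypted image written to $OutputImage; mount it read-only to extract data."
}

# Usage (placeholders):
# Export-BitLockerKeyPackage -MountPoint 'C:' -OutputDirectory 'F:\keypackages\LAPTOP-0421'
# Repair-BitLockerVolumeToImage -DamagedVolume 'E:' -OutputImage 'F:\recovered.img' `
#     -KeyPackageFile 'F:\keypackages\LAPTOP-0421\BitLocker Key Package {A564F193-...}.KPG' -RecoveryPassword '135795-597531-...'
```

Because repair-bde.exe reconstructs data block by block, it tolerates metadata damage that makes the normal unlock path fail, but it still needs the exact recovery password that the package was created for; a newer password created after the export will not work with the old package.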

Recovery password reset

It is recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used, or for any other valid reason.

The recovery password can be invalidated and reset in two ways:

  • Use manage-bde.exe: manage-bde.exe can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and syntax for this method.

  • Run a script: a password reset script can be run without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other recovery passwords.

Reset a recovery password using manage-bde.exe

  1. Remove the previous recovery password.

    manage-bde.exe -protectors -delete C: -type RecoveryPassword

  2. Add the new recovery password.

    manage-bde.exe -protectors -add C: -RecoveryPassword

  3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.

    manage-bde.exe -protectors -get C: -Type RecoveryPassword

  4. Back up the new recovery password to AD DS.

    manage-bde.exe -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}

    Warning

    The braces {} must be included in the ID string.

Run the sample recovery password script to reset recovery passwords

  1. Save the following sample script to a VBScript file. For example:

    ResetPassword.vbs

  2. At the command prompt, type the following command:

    cscript.exe ResetPassword.vbs

    Important

    This sample script is configured to work only for volume C. If necessary, customize the script to match the volume on which the password reset is to be tested.

Note

To manage a remote computer, specify the remote computer name instead of the local computer name.

The following sample VBScript can be used to reset recovery passwords:

```vbscript
' Target drive letter
strDriveLetter = "c:"

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                   & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                   & strComputerName _
                   & "\root\cimv2\Security\MicrosoftVolumeEncryption"

On Error Resume Next 'handle permission exceptions

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
    WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
    WScript.Echo "Ensure that you are running with administrative privileges."
    WScript.Quit -1
End If

On Error GoTo 0

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume In colTargetVolumes
    Set objVolume = objFoundVolume
Next

' objVolume is now our found BitLocker-capable disk volume

' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------

' Add a new recovery password, keeping the ID around so it doesn't get deleted later
' --------------------------------------------------------------------------------

nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", sNewKeyProtectorID)
If nRC <> 0 Then
    WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

' Remove the other, "stale" recovery passwords
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 3 ' type associated with the "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

' Delete those key protectors other than the one we just added.
For Each sKeyProtectorID In aKeyProtectorIDs
    If sKeyProtectorID <> sNewKeyProtectorID Then
        nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
        If nRC <> 0 Then
            WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
            WScript.Quit -1
        Else
            ' no output
            'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
        End If
    End If
Next

WScript.Echo "A new recovery password has been added. Old passwords have been removed."

' - some advanced output (hidden)
'WScript.Echo ""
'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
```
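The same rotation written with the BitLocker PowerShell module, as an added example; it is not part of the original article or its sample scripts. It assumes an elevated session on a domain-joined computer where the BitLocker module is available (Windows 8 / Windows Server 2012 and later) and where the group policy for storing recovery information in AD DS is configured; the mount point is a parameter (C: by default) and the file name Rotate-BitLockerRecoveryPassword.ps1 is only a suggestion. Unlike the manage-bde steps above, which delete the old password before the new one has been backed up, it escrows the new protector first and only then removes the old ones, so a failed backup never leaves the volume without an escrowed recovery password:

```powershell
# Added example (not from the original article): rotate the BitLocker recovery
# password on one volume with the BitLocker module, escrowing the new password
# in AD DS *before* the old ones are removed. Assumes an elevated session, the
# BitLocker module, and a domain/policy configuration that allows AD DS backup.
param(
    [string]$MountPoint = 'C:'
)

$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $MountPoint; refusing to rotate."
}

# Remember the IDs of the recovery password protectors we are about to retire.
$oldIds = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty KeyProtectorId

# 1. Add a new 48-digit recovery password protector. The cmdlet returns the
#    updated volume object, so the new protector is the one not in $oldIds.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }
if (-not $new) { throw 'New recovery password protector not found after Add-BitLockerKeyProtector.' }

# 2. Escrow the new protector in AD DS first. If this throws, the script stops
#    here and the old passwords stay valid and escrowed.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null

# 3. Only now invalidate the old recovery passwords.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
}

# 4. Verify: exactly one recovery password protector must remain, and it must be
#    the new one. Print the protector ID only; the 48-digit password stays out of
#    the console, transcripts and command history.
$remaining = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (@($remaining).Count -ne 1 -or $remaining.KeyProtectorId -ne $new.KeyProtectorId) {
    throw "Rotation verification failed on $MountPoint; inspect with: manage-bde.exe -protectors -get $MountPoint"
}
Write-Output "Rotated recovery password on $MountPoint. New protector ID: $($new.KeyProtectorId)"
```

Run it as `.\Rotate-BitLockerRecoveryPassword.ps1 -MountPoint D:` for another volume. The new password itself is available in `$new.RecoveryPassword` if a workflow needs it, but printing it is deliberately avoided; the ID is enough to locate the escrowed copy in AD DS.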

BitLocker key package recovery

Two methods can be used to retrieve the key package, as described in Using additional recovery information:

  • Export a previously saved key package from AD DS. Read access to BitLocker recovery passwords stored in AD DS is required.

  • Export a new key package from an unlocked, BitLocker-protected volume. Local administrator access to the working volume is required, before any damage occurs to the volume.

Run the sample key package recovery script that exports all previously saved key packages from AD DS

The following steps and sample script export all previously saved key packages from AD DS.

  1. Save the following sample script to a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.

  2. At the command prompt, type a command similar to the following sample:

    cscript.exe GetBitLockerKeyPackageADDS.vbs -?

The following sample script can be used to create a VBScript file to retrieve the BitLocker key packages stored in AD DS:

```vbscript
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    WScript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
    WScript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Echo
    WScript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count

    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strFilePath = args(0)
            ' Get the name of the local computer
            Set objNetwork = CreateObject("WScript.Network")
            strComputerName = objNetwork.ComputerName
        End If

    Case 2
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strFilePath = args(0)
            strComputerName = args(1)
        End If

    Case Else
        ShowUsage

End Select

' --------------------------------------------------------------------------------
' Get the path to the Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' The search also includes deleted computers in the tombstone

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOOBject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.

    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.Echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found an object matching the name

    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPathToComputer

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80

' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------

' Get all the recovery information child objects of the computer object
' (signing and sealing keep the recovery password encrypted on the wire)

Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
                                      ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
objFveInfos.Filter = Array("msFVE-RecoveryInformation")

' Iterate through each recovery information object and save any existing key packages

nCount = 1
strFilePathCurrent = strFilePath & nCount

For Each objFveInfo In objFveInfos
    strName = objFveInfo.Get("name")

    strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
    strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")

    WScript.Echo
    WScript.Echo "Recovery Object Name: " + strName
    WScript.Echo "Recovery Password: " + strRecoveryPassword

    ' Validate the file path
    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FileExists(strFilePathCurrent)) Then
        WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path."
        WScript.Quit -1
    End If

    ' Save binary data to the file
    SaveBinaryDataText strFilePathCurrent, strKeyPackage

    WScript.Echo "Related key package successfully saved to " + strFilePathCurrent

    ' Update the next file path using the base name
    nCount = nCount + 1
    strFilePathCurrent = strFilePath & nCount
Next

'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------

Function SaveBinaryDataText(FileName, ByteArray)
    'Create FileSystemObject object
    Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")

    'Create text stream object
    Dim TextStream
    Set TextStream = FS.CreateTextFile(FileName)

    'Convert binary data to text and write it to the file
    TextStream.Write BinaryToString(ByteArray)
End Function

Function BinaryToString(Binary)
    Dim I, S
    For I = 1 To LenB(Binary)
        S = S & Chr(AscB(MidB(Binary, I, 1)))
    Next
    BinaryToString = S
End Function

WScript.Quit
```
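The same AD DS export done from PowerShell with the .NET DirectoryServices classes, as an added example that is not part of the original article. It assumes a domain-joined session authenticated with Kerberos whose account has read access to the msFVE-RecoveryInformation objects under the computer, and it needs no RSAT module; the parameter names and the suggested file name Export-BitLockerKeyPackagesFromAD.ps1 are this example's own. It differs from the VBScript in two practitioner-relevant ways: the msFVE-KeyPackage octet string is written byte-for-byte (the VBScript's text-stream round trip depends on the ANSI code page), and the 48-digit password is only printed when explicitly requested:

```powershell
# Added example (not from the original article): export every key package that
# AD DS holds for a computer. Assumes a Kerberos-authenticated, domain-joined
# session with read access to the computer's msFVE-RecoveryInformation objects.
param(
    [Parameter(Mandatory)] [string]$OutputBase,   # e.g. E:\bitlocker-ad-key-package (a number is appended)
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$ShowPassword                         # print the 48-digit password as well
)
$ErrorActionPreference = 'Stop'

# Locate the computer object through the global catalog, as the VBScript does.
$rootDse = [ADSI]'LDAP://RootDSE'
$gc      = [ADSI]"GC://$($rootDse.defaultNamingContext)"
$finder  = New-Object System.DirectoryServices.DirectorySearcher($gc)
$finder.Filter = "(&(objectCategory=computer)(cn=$ComputerName))"
$finder.PropertiesToLoad.Add('distinguishedName') | Out-Null
$hit = $finder.FindOne()
if (-not $hit) { throw "Computer '$ComputerName' was not found in the global catalog." }
$computerDn = $hit.Properties['distinguishedname'][0]

# Bind to the computer object with signing and sealing so the recovery password
# never crosses the wire unencrypted; the recovery objects are its children.
$computer = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$computerDn", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]'Secure,Signing,Sealing')
$search = New-Object System.DirectoryServices.DirectorySearcher($computer)
$search.Filter      = '(objectClass=msFVE-RecoveryInformation)'
$search.SearchScope = 'OneLevel'
foreach ($p in 'name', 'msFVE-RecoveryPassword', 'msFVE-KeyPackage') {
    $search.PropertiesToLoad.Add($p) | Out-Null
}

$n = 0
foreach ($r in $search.FindAll()) {
    $n++
    $path = "$OutputBase$n"
    $name = $r.Properties['name'][0]          # CN carries the timestamp and the password ID

    # Not every escrowed password has a package: the policy option "Backup recovery
    # passwords and key packages" must have been set when it was backed up.
    $pkg = $r.Properties['msfve-keypackage']
    if ($pkg.Count -eq 0) {
        Write-Warning "$name has a recovery password but no key package in AD DS."
        continue
    }
    if (Test-Path -LiteralPath $path) { throw "$path already exists; choose a different base path." }

    # Write the octet string exactly; no text encoding in between.
    [System.IO.File]::WriteAllBytes($path, [byte[]]$pkg[0])

    $out = [ordered]@{ RecoveryObject = $name; KeyPackageFile = $path }
    if ($ShowPassword) { $out.RecoveryPassword = $r.Properties['msfve-recoverypassword'][0] }
    [pscustomobject]$out
}
if ($n -eq 0) { Write-Warning "No msFVE-RecoveryInformation objects found under $computerDn." }
```

Each exported file is only useful together with the recovery password of the same recovery object, so fetch that password with `-ShowPassword` (or from the AD DS console) when it is time to run repair-bde, not as a matter of routine.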

Run the sample key package recovery script that exports a new key package from an unlocked, encrypted volume

The following steps and sample script export a new key package from an unlocked, encrypted volume.

  1. Save the following sample script to a VBScript file. For example: GetBitLockerKeyPackage.vbs

  2. Open an administrator command prompt and type a command similar to the following sample:

    cscript.exe GetBitLockerKeyPackage.vbs -?

The following sample VBScript exports a new key package from an unlocked, encrypted volume:

```vbscript
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    WScript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
    WScript.Echo
    WScript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count

    Case 2
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strDriveLetter = args(0)
            strFilePath = args(1)
        End If

    Case Else
        ShowUsage

End Select

' --------------------------------------------------------------------------------
' Other Inputs
' --------------------------------------------------------------------------------

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' Default key protector ID to use. Specify "" to let the script choose.
strDefaultKeyProtectorID = ""

' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                   & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                   & strComputerName _
                   & "\root\cimv2\Security\MicrosoftVolumeEncryption"

On Error Resume Next 'handle permission exceptions

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
    WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
    WScript.Echo "Ensure that you are running with administrative privileges."
    WScript.Quit -1
End If

On Error GoTo 0

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume In colTargetVolumes
    Set objVolume = objFoundVolume
Next

' objVolume is now our found BitLocker-capable disk volume

' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------

' Collect all possible valid key protector IDs that can be used to get the package
' --------------------------------------------------------------------------------

nNumericalKeyProtectorType = 3 ' type associated with the "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

nExternalKeyProtectorType = 2 ' type associated with the "External Key" protector
nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

' Get the first key protector of type "Numerical Password" or "External Key", if any
' --------------------------------------------------------------------------------

If strDefaultKeyProtectorID = "" Then

    ' Save the first numerical password, if one exists
    If UBound(aNumericalKeyProtectorIDs) <> -1 Then
        strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
    End If

    ' No numerical passwords exist, save the first external key
    If strDefaultKeyProtectorID = "" And UBound(aExternalKeyProtectorIDs) <> -1 Then
        strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
    End If

    ' Fail case: no recovery key protectors exist.
    If strDefaultKeyProtectorID = "" Then
        WScript.Echo "FAILURE: Cannot create a backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
        WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde.exe -protectors -add -?""."
        WScript.Quit -1
    End If

End If

' Get some information about the chosen key protector ID
' --------------------------------------------------------------------------------

' is the type valid?
nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)
If Hex(nRC) = "80070057" Then
    WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
    WScript.Echo "This ID value may have been provided by the script writer."
ElseIf nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

' what's a string that can be used to describe it?
strDefaultKeyProtectorType = ""
Select Case nDefaultKeyProtectorType
    Case nNumericalKeyProtectorType
        strDefaultKeyProtectorType = "recovery password"
    Case nExternalKeyProtectorType
        strDefaultKeyProtectorType = "recovery key"
    Case Else
        WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
        WScript.Echo "This ID value may have been provided by the script writer."
End Select

' Save the backup key package using the chosen key protector ID
' --------------------------------------------------------------------------------

nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If

' Validate the file path
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(strFilePath)) Then
    WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
    WScript.Quit -1
End If

Dim oKeyPackageByte, bKeyPackage
For Each oKeyPackageByte In oKeyPackage
    'WScript.Echo "key package byte: " & oKeyPackageByte
    bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
Next

' Save binary data to the file
SaveBinaryDataText strFilePath, bKeyPackage

' Display helpful information
' --------------------------------------------------------------------------------

WScript.Echo "The backup key package has been saved to " & strFilePath & "."
WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."

' Display the recovery password or a note about saving the recovery key file
If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then
    nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
    If nRC <> 0 Then
        WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
        WScript.Quit -1
    End If
    WScript.Echo "Save this recovery password: " & sNumericalPassword
ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
    WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
    WScript.Echo "For help re-saving this external key file, type ""manage-bde.exe -protectors -get -?"""
End If

'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------

Function SaveBinaryDataText(FileName, ByteArray)
    'Create FileSystemObject object
    Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")

    'Create text stream object
    Dim TextStream
    Set TextStream = FS.CreateTextFile(FileName)

    'Convert binary data to text and write it to the file
    TextStream.Write BinaryToString(ByteArray)
End Function

Function BinaryToString(Binary)
    Dim I, S
    For I = 1 To LenB(Binary)
        S = S & Chr(AscB(MidB(Binary, I, 1)))
    Next
    BinaryToString = S
End Function
```
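The same export done from PowerShell by calling the Win32_EncryptableVolume methods through CIM, as an added example that is not part of the original article. It assumes an elevated session on the computer that holds the volume; the method names (GetKeyProtectors, GetKeyProtectorType, GetKeyPackage, GetKeyProtectorNumericalPassword) and the protector type numbers (3 = numerical password, 2 = external key) are those of the WMI provider the VBScript above uses, while the parameter names and the suggested file name Export-BitLockerKeyPackage.ps1 are this example's own. Every provider call is checked through ReturnValue, and the package is written with WriteAllBytes so the bytes land on disk exactly as the provider returned them:

```powershell
# Added example (not from the original article): export a new key package from an
# unlocked, BitLocker-protected volume via the Win32_EncryptableVolume WMI class.
# Assumes an elevated PowerShell session on the machine that owns the volume.
param(
    [Parameter(Mandatory)] [string]$OutFile,   # e.g. E:\bitlocker-backup-key-package
    [string]$MountPoint = 'C:',
    [string]$KeyProtectorId = ''               # '' lets the script choose, as the VBScript does
)
$ErrorActionPreference = 'Stop'

$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
if (-not $vol) { throw "No BitLocker-capable volume $MountPoint was found." }

function Invoke-Fve([string]$Method, [hashtable]$Arguments) {
    # The provider reports failures through ReturnValue, not exceptions; fail loudly.
    $r = Invoke-CimMethod -InputObject $vol -MethodName $Method -Arguments $Arguments
    if ($r.ReturnValue -ne 0) { throw ('{0} failed with return code 0x{1:X8}' -f $Method, $r.ReturnValue) }
    $r
}

# Pick the first recovery password (type 3), else the first external key (type 2).
$protType = 0
if ($KeyProtectorId -eq '') {
    foreach ($type in 3, 2) {
        $ids = (Invoke-Fve GetKeyProtectors @{ KeyProtectorType = [uint32]$type }).VolumeKeyProtectorID
        if ($ids) { $KeyProtectorId = $ids[0]; $protType = $type; break }
    }
    if ($KeyProtectorId -eq '') {
        throw 'No recovery password or recovery key protector exists; add one with manage-bde.exe -protectors -add.'
    }
} else {
    # A caller-supplied ID must still be a recovery password or recovery key.
    $protType = (Invoke-Fve GetKeyProtectorType @{ VolumeKeyProtectorID = $KeyProtectorId }).KeyProtectorType
    if ($protType -notin 2, 3) { throw "$KeyProtectorId is not a recovery password or recovery key protector." }
}

if (Test-Path -LiteralPath $OutFile) { throw "$OutFile already exists; use a different path." }

# GetKeyPackage returns uint8[]; write it byte-for-byte.
$pkg = (Invoke-Fve GetKeyPackage @{ VolumeKeyProtectorID = $KeyProtectorId }).KeyPackage
[System.IO.File]::WriteAllBytes($OutFile, [byte[]]$pkg)
Write-Output "Key package for protector $KeyProtectorId saved to $OutFile."

# The package is useless on its own: keep the matching password or .BEK with it.
if ($protType -eq 3) {
    $pw = (Invoke-Fve GetKeyProtectorNumericalPassword @{ VolumeKeyProtectorID = $KeyProtectorId }).NumericalPassword
    Write-Output "IMPORTANT: store this recovery password with the package: $pw"
} else {
    Write-Output "IMPORTANT: store the recovery key file $KeyProtectorId.BEK with the package (see manage-bde.exe -protectors -get -?)."
}
```

The exported file is what repair-bde.exe later consumes with its `-KeyPackage` (`-kp`) option, together with the recovery password (`-rp`) or recovery key file (`-rk`) printed by the script. Because it prints the 48-digit password, run it interactively rather than under a logged transcript.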

Related Posts

  • BitLocker overview

Article information

Author: Sen. Emmett Berge

Last Updated: 13/07/2023
