Solved

Bitlocker recovery information retrievement

Posted on 2014-07-24
11
683 Views
Last Modified: 2014-07-29
Hello,
we are using a vbs script (downloaded from Microsoft) to retrieve Recovery information stored in AD.
The script is working well under admin account but not under SYSTEM account.

All rights delegation for Bitlocker are done (AD group where the working admin account is present we put also the computer account/s)

Script:
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer (strComputerName)
 
 WScript.echo
 WScript.Echo "Accessing object: "  + strPathToComputer  & " to compare found ID and PWD with Active Directory"
 
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
 
 
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' -------------------------------------------------------------------------------
 
' Get all the recovery information child objects of the computer object
 
Set objFveInfos = objDSO.OpenDSObject (strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING +  ADS_USE_SIGNING)

wscript.echo err
 
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
 
' Iterate through each recovery information object  

      
For Each objFveInfo in objFveInfos
 
      strName = objFveInfo.Get("name")
 
      strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
      strRecoveryGuid = ConvertOctetGuidToHexString (strRecoveryGuidOctet)
 
      strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 
      WScript.echo  
      WScript.echo "name: " + strName  
      WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
      WScript.echo "msFVE-RecoveryPassword: " +  strRecoveryPassword
   
 
      If len(strRecoveryGuid) <> 38 Then
      WScript.echo "WARNING: '" &  strRecoveryGuid & "' does not appear to be a  valid GUID."
                    End If

      If strRecoveryGuid = vKeyProtectorID Then
            If strRecoveryPassword = numPWD Then
                  wscript.echo "Correct ID And PWD found"
                  Wscript.Quit 0
            End If
      End If
Next

Seems that objFveInfos  is empty when script is started under SYSTEM account.
Do you have any idea?
Thanks
0
Comment
Question by:glavinfocz
  • 6
  • 4
11 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40216458
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the Bitlocker tab of the computer object,
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216480
we are preparing an automated script which will compare current Bitlocker Numerical password against AD and if it will not match it will inform us.
The script will run via SCCM under SYSTEM account as users don't have access to these objects
And mainly, we met several PC who were encrypted and Recovery information was not stored into AD (probably due to GPO problem)
0
 
LVL 6

Expert Comment

by:Biniek
ID: 40216512
Please look into this guide:

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA

in the section - Appendix A: Delegating Permission  you will find information how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216532
As I wrote, delegation is set. We are using a AD group which can access these information and users from this group can use the script while Computers (members of the same group) don't.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40216549
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 2

Author Comment

by:glavinfocz
ID: 40216745
This is also possibility but we prefer to save Recovery keys only if they don't match, that's why we are trying to develop a compare script and we posted this question as we are facing above problem
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40217049
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40217703
Yes, no need quick solution, but solution which will lead to our goal - compare stored Recovery key with actual one on the PCs.

Do you have any idea how to query AD for stored recovery key by batch? I know how to obtain pasword and its ID via batch but Im little bit affraid about querying ms-FVE object. DSQuery? or other tool?
0
 
LVL 2

Accepted Solution

by:
glavinfocz earned 0 total points
ID: 40218765
Today, I realized that it started to work even under SYSTEM account. So, probably only AD replication with rights delegation took little bit longer than expected.
Anyway Thank you for your time and proposals.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40218779
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
0
 
LVL 2

Author Closing Comment

by:glavinfocz
ID: 40226193
Active Directory Right delegation replication took longer than expected. Now our script works well under SYSTEM account
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How do I hook up a bluetooth speaker? 20 92
Syntax error 9 45
Update on Win 7 30 71
Linksys 4 port wireless router 62 45
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now