Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 813
  • Last Modified:

Bitlocker recovery information retrievement

Hello,
we are using a vbs script (downloaded from Microsoft) to retrieve Recovery information stored in AD.
The script is working well under admin account but not under SYSTEM account.

All rights delegation for Bitlocker are done (AD group where the working admin account is present we put also the computer account/s)

Script:
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer (strComputerName)
 
 WScript.echo
 WScript.Echo "Accessing object: "  + strPathToComputer  & " to compare found ID and PWD with Active Directory"
 
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
 
 
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' -------------------------------------------------------------------------------
 
' Get all the recovery information child objects of the computer object
 
Set objFveInfos = objDSO.OpenDSObject (strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING +  ADS_USE_SIGNING)

wscript.echo err
 
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
 
' Iterate through each recovery information object  

      
For Each objFveInfo in objFveInfos
 
      strName = objFveInfo.Get("name")
 
      strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
      strRecoveryGuid = ConvertOctetGuidToHexString (strRecoveryGuidOctet)
 
      strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 
      WScript.echo  
      WScript.echo "name: " + strName  
      WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
      WScript.echo "msFVE-RecoveryPassword: " +  strRecoveryPassword
   
 
      If len(strRecoveryGuid) <> 38 Then
      WScript.echo "WARNING: '" &  strRecoveryGuid & "' does not appear to be a  valid GUID."
                    End If

      If strRecoveryGuid = vKeyProtectorID Then
            If strRecoveryPassword = numPWD Then
                  wscript.echo "Correct ID And PWD found"
                  Wscript.Quit 0
            End If
      End If
Next

Seems that objFveInfos  is empty when script is started under SYSTEM account.
Do you have any idea?
Thanks
0
glavinfocz
Asked:
glavinfocz
  • 6
  • 4
1 Solution
 
McKnifeCommented:
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the Bitlocker tab of the computer object,
0
 
glavinfoczAuthor Commented:
we are preparing an automated script which will compare current Bitlocker Numerical password against AD and if it will not match it will inform us.
The script will run via SCCM under SYSTEM account as users don't have access to these objects
And mainly, we met several PC who were encrypted and Recovery information was not stored into AD (probably due to GPO problem)
0
 
BiniekCommented:
Please look into this guide:

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA

in the section - Appendix A: Delegating Permission  you will find information how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
glavinfoczAuthor Commented:
As I wrote, delegation is set. We are using a AD group which can access these information and users from this group can use the script while Computers (members of the same group) don't.
0
 
McKnifeCommented:
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
0
 
glavinfoczAuthor Commented:
This is also possibility but we prefer to save Recovery keys only if they don't match, that's why we are trying to develop a compare script and we posted this question as we are facing above problem
0
 
McKnifeCommented:
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
0
 
glavinfoczAuthor Commented:
Yes, no need quick solution, but solution which will lead to our goal - compare stored Recovery key with actual one on the PCs.

Do you have any idea how to query AD for stored recovery key by batch? I know how to obtain pasword and its ID via batch but Im little bit affraid about querying ms-FVE object. DSQuery? or other tool?
0
 
glavinfoczAuthor Commented:
Today, I realized that it started to work even under SYSTEM account. So, probably only AD replication with rights delegation took little bit longer than expected.
Anyway Thank you for your time and proposals.
0
 
McKnifeCommented:
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
0
 
glavinfoczAuthor Commented:
Active Directory Right delegation replication took longer than expected. Now our script works well under SYSTEM account
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now