Solved

Bitlocker recovery information retrievement

Posted on 2014-07-24
11
758 Views
Last Modified: 2014-07-29
Hello,
we are using a vbs script (downloaded from Microsoft) to retrieve Recovery information stored in AD.
The script is working well under admin account but not under SYSTEM account.

All rights delegation for Bitlocker are done (AD group where the working admin account is present we put also the computer account/s)

Script:
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer (strComputerName)
 
 WScript.echo
 WScript.Echo "Accessing object: "  + strPathToComputer  & " to compare found ID and PWD with Active Directory"
 
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
 
 
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' -------------------------------------------------------------------------------
 
' Get all the recovery information child objects of the computer object
 
Set objFveInfos = objDSO.OpenDSObject (strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING +  ADS_USE_SIGNING)

wscript.echo err
 
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
 
' Iterate through each recovery information object  

      
For Each objFveInfo in objFveInfos
 
      strName = objFveInfo.Get("name")
 
      strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
      strRecoveryGuid = ConvertOctetGuidToHexString (strRecoveryGuidOctet)
 
      strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 
      WScript.echo  
      WScript.echo "name: " + strName  
      WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
      WScript.echo "msFVE-RecoveryPassword: " +  strRecoveryPassword
   
 
      If len(strRecoveryGuid) <> 38 Then
      WScript.echo "WARNING: '" &  strRecoveryGuid & "' does not appear to be a  valid GUID."
                    End If

      If strRecoveryGuid = vKeyProtectorID Then
            If strRecoveryPassword = numPWD Then
                  wscript.echo "Correct ID And PWD found"
                  Wscript.Quit 0
            End If
      End If
Next

Seems that objFveInfos  is empty when script is started under SYSTEM account.
Do you have any idea?
Thanks
0
Comment
Question by:glavinfocz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40216458
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the Bitlocker tab of the computer object,
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216480
we are preparing an automated script which will compare current Bitlocker Numerical password against AD and if it will not match it will inform us.
The script will run via SCCM under SYSTEM account as users don't have access to these objects
And mainly, we met several PC who were encrypted and Recovery information was not stored into AD (probably due to GPO problem)
0
 
LVL 6

Expert Comment

by:Biniek
ID: 40216512
Please look into this guide:

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA

in the section - Appendix A: Delegating Permission  you will find information how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 2

Author Comment

by:glavinfocz
ID: 40216532
As I wrote, delegation is set. We are using a AD group which can access these information and users from this group can use the script while Computers (members of the same group) don't.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40216549
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216745
This is also possibility but we prefer to save Recovery keys only if they don't match, that's why we are trying to develop a compare script and we posted this question as we are facing above problem
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40217049
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40217703
Yes, no need quick solution, but solution which will lead to our goal - compare stored Recovery key with actual one on the PCs.

Do you have any idea how to query AD for stored recovery key by batch? I know how to obtain pasword and its ID via batch but Im little bit affraid about querying ms-FVE object. DSQuery? or other tool?
0
 
LVL 2

Accepted Solution

by:
glavinfocz earned 0 total points
ID: 40218765
Today, I realized that it started to work even under SYSTEM account. So, probably only AD replication with rights delegation took little bit longer than expected.
Anyway Thank you for your time and proposals.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40218779
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
0
 
LVL 2

Author Closing Comment

by:glavinfocz
ID: 40226193
Active Directory Right delegation replication took longer than expected. Now our script works well under SYSTEM account
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compliā€¦
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operatingā€¦
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question