Solved

Bitlocker recovery information retrievement

Posted on 2014-07-24
11
736 Views
Last Modified: 2014-07-29
Hello,
we are using a vbs script (downloaded from Microsoft) to retrieve Recovery information stored in AD.
The script is working well under admin account but not under SYSTEM account.

All rights delegation for Bitlocker are done (AD group where the working admin account is present we put also the computer account/s)

Script:
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer (strComputerName)
 
 WScript.echo
 WScript.Echo "Accessing object: "  + strPathToComputer  & " to compare found ID and PWD with Active Directory"
 
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
 
 
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' -------------------------------------------------------------------------------
 
' Get all the recovery information child objects of the computer object
 
Set objFveInfos = objDSO.OpenDSObject (strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING +  ADS_USE_SIGNING)

wscript.echo err
 
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
 
' Iterate through each recovery information object  

      
For Each objFveInfo in objFveInfos
 
      strName = objFveInfo.Get("name")
 
      strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
      strRecoveryGuid = ConvertOctetGuidToHexString (strRecoveryGuidOctet)
 
      strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 
      WScript.echo  
      WScript.echo "name: " + strName  
      WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
      WScript.echo "msFVE-RecoveryPassword: " +  strRecoveryPassword
   
 
      If len(strRecoveryGuid) <> 38 Then
      WScript.echo "WARNING: '" &  strRecoveryGuid & "' does not appear to be a  valid GUID."
                    End If

      If strRecoveryGuid = vKeyProtectorID Then
            If strRecoveryPassword = numPWD Then
                  wscript.echo "Correct ID And PWD found"
                  Wscript.Quit 0
            End If
      End If
Next

Seems that objFveInfos  is empty when script is started under SYSTEM account.
Do you have any idea?
Thanks
0
Comment
Question by:glavinfocz
  • 6
  • 4
11 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40216458
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the Bitlocker tab of the computer object,
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216480
we are preparing an automated script which will compare current Bitlocker Numerical password against AD and if it will not match it will inform us.
The script will run via SCCM under SYSTEM account as users don't have access to these objects
And mainly, we met several PC who were encrypted and Recovery information was not stored into AD (probably due to GPO problem)
0
 
LVL 6

Expert Comment

by:Biniek
ID: 40216512
Please look into this guide:

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA

in the section - Appendix A: Delegating Permission  you will find information how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 2

Author Comment

by:glavinfocz
ID: 40216532
As I wrote, delegation is set. We are using a AD group which can access these information and users from this group can use the script while Computers (members of the same group) don't.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40216549
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40216745
This is also possibility but we prefer to save Recovery keys only if they don't match, that's why we are trying to develop a compare script and we posted this question as we are facing above problem
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40217049
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
0
 
LVL 2

Author Comment

by:glavinfocz
ID: 40217703
Yes, no need quick solution, but solution which will lead to our goal - compare stored Recovery key with actual one on the PCs.

Do you have any idea how to query AD for stored recovery key by batch? I know how to obtain pasword and its ID via batch but Im little bit affraid about querying ms-FVE object. DSQuery? or other tool?
0
 
LVL 2

Accepted Solution

by:
glavinfocz earned 0 total points
ID: 40218765
Today, I realized that it started to work even under SYSTEM account. So, probably only AD replication with rights delegation took little bit longer than expected.
Anyway Thank you for your time and proposals.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40218779
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
0
 
LVL 2

Author Closing Comment

by:glavinfocz
ID: 40226193
Active Directory Right delegation replication took longer than expected. Now our script works well under SYSTEM account
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question