anyweb

How can I retrieve my BitLocker recovery key from MBAM in Windows PE


If you are using MDOP and BitLocker then you are more than likely aware of MBAM. Microsoft BitLocker Administration and Monitoring (MBAM) is a tool used, amongst other things, for storing the BitLocker keys used in your Enterprise. This means that you can have a central repository for your MBAM client agents to talk to, and they do this via Group Policy settings.

 

To make things simple: once your computers are BitLocker protected and have the MBAM client agent installed, and the MBAM Group Policy settings are pointing to your MBAM server, the info (recovery key etc.) will make its way up to the MBAM database. This means that we can use a script in Windows PE to connect to the SQL server and pull the needed information. Why? Well, during a Refresh (reinstallation of Windows) on your BitLockered computers you need to unlock the BitLockered drive and then suspend it (so that you can read/write to it), and to do so you need to provide the recovery key. To get this key we make a connection to the SQL database on the MBAM server and request the information.

 

Note: you'll need the ADO connector added to your boot image in order to make a connection from Windows PE to your SQL server. To do that, create an MDT boot image as described here and make sure 'ADO' is selected, otherwise you'll get ADODB.Connection errors in WinPE.

 

First of all you'll need a script, let's call it Get_RecoveryKey_from_MBAM.wsf. Place the script in a sub directory of your Scripts dir in your MDT Toolkit Files package.

 

<job id="GetBitLockerKey">
 <script language="VBScript" src="..\ZTIUtility.vbs"/>
 <script language="VBScript" src="..\ZTIDataAccess.vbs"/>
 <script language="VBScript">

 Dim ConString
 Dim RsTemp
 Dim MachineID
 Dim RecoveryKey
 Dim oEnv
 Dim WShell, fso, InfoFile, FileRow, Password, SQL

 Set oEnv=CreateObject("Microsoft.SMS.TSEnvironment")
 Set WShell=CreateObject("WScript.Shell")
 Set fso=CreateObject("Scripting.FileSystemObject")

 ' Dump the key protectors of the BitLockered volume (hard coded to d: here) to a text file
 WShell.Run "%comspec% /C manage-bde.exe -protectors -get d: > x:\BLInfo.txt",1,true
 Set InfoFile=fso.OpenTextFile("x:\BLInfo.txt")
 Do While Not InfoFile.AtEndOfStream
  FileRow=InfoFile.ReadLine
  ' The first line containing "Password" is "Numerical Password:"; the line after it
  ' is "ID: {GUID}", and that GUID is the RecoveryKeyID we look up in MBAM
  If InStr(FileRow,"Password")<>0 Then 'And InStr(FileRow,"Numerical Password")=0
   Password=InfoFile.ReadLine
   ' msgbox "Numerical Password:" &Password
   Exit Do
  End If
 Loop
 InfoFile.Close

 ' Strip the indentation, "ID: " and the opening brace, leaving the 36 character GUID
 Password=Mid(Password,12,36)

 'PARAMETERS
 ConString="Provider=SQLOLEDB.1;Data Source=mbam,1433;Initial Catalog=MBAM Recovery and Hardware;User ID=OSD;Password=Password123"

 'MAIN
 SQL="SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID='" &Password &"'"
 Set RsTemp=GetRs(SQL)
 RecoveryKey=RsTemp("RecoveryKey")

 ' Hand the key to the task sequence as the RecoveryKey variable for the Unlock step
 oEnv("RecoveryKey")=RecoveryKey
 msgbox "RecoveryKey retrieved from MBAM is:" &RecoveryKey

 Function GetRs(SQL)
  Dim Con
  Dim Rs

  Set Con=CreateObject("ADODB.Connection")
  Con.Open(ConString)

  Set Rs=Con.Execute(SQL)

  ' Return the recordset object itself (Set is required when returning an object)
  Set GetRs=Rs
 End Function
</script>
</job>

 

Ok, so what does this script do?

 

The script makes a call to the SQL database on our MBAM server (Data Source=mbam), specifies the database (MBAM Recovery and Hardware) and the user/password we need to connect with (User ID=OSD;Password=Password123), like so:-

 

ConString="Provider=SQLOLEDB.1;Data Source=mbam,1433;Initial Catalog=MBAM Recovery and Hardware;User ID=OSD;Password=Password123"

 

This requires SQL Server authentication to be set up in SQL Server, i.e. 'SQL Server and Windows Authentication mode' (mixed mode), so you'll need to configure this on your MBAM server (right click on your SQL server in SQL Management Studio, choose Properties, then Security).

 

sql server mixed mode.png

 

and configure the OSD user in SQL like so, with access to the MBAM Recovery and Hardware database:

 

osd user.png

 

 

In your Refresh task sequence you'll need to add a few new steps to get the key from your MBAM server. The first step is called Get Recovery Key from MBAM SQL in WinPE.

 

Note:- We only try to get the key if a Protected Volume (encrypted) is detected (guide here); there's no need for us to get the key if the drive is already unlocked, so checking that it's Protected is an important step.

 

get recovery key from mbam sql in winpe step.png

 

Now that we have the key from MBAM, nicely placed in a variable for us called RecoveryKey, we unlock the drive using the following command in the next step, called Unlock Bitlockered Drive:

 

manage-bde -unlock d: -RecoveryPassword %%RecoveryKey%%

 

Unlock Bitlockered Drive.png

 

The next step simply suspends the Bitlockered drive:

 

manage-bde d: -protectors -disable

 

suspend bitlockered drive.png

 

Ok, that's the explanation. How can you test it?

 

First of all you'll need to deploy a computer with Windows 7 and BitLocker encryption on it. Once done, install the MBAM client agent on the computer (see link 2 below or install it manually).

 

In addition to the above you'll want MBAM configured (local group policies and MBAM server side). Once done, login to your Windows 7 computer and start an Administrative Command Prompt.

 

Type the following:-

 

manage-bde -protectors -get c:

 

It will return something like the following if BitLockered:

 

manage-bde protectors.png

 

The Password listed is our Recovery Key. To verify that this value is in our MBAM database, simply login to the database using SQL Management Studio and expand the MBAM Recovery and Hardware database. Expand it so that you can see the tables and choose the RecoveryAndHardwareCore.Keys table. Right click the table and choose Select Top 1000 Rows. Verify that the password revealed from our Windows 7 command prompt is present in our MBAM database.

 

recoverykey.png

 

As you can see from the screenshot, the RecoveryKey is indeed listed and that means you are now ready to test the script in WinPE and to test a Refresh scenario! If the key does NOT appear (the MBAM client agent can take time to send this info, up to 90 minutes or more...) then simply restart the MBAM client agent service (BitLocker Management Client Service) on your Windows 7 client, wait a minute and try again.

 

restart mbam service.png

 

Good luck!

 

 

 

 

 

 

Related reading:

 

1. Microsoft BitLocker Administration and Monitoring (MBAM) - http://www.microsoft.../mdop/mbam.aspx

 

2. Deploying the MBAM agent using ConfigMgr - http://technet.micro...indows/hh328534

 

3. How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ? http://myitforum.com...e-in-winpe.aspx

 

4. Is the TPM Chip Enabled or Disabled in the Bios on my Dell system ? http://myitforum.com...ell-system.aspx

 

5. How can I determine if there's a TPM chip on my Dell system needed for BitLocker ? http://myitforum.com...-bitlocker.aspx


We are doing this in WinPE, Nico, hence the methods above.

 

Have a read from Technet below:-

 

The Enable BitLocker task sequence action runs only in a standard operating system and will not run in the Windows Preinstallation Environment (WinPE). For information about task sequence variables for this task sequence action, see Enable BitLocker Task Sequence Action Variables.

 

http://technet.micro...y/bb632526.aspx

 

and

 

The Disable BitLocker task sequence action runs only in a standard operating system and will not run in the Windows Preinstallation Environment (WinPE). For information about task sequence variables for this task sequence action, see Enable BitLocker Task Sequence Action Variables.

 

http://technet.micro...y/bb680745.aspx

Hello,

 

I am also suspending BDE during a refresh from WinPE. I can unlock and suspend BDE no problem, but when the TS starts, as the BDE drive is the only drive visible, the _SMSTASKSEQUENCE folder gets created on C (BDE hidden partition); as this is only a 300 MB partition there is not enough space to download my Win 7 file. I tried changing the location of SMSTSLocalDataDrive to D after getting access to the BDE drives but it still uses the C drive. How did you get around this? I guess I could use a pre-TS action to run my script to get access to the BDE drives before the TS starts, but just wondered how you did this..

 

Thanks,

 

DGA

I have followed the process too, and in Windows this script works great, but in Windows PE I get this error in SMSTS.LOG:

 

Get_RecoveryKey_from_MBAM.wsf(37,4) ADODB.Field: Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

 

I know the record is there, and what is weird is that if I run this script in Windows before trying to re-image it works. But looking at the log when trying to reimage, x:\blinfo.txt has this error:

 

ERROR: An error occurred (code 0x80310000):

 

This drive is locked by Bitlocker Drive Encryption. You must unlock drive from Control Panel.

 

Thoughts?

This script is hard coded to d:, see here:

Wshell.Run "%comspec% /C manage-bde.exe -protectors -get d: > x:\BLInfo.txt",1,true
Set InfoFile=fso.OpenTextFile("x:\BLInfo.txt")

You can change that to point to a variable instead (I believe I'm doing that in the CM12 UEFI BitLocker HTA, which contains an updated version of this script).

 

So if your BitLocker disk is not on d: it will not unlock it.

Ok then,

what happens when you run this manually (press F8) in WinPE before the step does it...

 

manage-bde.exe -protectors -get d: > x:\BLInfo.txt

 

What is created in x:\blinfo.txt?

Hi, anyweb!

Ok then,

what happens when you run this manually (press F8) in WinPE before the step does it...

 

manage-bde.exe -protectors -get d: > x:\BLInfo.txt

 

What is created in x:\blinfo.txt?

I'm experiencing the same issue. BLInfo.txt:

 

BitLocker Drive Encryption: Configuration Tool version 10.0.10011
Copyright © 2013 Microsoft Corporation. All rights reserved.
Volume D: [Label Unknown]
All Key Protectors
ERROR: An error occurred (code 0x80310000):
This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.

**EDIT**

I was grabbing the wrong line from manage-bde, I believe I've figured it out.

The ID line is the one you need to look up by, not the password line. Your screenshot was a bit misleading.
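Pulling the thread together (the hard-coded d:, the locked-volume "ERROR: ... 0x80310000" output in BLInfo.txt that ends in "Either BOF or EOF is True", and the ID line versus the password line), here is an added PowerShell equivalent of anyweb's Get_RecoveryKey_from_MBAM.wsf. It is example code, not anyweb's script and not part of MBAM or MDT. It assumes a boot image with the WinPE-PowerShell and WinPE-NetFx optional components and English manage-bde output; the table and column names (RecoveryAndHardwareCore.Keys, RecoveryKeyID, RecoveryKey) and the task sequence variable name RecoveryKey come from the post, while the server, database, login and password are placeholders to replace with your own.

```powershell
<#
  Added example, not anyweb's script: PowerShell equivalent of Get_RecoveryKey_from_MBAM.wsf
  for a boot image with the WinPE-PowerShell and WinPE-NetFx components (assumption).
  Table/column names and the RecoveryKey variable come from the post; server, database,
  login and password below are placeholders. manage-bde output is assumed to be English.
#>
param(
    [string]$Volume      = 'D:',                          # a parameter instead of a hard-coded d:
    [string]$SqlServer   = 'mbam,1433',                   # placeholder
    [string]$Database    = 'MBAM Recovery and Hardware',
    [string]$SqlLogin    = 'OSD',                         # placeholder; give it SELECT on the one table only
    [string]$SqlPassword = 'Password123'                  # placeholder; anyone who can boot the image can read it
)

# Pull the RecoveryKeyID out of "manage-bde -protectors -get" output. The lookup value is the
# GUID on the "ID:" line that follows "Numerical Password:", not the 48-digit password under it
# (the password is what MBAM returns, not what it is searched by). A locked or missing volume
# produces an "ERROR:" line and no ID; fail here instead of querying SQL with an empty value,
# which is what later surfaces as "ADODB.Field: Either BOF or EOF is True".
function Get-NumericalPasswordId {
    param([string[]]$Lines)
    $err = $Lines | Where-Object { $_ -match '^\s*ERROR:' } | Select-Object -First 1
    if ($err) { throw "manage-bde reported an error for ${Volume}: $err" }
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i] -match '^\s*Numerical Password:\s*$' -and
            $Lines[$i + 1] -match '^\s*ID:\s*\{([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s*$') {
            return $Matches[1]
        }
    }
    throw "No Numerical Password protector found in manage-bde output for $Volume"
}

# Look the key up with a parameterized query (System.Data.SqlClient from the .NET Framework).
# The post's script concatenates the parsed value into the SQL text; passing it as a parameter
# keeps anything unexpected in BLInfo.txt from becoming SQL. NVarChar is used so the comparison
# behaves like the original quoted string literal whatever the column type is.
function Get-MbamRecoveryKey {
    param([string]$RecoveryKeyId)
    [void][guid]::Parse($RecoveryKeyId)      # second line of defence: it must be a GUID
    $cs  = "Server=$SqlServer;Database=$Database;User ID=$SqlLogin;Password=$SqlPassword"
    $con = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $cmd = $con.CreateCommand()
        $cmd.CommandText = 'SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID = @id'
        [void]$cmd.Parameters.Add('@id', [System.Data.SqlDbType]::NVarChar, 36)
        $cmd.Parameters['@id'].Value = $RecoveryKeyId
        $con.Open()
        $key = $cmd.ExecuteScalar()
    } finally {
        $con.Dispose()
    }
    if ($null -eq $key) {
        # Not a WinPE problem: the MBAM client agent has not escrowed this volume's key yet
        throw "RecoveryKeyID $RecoveryKeyId is not in $Database yet; check that the client agent has escrowed it"
    }
    return [string]$key
}

# Main: the volume comes from the parameter and the key goes only into the task sequence
# variable (no msgbox and no echo to the console, so it does not persist in smsts.log).
$output = @(& manage-bde.exe -protectors -get $Volume 2>&1 | ForEach-Object { $_.ToString() })
$id     = Get-NumericalPasswordId -Lines $output
$key    = Get-MbamRecoveryKey -RecoveryKeyId $id
$tsEnv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsEnv.Value('RecoveryKey') = $key
Write-Host "Stored recovery key for $Volume (protector ID $id) in task sequence variable RecoveryKey"
```

Run it as a Run PowerShell Script step in place of the WSF, keeping the same "Protected volume detected" condition from the post so it is skipped on unlocked drives; the following Unlock Bitlockered Drive step stays as written, since the key ends up in the same RecoveryKey variable. Because the connection string ships inside the boot image, the SQL login it uses should be able to do nothing beyond SELECT on RecoveryAndHardwareCore.Keys.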
