Posted on

You Lost the BitLocker Recovery Key?

Today I was asked for the BitLocker Recovery Key for a previous client. Since they’re not my client anymore that’s information that I don’t (and wouldn’t want to) have in my possession.

That begs the question;

“What do you do if you lost (or if nobody documented) the BitLocker Recovery Key”?

If you have administrator access to the running server, obtaining the key can be done from an Administrative Command Prompt with manage-bde.exe.

GETTING HELP

Typing the name of the executable with no parameters outputs the help file.

manage-bde

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

manage-bde[.exe] -parameter [arguments]

Description:
    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status     Provides information about BitLocker-capable volumes.
    -on         Encrypts the volume and turns BitLocker protection on.
    -off        Decrypts the volume and turns BitLocker protection off.
    -pause      Pauses encryption or decryption.
    -resume     Resumes encryption or decryption.
    -lock       Prevents access to BitLocker-encrypted data.
    -unlock     Allows access to BitLocker-encrypted data.
    -autounlock Manages automatic unlocking of data volumes.
    -protectors Manages protection methods for the encryption key.
    -tpm        Configures the computer’s Trusted Platform Module (TPM).
    -SetIdentifier or -si
                Configures the identification field for a volume.
    -ForceRecovery or -fr
                Forces a BitLocker-protected OS to recover on restarts.
    -changepassword
                Modifies password for a data volume.
    -changepin  Modifies PIN for a volume.
    -changekey  Modifies startup key for a volume.
    -upgrade    Upgrades the BitLocker version.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1…7A62067A512.bek

CHECKING DRIVE STATUS

To check the BitLocker status of all drives, type:

manage-bde -status

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [BARRETT]
[Data Volume]

    Size:                 14.50 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume G: [BARRETT32GB]
[Data Volume]

    Size:                 29.02 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Note: You may notice in the above example that the C: volume is not shown. That’s because on this PC BitLocker has not been setup yet.

OBTAINING AN EXISTING RECOVERY KEY

To output the key to the screen, just type the following:

manage-bde -protectors c: -get

(*Or whatever drive letter for which you need the key).

HOW DOES THAT WORK?

If you would like to know about the protectors and get flags, type:

manage-bde -protectors -get -h

Or you can check out more info on TechNet
https://technet.microsoft.com/en-us/library/ff829848.aspx

I hope that helps!

VN:F [1.9.20_1166]
Rating: 6.4/10 (5 votes cast)
Posted on

Download – Windows Security Audit Events Spreadsheet

Title: Windows Security Audit Events Spreadsheet
Published: 12/02/2015
Publisher: Microsoft Corporation
Version: November 2015
File name: WindowsSecurityAuditEvents.xlsx
Size: 70 KB
Download URL: Click here for download

Pop Quiz:

1) What’s the Event ID for an Account Lockout?

2) What about the Event ID denoting that permissions were changed on an object?

3) Or the Event ID for locking or unlocking a workstation?

Don’t worry, I can’t remember those off the top of my head either. And that usually means sifting through bookmarked links, PDFs or hitting Google to look it up.

Fortunately, Microsoft has an Excel spreadsheet detailing 412 different Event IDs related to Windows Security Audit Events. Those 400+ Event IDs are broken up into the following nine categories:

  • Account Logon
  • Account Management
  • Detailed Tracking
  • DS Access
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System

Another example but in this case physical casino security personnel will be on top of the barricades and they will be patrolling the building, like hvad er et pund i danske kroner.

In an unprecedented move, officials in the city of Valencia launched a national protest. The protest, attended by more than 30,000 people, was organized on social media across the country in support of the new law.

The protesters included representatives from local government districts, the local media, social media and religious institutions including faith clubs.

The spreadsheet also contains a tab with a complete description of the event message. This is a great tool for creating event monitors. Download and enjoy!

VN:F [1.9.20_1166]
Rating: 10.0/10 (2 votes cast)