
I am in need of help regarding the PowerShell command Enable-BitLocker.

The following code is an example:

# PIN for the TPM+PIN protector (example value only)
$pw = ConvertTo-SecureString "123456" -AsPlainText -Force

# Turn on BitLocker for the OS volume with a TPM+PIN protector; errors are suppressed
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -Pin $pw -TpmAndPinProtector -UsedSpaceOnly -SkipHardwareTest -ErrorAction SilentlyContinue

Start-Sleep 2

# Dump the key protectors to a text file (note: reads $env:HOMEDRIVE, not the $env:SystemDrive encrypted above)
(Get-BitLockerVolume -MountPoint $env:HOMEDRIVE).KeyProtector > $env:UserProfile\Desktop\BitLocker_Recovery_Key.txt

My problem is, the only output of this command is the following in BitLocker_Recovery_Key.txt:

KeyProtectorId      : {CC2206C6-1B69-4DC1-96FE-38EED6F576E1}
AutoUnlockProtector : 
KeyProtectorType    : TpmPin
KeyFileName         : 
RecoveryPassword    : 
KeyCertificateType  : 
Thumbprint          : 

My aim is to acquire the recovery password (the 48-character string) as a backup for my BitLocker encryption.

Thanks in advance!

V4riableZ
  • Is `-MountPoint $env:SystemDrive` & `-MountPoint $env:HOMEDRIVE` the same thing? I'm not sure at what point all attributes will be populated with the expected info but the actual encryption of a volume might take longer than 2 seconds. – notjustme Mar 01 '21 at 13:34
  • Hi, `$env:SystemDrive` is the environmental variable for where the operating system is installed; this script is globally used, therefore we assume the OS is not installed on C. – V4riableZ Mar 01 '21 at 13:53
  • I think you missed my point - you are enabling BitLocker on `$env:SystemDrive` and moments later you're trying to read KeyProtector from `$env:HOMEDRIVE`. – notjustme Mar 01 '21 at 13:58
  • Ah, I see it now. I've run the encryption again and replaced `$env:HOMEDRIVE` with `$env:SystemDrive`, but the output is the same. I've tried running the same command but with XtsAes256 and the results are the same: `KeyProtectorId : {Redacted} AutoUnlockProtector : KeyProtectorType : TpmPin KeyFileName : RecoveryPassword : KeyCertificateType : Thumbprint :` – V4riableZ Mar 01 '21 at 14:11
  • Help would be appreciated... Still can't retrieve the recovery password after using the command `(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector > $env:UserProfile\Desktop\BitLocker_Recovery_Key.txt` – V4riableZ Mar 01 '21 at 21:31
  • Still need an answer.... – V4riableZ Mar 02 '21 at 13:45

1 Answer

I managed to solve my own problem after reading the Microsoft documentation of BitLocker a little more thoroughly.

It seems I have done every step required to automate the process, but in order to receive a recovery key, we need to add a recovery password protector (do note that adding a recovery password protector does not require us to actually submit a password, but only to receive a recovery password and a numerical password). The process of receiving the password is achieved by invoking the following command with PowerShell.

Invoke-Expression "Manage-bde -protectors -add <drive of choice or $i if in a loop> -RecoveryPassword"

Admin rights are required to activate the protector. The following is the output of the command manage-bde -protectors -get <$i or drive letter>:

Volume : []
All Key Protectors

TPM And PIN:
  ID: 
  PCR Validation Profile:
    

Numerical Password:
  ID: id
  Password:
    password

Numerical Password:
  ID: id
  Password:
    password

Only then can we use a recovery key with our method.

Do note, Enable-BitLocker or manage-bde -on <drive or $i> does not automatically produce a recovery password; we need to add the recovery password protector.

V4riableZ
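The full sequence the answer describes, written as an added example rather than the asker's script: the recovery password protector is added with Add-BitLockerKeyProtector instead of manage-bde, encryption is turned on with TPM+PIN, and the 48-digit password is read back from the volume's KeyProtector list. It assumes an elevated session, a $Pin supplied by the caller, and a domain-joined machine for the Active Directory escrow step.

```powershell
# Added example (not the asker's script). Assumptions: run as administrator,
# $Pin is passed in by the caller, and the machine is domain-joined so that
# Backup-BitLockerKeyProtector can escrow the recovery password to AD DS.
param(
    [string]$Drive = $env:SystemDrive,
    [Parameter(Mandatory)][securestring]$Pin
)

# 1. Add the numerical (recovery password) protector. Enable-BitLocker accepts
#    only one protector type per call, so the second protector is added here.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 2. Turn on encryption with TPM+PIN as the unlock protector. -ErrorAction Stop
#    makes a failed enable abort the script instead of being silently skipped.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop

# 3. Read the recovery password back from the protector list. Only the
#    RecoveryPassword protector carries a value in the RecoveryPassword field.
$vol = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) { throw "No RecoveryPassword protector found on $Drive" }

# 4. Escrow each recovery protector to AD DS (assumed domain-joined).
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $kp.KeyProtectorId
}

# 5. Return protector IDs and passwords for whatever out-of-band store is used.
$recovery | Select-Object KeyProtectorId, RecoveryPassword
```

Writing the recovery password to a file on the same volume it protects leaves it unreadable exactly when it is needed, so keep the escrow step or copy the returned values off the device.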