How can I retrieve my BitLocker recovery key from MBAM in Windows PE

If you are using MDOP and BitLocker then you are more than likely aware of MBAM. Microsoft BitLocker Administration and Monitoring (MBAM) is a tool used, amongst other things, for storing the BitLocker recovery keys used in your Enterprise. This means that you can have a central repository for your MBAM client agents to talk to, and they find that repository via Group Policy settings.

To keep things simple: once your computers are BitLocker protected, have the MBAM client agent installed, and the MBAM Group Policy settings point to your MBAM server, the info (recovery key etc.) will make its way up to the MBAM database. This means that we can use a script in Windows PE to connect to the SQL server and pull the needed information. Why? During a Refresh (reinstallation of Windows) on your BitLockered computers, you need to unlock the BitLockered drive and then suspend protection (so that you can read/write), and to do so you need to provide the recovery key. To get this key we make a connection to the SQL database on the MBAM server and request the information.

First of all you’ll need a script, let’s call it Get_RecoveryKey_from_MBAM.wsf. Place the script in a sub directory of your Scripts dir in your MDT Toolkit Files package:

<job id="GetBitLockerKey">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript" src="..\ZTIDataAccess.vbs"/>
<script language="VBScript">

Dim ConString, SQL, RsTemp, RecoveryKeyID, RecoveryKey
Dim oEnv, WShell, fso, InfoFile, FileRow

Set oEnv=CreateObject("Microsoft.SMS.TSEnvironment")
Set WShell=CreateObject("WScript.Shell")
Set fso=CreateObject("Scripting.FileSystemObject")

' Dump the key protectors of the BitLockered drive (D: when seen from WinPE) to a text file
WShell.Run "%comspec% /C manage-bde.exe -protectors -get d: > x:\BLInfo.txt",1,true

' The line after "Numerical Password:" holds the protector ID, e.g.
'       ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
' That GUID is the RecoveryKeyID which MBAM stores alongside the recovery key.
Set InfoFile=fso.OpenTextFile("x:\BLInfo.txt")
Do While Not InfoFile.AtEndOfStream
    FileRow=InfoFile.ReadLine
    If InStr(FileRow,"Numerical Password")<>0 Then
        RecoveryKeyID=InfoFile.ReadLine
        Exit Do
    End If
Loop
InfoFile.Close

' Strip the leading spaces, "ID: " and the braces, leaving the 36-character GUID
RecoveryKeyID=Mid(RecoveryKeyID,12,36)

'PARAMETERS
' SQL login used from WinPE; note that the credentials sit in clear text in this script
ConString="Provider=SQLOLEDB.1;Data Source=mbam,1433;Initial Catalog=MBAM Recovery and Hardware;User ID=OSD;Password=Password123"

'MAIN
SQL="SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID='" &RecoveryKeyID &"'"
Set RsTemp=GetRs(SQL)
If RsTemp.EOF Then
    WScript.Echo "No record found in MBAM for RecoveryKeyID " &RecoveryKeyID
    WScript.Quit 1
End If
RecoveryKey=RsTemp("RecoveryKey")

' Hand the key to the task sequence as the variable %RecoveryKey%
oEnv("RecoveryKey")=RecoveryKey
' Interactive confirmation; remove for unattended runs
msgbox "RecoveryKey retrieved from MBAM is:" &RecoveryKey

Function GetRs(SQL)
    Dim Con, Rs
    Set Con=CreateObject("ADODB.Connection")
    Con.Open ConString
    Set Rs=Con.Execute(SQL)
    Set GetRs=Rs
End Function
</script>
</job>

OK, so what does this script do?

The script first runs manage-bde to read the ID of the Numerical Password protector on the BitLockered drive. It then makes a call to the SQL database on our MBAM server (Data Source=mbam), specifying the database (MBAM Recovery and Hardware) and the user/password we need to connect with (User ID=OSD;Password=Password123), like so:

ConString="Provider=SQLOLEDB.1;Data Source=mbam,1433;Initial Catalog=MBAM Recovery and Hardware;User ID=OSD;Password=Password123"

That protector ID is looked up in the RecoveryAndHardwareCore.Keys table, and the RecoveryKey that comes back is stored in a task sequence variable.

This requires SQL Server authentication to be enabled on the SQL server, i.e. SQL Server and Windows Authentication mode (mixed mode), so you’ll need to configure this on your MBAM server (right click on your SQL server in SQL Management Studio, choose Properties, then Security).

Attached Image: monthly_09_2011/post-1-0-73347100-1315309043.png

and configure the OSD user in SQL like so, with access to the MBAM Recovery and Hardware database:

Attached Image: monthly_09_2011/post-1-0-59481900-1315309829.png
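As an added example (not the original post's WSF script), here is the same lookup in PowerShell for a WinPE image that includes the PowerShell and .NET optional components: it finds the Numerical Password protector ID in the manage-bde output with a regular expression instead of a fixed Mid() offset, and queries MBAM with a parameterised query instead of string concatenation. The server name, database, table and OSD login are the ones used on this page; the password is a placeholder and the sample manage-bde output is constructed.

```powershell
# Added example, not the original post's WSF script. Assumes WinPE with the
# PowerShell and .NET optional components; server/db/login names follow the post.
function Get-NumericalPasswordId {
    param([string[]]$ManageBdeOutput)
    # The line after "Numerical Password:" carries the protector ID in braces;
    # that GUID is the RecoveryKeyID that MBAM stores with the recovery key.
    for ($i = 0; $i -lt $ManageBdeOutput.Count - 1; $i++) {
        if ($ManageBdeOutput[$i] -match 'Numerical Password:' -and
            $ManageBdeOutput[$i + 1] -match 'ID:\s*\{([0-9A-Fa-f-]{36})\}') {
            return $Matches[1]
        }
    }
    return $null
}

function Get-MbamRecoveryKey {
    param(
        [Parameter(Mandatory)][string]$RecoveryKeyId,
        # <sql-password> is a placeholder for the OSD SQL login's password
        [string]$ConnectionString = 'Server=mbam,1433;Database=MBAM Recovery and Hardware;User ID=OSD;Password=<sql-password>'
    )
    $con = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd = $con.CreateCommand()
    # Parameterised lookup: the ID never becomes part of the SQL text
    $cmd.CommandText = 'SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID = @id'
    [void]$cmd.Parameters.AddWithValue('@id', $RecoveryKeyId)
    try {
        $con.Open()
        $key = $cmd.ExecuteScalar()
    } finally {
        $con.Close()
    }
    if ($null -eq $key) { throw "No MBAM record for RecoveryKeyID $RecoveryKeyId" }
    return [string]$key
}

# Constructed sample of 'manage-bde -protectors -get d:' output for offline testing
$sample = @'
Volume D: [Windows]
All Key Protectors

    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

    TPM:
      ID: {66666666-7777-8888-9999-000000000000}
'@ -split "`r?`n"

$id = Get-NumericalPasswordId $sample
# In WinPE: $id = Get-NumericalPasswordId (manage-bde -protectors -get d:)
#           $key = Get-MbamRecoveryKey -RecoveryKeyId $id
#           $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment; $ts.Value('RecoveryKey') = $key
```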

In your Refresh task sequence you’ll need to add a few new steps to get the key from your MBAM server. The first step is called Get Recovery Key from MBAM SQL in WinPE.

Note: we only try to get the key if a Protected Volume (encrypted) is detected (guide here, see link 3 below).

Attached Image: monthly_09_2011/post-1-0-06966900-1315310331.png

Now that we have the key from MBAM, it has been placed in a task sequence variable called RecoveryKey. We unlock the drive using the following command in the next step, called Unlock Bitlockered Drive:

manage-bde -unlock d: -RecoveryPassword %%RecoveryKey%%

Attached Image: monthly_09_2011/post-1-0-15389500-1315310638.png

The next step simply suspends protection on the BitLockered drive:

manage-bde d: -protectors -disable

Attached Image: monthly_09_2011/post-1-0-02188600-1315310816.png

OK, that’s the explanation. How can you test it?

First of all you’ll need to deploy a computer with Windows 7 and BitLocker encryption on it. Once done, install the MBAM client agent on the computer (see link 2 below, or install it manually).

In addition to the above you’ll want MBAM configured (local Group Policies and MBAM server side). Once done, log in to your Windows 7 computer and start an administrative command prompt.

Type the following:

manage-bde -protectors -get c:

It will return something like the following if the drive is BitLockered:

Attached Image: monthly_09_2011/post-1-0-99641300-1315311375.png

The Password listed is our Recovery Key. To verify that this value is in our MBAM database, simply log in to the database using SQL Management Studio and expand the MBAM Recovery and Hardware database. Expand it so that you can see the tables and choose the RecoveryAndHardwareCore.Keys table. Right click the table and choose Select Top 1000 Rows. Verify that the password revealed from our Windows 7 command prompt is present in our MBAM database.

Attached Image: monthly_09_2011/post-1-0-07889800-1315311764.png

As you can see from the screenshot, the RecoveryKey is indeed listed, which means you are now ready to test the script in WinPE and to test a Refresh scenario! If the key does NOT appear (the MBAM client agent can take time to send this info, up to 90 minutes or more…), simply restart the MBAM client agent service (BitLocker Management Client Service) on your Windows 7 client, wait a minute and try again.

Attached Image: monthly_09_2011/post-1-0-13308100-1315311850.png

Good luck!

Related reading:

1. Microsoft BitLocker Administration and Monitoring (MBAM) – http://www.microsoft…/mdop/mbam.aspx

2. Deploying the MBAM agent using ConfigMgr – http://technet.micro…indows/hh328534

3. How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE? – http://myitforum.com…e-in-winpe.aspx

4. Is the TPM Chip Enabled or Disabled in the BIOS on my Dell system? – http://myitforum.com…ell-system.aspx

5. How can I determine if there’s a TPM chip on my Dell system needed for BitLocker? – http://myitforum.com…-bitlocker.aspx

Original post here
