BitLocker Key #5670

Closed
arduin0guru opened this issue Jan 6, 2024 · 19 comments · Fixed by #5671

Comments

@arduin0guru

Is there any way we can save the BitLocker key to the MeshCentral server from the agent?

@si458
Collaborator

si458 commented Jan 6, 2024

If you can find a way to get it either via registry/WMI/PowerShell, then I can implement it, but as far as I'm aware, no, as that would avoid security

@dinger1986
Contributor

@si458
Collaborator

si458 commented Jan 6, 2024

thanks for the hint @dinger1986! but I agree it's more of an RMM feature
it was simple enough to implement, but I don't think I'll put a GUI option in anywhere
Screenshot 2024-01-06 at 13-49-09 SiVivobook - testgroup - MyRemoteAgent

@arduin0guru
Author

Customers lose data when they don't have the recovery key with a dead PC. We don't have many options either.

@Simon4711

I've just updated to 1.18, but if I want to check the bitlocker recovery password with sysinfo in the meshagent console of a client, the output is empty.

"C": {
"name": "",
"type": "NTFS",
"size": "214103486464",
"removable": false,
"volumeStatus": "FullyEncrypted",
"protectionStatus": "On",
"recoveryPassword": ""
},

In the terminal the output of
manage-bde -protectors -get C:
is o.k. and the recovery key is shown.

Or did I misunderstand the new BitLocker in sysinfo?

@si458
Collaborator

si458 commented Jan 14, 2024

No no, if it's showing the recoveryPassword option then you have the latest version?
It might be your output is different to mine!
Can you please run with admin cmd.exe manage-bde -protectors -get C -Type recoverypassword and share output? Hide keys with XXXXXX

Also same command but without -type recoverypassword

@Simon4711

@si458

manage-bde -protectors -get C: -Type recoverypassword
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.

Volume "C:" []
Schlüsselschutzvorrichtungen vom Typ "Numerisches Kennwort"

Numerisches Kennwort:
  ID: {8353E458-AAD3-4AE3-A800-EE84F779204D}
  Kennwort:
    xxxxx-

manage-bde -protectors -get C:
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.

Volume "C:" []
Alle Schlüsselschutzvorrichtungen

TPM:
  ID: {7735E13D-74A1-4559-8764-4A8A359AA825}
  PCR-Validierungsprofil:
    0, 2, 4, 11

Numerisches Kennwort:
  ID: {8353E458-AAD3-4AE3-A800-EE84F779204D}
  Kennwort:
    xxxxx-

and this here is the sysinfo again from the console in meshcentral:
"C": {
"name": "",
"type": "NTFS",
"size": "214103486464",
"removable": false,
"volumeStatus": "FullyEncrypted",
"protectionStatus": "On",
"recoveryPassword": ""
},

I restarted the meshagent service in Windows before, it's not changing the sysinfo output.

@si458
Collaborator

si458 commented Jan 15, 2024

@Simon4711 oh poo, your cmd.exe isn't English!?
That's going to be a pain!?
Erm... not sure how to fix that then? Would need to find a way of getting it to convert into English

@si458
Collaborator

si458 commented Jan 16, 2024

@Simon4711 can you please run this command and see if it returns the language in English for me?
chcp 437 & manage-bde -protectors -get C: -Type recoverypassword

@Simon4711

Sorry, I've no English server. Here is the output.
chcp 437 & manage-bde -protectors -get C: -Type recoverypassword
Aktive Codepage: 437.
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.

Volume "C:" []
Schlüsselschutzvorrichtungen vom Typ "Numerisches Kennwort"

Numerisches Kennwort:
  ID: {8353E458-AAD3-4AE3-A800-EE84F779204D}
  Kennwort:
    xxxxxxx-xxxxx....

Translation from Google Translator is:

chcp 437 & manage-bde -protectors -get C: -Enter recovery password
Active code page: 437.
BitLocker Drive Encryption Configuration Tool, version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume “C:” []
Numeric password type key protectors

Numeric password:
  ID: {8353E458-AAD3-4AE3-A800-EE84F779204D}
  Password:
    xxxxxxx-xxxxx....

@si458
Collaborator

si458 commented Jan 17, 2024

Erm sadly that's going to be a pain then and no fix apart from what it is like at the moment,
I'm not sure of another way to get the recovery key then as it's not stored in the registry and you need to use that command to get it
But if the command doesn't return English, I would have to keep a translation of every phrase for 'numeric password' and 'password' just to retrieve the key!
I'm sorry about this...

@si458 si458 closed this as completed Jan 17, 2024
@si458
Collaborator

si458 commented Jan 17, 2024

@Simon4711 can you just try one more thing for me please? in case it's a user display issue
can you go to a machine in MeshCentral,
on the General tab, click RUN,
then select 'Windows Command Prompt'
then select 'Run As Agent'
then select 'Commands from text box'
then enter chcp 437 & manage-bde -protectors -get C: -Type recoverypassword into the text box and click 'OK'
then wait about 5 seconds, and then go to the Console Tab, then check its output?
does it still show in there the output in German or is it now English?

@Simon4711

Simon4711 commented Jan 18, 2024

Still German, but it's o.k. So the feature doesn't exist in German Windows, but I can live without it ;) It's the same in Win10, Win11, WinServer 2019.

@JSkolnik

Is it possible to set the output visible somewhere in the dashboard? For example, in the Details tab?

@si458
Collaborator

si458 commented Jan 27, 2024

@JSkolnik I didn't really want to do that because I wasn't sure where to put it or HOW to display it?
but if you can mock up a pic of how you think it should be shown and where, I can look at it for you?
(I was thinking originally of just showing XXXXXXXX then a little eye symbol to reveal it, as it's not really needed for day to day operation)

@JSkolnik

@si458 The use case when recovery keys are needed is when the device is offline - for example after a bad BIOS update, motherboard replacement, etc. Often the HW vendor has TPM enabled by default, and most people do not know about the recovery key.
It could be optional as a feature to add to the dashboard. Sysconfig loads the keys, they would have to be stored in the database. The display could be Recovery key: XXX and re-enter the password to the MeshCentral account to display.

@si458
Collaborator

si458 commented Jan 27, 2024

@JSkolnik yeah that's a problem, currently the recovery key is only gotten IF the device is ONLINE, it doesn't store that information INTO the database, so I would have to look into HOW the data is stored in the database, to then add to it,
can you open a new enhancement issue for me please? just explain you would like it visible for OFFLINE
(I hadn't thought about what if the person DIDN'T know they had BitLocker enabled, but you had meshagent installed! your tech guys would know the key if anything happened to say the BIOS goofing up and it then asking for the BitLocker key!)

@si458
Collaborator

si458 commented Jan 28, 2024

@Simon4711 I'm just fixing a bug with BitLocker which wasn't returning keys correctly if multiple drives,
then I remembered you had a problem because you use a German language
I then found this article about changing cmd language to English here
but weirdly enough, they even have notes saying German installs of Windows 10 and up DON'T INCLUDE ENGLISH AT ALL!!!
so I have included a checker for the word Kennwort and Numerisches Kennwort so fingers and toes it should work now for you!
so if you want you can pull the latest computer-identifiers.js file, replace it, restart MeshCentral, wait about 2 mins, then try again?
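
Added example, not part of the thread and not MeshCentral's code: instead of matching translated labels such as "Kennwort", this parser keys on the shape of the data, which does not change with the display language. A recovery password is eight groups of six digits, each group a multiple of 11, and the protector ID is a braced GUID. The function names are hypothetical and the sample output, GUIDs and digits are constructed placeholders.

```javascript
// Constructed German-language sample modelled on the output quoted above.
// The GUIDs and the 48-digit password are placeholders, not real protectors.
const SAMPLE_DE = [
  'BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.17763',
  'Volume "C:" []',
  'Alle Schlüsselschutzvorrichtungen',
  '',
  '    TPM:',
  '      ID: {00000000-0000-0000-0000-000000000001}',
  '      PCR-Validierungsprofil:',
  '        0, 2, 4, 11',
  '',
  '    Numerisches Kennwort:',
  '      ID: {00000000-0000-0000-0000-000000000002}',
  '      Kennwort:',
  '        111111-222222-333333-444444-555555-666666-000000-123453',
].join('\r\n');

const GUID_RE = /\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}/;
const PASSWORD_RE = /^\s*(\d{6}(?:-\d{6}){7})\s*$/;

// Each 6-digit group encodes a 16-bit value multiplied by 11, so a
// well-formed group is divisible by 11 and no larger than 65535 * 11.
// This rejects other digit runs that merely look like a password.
function isWellFormedRecoveryPassword(pw) {
  return pw.split('-').every((group) => {
    const n = Number(group);
    return n % 11 === 0 && n / 11 <= 0xffff;
  });
}

// Returns [{ id, recoveryPassword }] without reading any localized label:
// a GUID line opens a protector, the next well-formed password closes it.
// Protectors with no password (e.g. TPM) are skipped by the next GUID.
function parseRecoveryProtectors(output) {
  const found = [];
  let currentId = null;
  for (const line of output.split(/\r?\n/)) {
    const guid = line.match(GUID_RE);
    if (guid) { currentId = guid[0]; continue; }
    const pw = line.match(PASSWORD_RE);
    if (pw && currentId && isWellFormedRecoveryPassword(pw[1])) {
      found.push({ id: currentId, recoveryPassword: pw[1] });
      currentId = null;
    }
  }
  return found;
}
```

Because the result is the volume's recovery secret, a caller should treat it like a credential: keep it out of logs and restrict who can read it once it leaves the endpoint.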

@si458
Collaborator

si458 commented Jan 29, 2024

input on this please people #5746
