Resolving the CrowdStrike issue required only booting the computer from WinRE or WinPE to delete the faulty driver. This can be automated with a simple batch file on a USB stick.
However, if the system drive is encrypted with BitLocker, it must first be unlocked with the 48-digit recovery password. Provided the recovery passwords have been backed up to Active Directory, the most time-consuming part of this process is looking up the right password there and typing it in on every affected machine.
Copying recovery passwords to a USB stick
To streamline the process, export the passwords from Active Directory to a CSV file and copy it to a bootable WinPE USB stick. The WinPE image must contain the optional components for PowerShell (WinPE-WMI, WinPE-NetFx, WinPE-Scripting and WinPE-PowerShell) as well as WinPE-SecureStartup, which provides manage-bde and BitLocker support in WinPE, so that the unlock script can run.
The stick then carries a plaintext copy of every exported recovery password, so keeping it out of the wrong hands is crucial: treat it like a domain-wide key, hand it only to the technicians doing the recovery, and wipe it as soon as the work is done. Because the exposure affects every password in the CSV, not only the ones actually typed in, rotate the recovery passwords of all exported computers afterwards and back the new ones up to Active Directory.
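The following script builds such a stick. It is an added example and not part of the original article; it assumes the Windows ADK and its WinPE add-on are installed in the default location, that it runs in an elevated "Deployment and Imaging Tools Environment", that the USB stick is F:, and that the CSV and the unlock script (here called Unlock-BitLocker.ps1) already exist in C:\Recovery-Tools. The ADK path, the drive letter and the folder name are assumptions.

```powershell
# Added example: build a 64-bit WinPE USB stick with PowerShell and BitLocker support.
# Assumed paths (adjust to your ADK installation and stick):
$adk   = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit'
$ocs   = "$adk\Windows Preinstallation Environment\amd64\WinPE_OCs"
$work  = 'C:\WinPE_amd64'          # working directory created by copype
$mount = "$work\mount"             # copype creates this mount folder
$usb   = 'F:'                      # the USB stick; MakeWinPEMedia formats it

# 1. Create the working copy of the WinPE files
copype amd64 $work

# 2. Mount boot.wim and add the optional components. Order matters: WinPE-PowerShell
#    depends on WMI, NetFx and Scripting, and WinPE-SecureStartup (manage-bde, BitLocker)
#    depends on WMI. Each component is followed by its en-us language pack.
Dism /Mount-Image /ImageFile:"$work\media\sources\boot.wim" /Index:1 /MountDir:$mount
foreach ($pkg in 'WinPE-WMI','WinPE-NetFx','WinPE-Scripting','WinPE-PowerShell','WinPE-SecureStartup') {
    Dism /Image:$mount /Add-Package /PackagePath:"$ocs\$pkg.cab"
    Dism /Image:$mount /Add-Package /PackagePath:"$ocs\en-us\${pkg}_en-us.cab"
}
Dism /Unmount-Image /MountDir:$mount /Commit

# 3. Write the media to the stick (/f suppresses the format confirmation) and copy
#    the recovery files next to each other so the unlock script finds the CSV via $PSScriptRoot
MakeWinPEMedia /UFD /f $work $usb
Copy-Item 'C:\Recovery-Tools\BitLocker-PW.csv', 'C:\Recovery-Tools\Unlock-BitLocker.ps1' -Destination "$usb\"
```

After booting from the stick, start the script from the WinPE command prompt with `powershell -ExecutionPolicy Bypass -File <stick>:\Unlock-BitLocker.ps1`; the stick's drive letter in WinPE is not fixed, which is why the script should locate the CSV relative to its own path rather than hard-coding a letter.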
Extracting passwords and GUIDs
Using PowerShell, authorized users can retrieve recovery passwords from Active Directory, where each one is stored as an msFVE-RecoveryInformation object beneath the computer account, with the password in the msFVE-RecoveryPassword attribute and its ID in msFVE-RecoveryGuid. Exporting these GUIDs is crucial: manage-bde reports the same ID for the recovery password protector on the drive, and that is how the unlock script later picks the right password for a specific computer. Reading msFVE-RecoveryPassword requires explicit permission (by default, Domain Admins or an account it has been delegated to).
The following script exports the recovery passwords of all computers from Active Directory into a file named BitLocker-PW.csv:
# Requires the ActiveDirectory module (RSAT) and read access to msFVE-RecoveryPassword.
# msFVE-RecoveryGuid is stored as a byte array; [guid] converts it to the same string
# form that manage-bde prints as the protector ID, so the two can be compared later.
Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} `
    -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword |
  Select-Object @{n='GUID';e={[guid]::new([byte[]]$_.'msFVE-RecoveryGuid')}},
                @{n='Password';e={$_.'msFVE-RecoveryPassword'}} |
  Export-Csv -NoTypeInformation -Path BitLocker-PW.csv -Encoding ASCII
Export recovery passwords, including GUID from the AD
If necessary, you can restrict the query to an OU by adding -SearchBase, in this example Sales; the rest of the pipeline stays the same:
Get-ADObject -SearchBase 'OU=Sales,DC=contoso,DC=com' `
    -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword
Provision unlock PowerShell script
On the WinPE drive, you will need a script that reads the ID of the recovery password protector on the locked volume, looks up the matching password in the CSV file, and uses it to unlock the drive. Note that WinPE assigns its own drive letters: the locked Windows volume is usually C:, but confirm this with manage-bde -status before relying on it.
The GUID can be found using the following command:
manage-bde -protectors -get C: -Type RecoveryPassword
The GUID is buried in a lengthy output and needs to be extracted and cleaned using a regular expression.
Query the GUID for a password using manage-bde
Here is the full PowerShell script to unlock the BitLocker-encrypted drive:
# Drive letter of the locked Windows volume as seen from WinPE (check with manage-bde -status)
$drive = 'C:'

# Collect the IDs of all recovery-password protectors on the volume. manage-bde prints
# each one as "ID: {GUID}"; the capture group keeps only the GUID between the braces,
# and a volume may carry more than one such protector.
$ids = manage-bde -protectors -get $drive -Type RecoveryPassword |
    Select-String -Pattern 'ID:\s*\{([0-9A-Fa-f-]{36})\}' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# Look up the password in the CSV that sits next to this script. -contains compares
# case-insensitively, so the upper-case GUIDs printed by manage-bde match the
# lower-case ones written by Export-Csv.
$RecPW  = Import-Csv -Path (Join-Path $PSScriptRoot 'BitLocker-PW.csv')
$RecKey = $RecPW | Where-Object { $ids -contains $_.GUID } | Select-Object -First 1
if (-not $RecKey) { throw "No recovery password in the CSV for protector ID(s): $($ids -join ', ')" }

# Unlock the drive with the 48-digit recovery password
manage-bde -unlock $drive -RecoveryPassword $RecKey.Password
Unlock drive C from Windows PE via script
Once the C: drive is unlocked from a Windows PE environment, you can enhance the script with additional commands, such as removing a faulty driver, as demonstrated in the CrowdStrike example.
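Once a machine boots into Windows again, the recovery password that sat on the stick should be treated as exposed and replaced, as recommended earlier. The following script is an added example and not part of the original article; it uses the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later, and assumes it runs elevated, in full Windows, on a domain-joined computer whose account is allowed to write msFVE-RecoveryInformation objects to Active Directory (the same prerequisite as the normal recovery-password backup). The mount point C: is an assumption.

```powershell
# Added example: rotate the recovery password of the OS volume and escrow the new one to AD.
Import-Module BitLocker
$mountPoint = 'C:'   # assumed OS volume

# Remember the protector(s) whose passwords were exported to the CSV
$vol = Get-BitLockerVolume -MountPoint $mountPoint
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 1. Add a fresh 48-digit recovery password; BitLocker generates it and returns the volume
$vol = Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
}

# 2. Escrow the new protector to Active Directory first. -ErrorAction Stop aborts the
#    script if the backup fails, so the machine never ends up with a recovery password
#    that is on file nowhere.
Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop

# 3. Only now remove the exposed protector(s)
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $p.KeyProtectorId
}
"Rotated recovery password on $mountPoint; new protector ID $($new.KeyProtectorId)"
```

Run this on every computer whose password was in the exported CSV, not only on the ones that were actually unlocked from the stick, for example through Invoke-Command or a startup script; the order (add, back up, then delete) is deliberate, because deleting the old protector before the new one is escrowed would leave the volume without a recoverable password if the backup fails.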
Conclusion
BitLocker can become an obstacle when an update or faulty program causes widespread issues, rendering numerous computers unusable and requiring manual intervention.