Remotely BitLocking

In a corporate IT environment it is very common to use the BitLocker Drive Encryption (BDE) technology to prevent data from being read if a drive is stolen.

Remember that if an unencrypted drive is stolen from a machine and connected to a foreign computer, the attacker can most likely access all the content of the drive, regardless of the fact that users logged in with secure passwords.

The BDE technology encrypts the disk, so when the disk is connected to another machine it must first be decrypted before data can be read from it.
Another feature of BDE is that you can lock it with a PIN that the user is asked for before Windows loads, so it acts as a sort of two-factor authentication. Strictly speaking, the two factors should not both be things the user knows (in this case they are both passwords), but this is an additional security layer several companies like to add.

For IT professionals, being able to reset or change the PIN remotely is a useful feature.
It is commonly thought that this must be done using remote screen control or some kind of remote execution tool, but in reality the BDE suite comes with a full set of command-line interfaces that have built-in remote capabilities.

In this specific case, changing the PIN remotely is as simple as the following example:

C:\WINDOWS\system32>manage-bde -changepin c: -computername hostname

Where:

  • manage-bde -changepin
    is the main tool for controlling BDE; you can learn more in the Manage-bde.exe Parameter Reference
  • c:
    is the letter of the drive whose BDE you want to manage
  • -computername hostname
    is the parameter indicating that you want to operate on a remote machine whose name is hostname

The result of this command will be

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Computer Name: hostname

Type the new PIN: ******
Confirm the new PIN by typing it again:******

where you need to enter and re-enter the new PIN for confirmation, and finally

Your PIN has been successfully updated.

It is worth noting, even if this is quite obvious, that this command must be entered from an elevated command prompt where you have administrative permissions on the remote machine.
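
The same procedure for several machines, as an added example that is not part of the original post: a PowerShell wrapper that first checks that the remote volume actually has a PIN protector and only then runs the -changepin command shown above. The host names are placeholders; the "TPM And PIN" label (English-language output) and a non-zero exit code on failure are assumptions about manage-bde's behaviour.

```powershell
# Added example, not from the original post.
# Run from an elevated prompt with administrative rights on every target machine.
param(
    [string[]]$ComputerName = @('hostname1', 'hostname2'),  # placeholder names
    [string]$Drive = 'c:'
)

foreach ($computer in $ComputerName) {
    # Read-only query: list the key protectors configured on the remote volume.
    $protectors = & manage-bde.exe -protectors -get $Drive -computername $computer 2>&1

    # Assumption: manage-bde returns a non-zero exit code when the query fails
    # (machine unreachable, access denied, volume not protected by BitLocker).
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$computer : cannot query BitLocker on $Drive (exit code $LASTEXITCODE)"
        continue
    }

    # Assumption: English output, where a PIN protector is listed as "TPM And PIN".
    # Without one there is no PIN to change, so skip instead of failing mid-prompt.
    if (-not ($protectors -match 'TPM And PIN')) {
        Write-Warning "$computer : $Drive has no TPM And PIN protector, skipping"
        continue
    }

    # Interactive step: manage-bde prompts for the new PIN and its confirmation,
    # so the PIN never appears in this script, its arguments or its output.
    & manage-bde.exe -changepin $Drive -computername $computer

    if ($LASTEXITCODE -eq 0) {
        Write-Output "$computer : PIN updated on $Drive"
    } else {
        Write-Warning "$computer : PIN change failed (exit code $LASTEXITCODE)"
    }
}
```

Because the PIN is typed at the prompt for each machine, it is not stored in command history or in the script itself.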
