Unlock Bitlocked data drive as standard user on the command line

I have a Windows 10 Pro PC, no domain, I don't use BitLocker on the system drive but have encrypted some fixed data drives using BitLocker and a password (no TPM).

When I like to unlock these drives I can select them in File Explorer and choose Unlock Drive..., after entering my password the drive is decrypted and I can use it.

Because I have a few of these drives with the same password I wrote a script to unlock all them at the same time.

Unlock-BitLocker -MountPoint X: -Password $myPassword

This works fine when executed as an elevated administrator, but when I run the script as my normal standard user it fails:

Get-CimInstance : Access denied

WBEM_E_ACCESS_DENIED (0x80041003) Current user does not have permission to perform the action.

I assume both File Explorer and the PowerShell BitLocker module use the same Win32 API, why does one work as a standard user and the other one doesn't?

When using:

manage-bde –unlock E: -rp password

I get:

BitLocker Drive Encryption: Configuration Tool version 10.0.14393
ERROR: An attempt to access a required resource was denied.
Check that you have administrative rights on the computer.

Using Process Monitor, I can see access is denied to the following registry key:

HKLM\Software\Microsoft\WBEM\CIMOM

I also found out the File Explorer content menu calls the executable:

%systemroot%\System32\bdeunlock.exe

which displays the little popup window to enter the password.

When using bdeunlock.exe no access to HKLM\Software\Microsoft\WBEM\CIMOM is shown in Process Monitor. So it seems it unlocks the drive without accessing that key.

It looks that both the PowerShell cmdlets and manage-bde.exe use WMI:

Get-CimInstance
-Namespace "root\cimv2\Security\MicrosoftVolumeEncryption"
-ClassName Win32_EncryptableVolume

and a standard user does not have access to this.

But bdeunlock.exe may use the function FveOpenVolumeW in FVEAPI.dll (Bitlocker API file) directly without using WMI first.

Is there a way to unlock a Bitlocked fixed data drive on the command line as a standard user?

Peter Hahndorf

Posted 2016-09-22T14:27:46.270

Reputation: 10 677

The permission File Explorer and PowerShell command prompt, have by default are different, which is the reason your script isn't working While the end result of the explorer menu item, Unlock Drive, and the PowerShell commandlet Unlock-Bitlocker are the same how they go about doing it is different. – Ramhound – 2016-09-22T14:46:54.667

@Ramhound - I can see they're doing something different otherwise I wouldn't have this discrepancy. But I don't buy that they have different permissions, do you have any proof for that claim? – Peter Hahndorf – 2016-09-22T15:10:14.560

1My proof is my 20+ years of programming experience on Windows and understanding the default process permissions of both the PowerShell command prompt unles elevated and File Explorer and the exact nature of how that context menu works. I am not prepared to say, without a shadow of a doubt, it isn't possible to achieve what you want though. Which is the reason I have not submitted an answer saying, that what you want, is not possible. – Ramhound – 2016-09-22T15:12:39.977

Hmm, I’ve been programming on Windows NT for a bit longer than 20 years and this is the first time I hear that the permission of a shell context menu entry are different from a console app. I’m seriously curious why that would be. – Peter Hahndorf – 2016-09-22T15:20:22.190

That explaination would require more then 600 characters, likely around 1800 characters, and not something I am prepared to even attempt to do for another 48 hours. In a single sentence, its the difference between the PowerShell environment, and how the context menu interacts with manage-bde.exe – Ramhound – 2016-09-22T15:26:21.660

Verify that in an non-elevated command prompt that, manage-bde –unlock E: -rp password unlocks the mounted drive without elevated permissions. If the drive letter is X use that instead. – Ramhound – 2016-09-22T15:31:53.957

@Ramhound - Thanks for your input so far, I added more details to the question, the suggested command also results in an access denied. – Peter Hahndorf – 2016-09-22T15:56:16.590

@Homey_D_Clown_IT - Thanks, but what you suggest just changes the way I call Unlock-BitLocker but in the end it runs the same cmdlet, and it gives me the same Access Denied error. – Peter Hahndorf – 2016-09-25T08:37:00.533

@Homey_D_Clown_IT - That just starts the script elevated which works but is exactly what I don't want to do. The question is how to do this as a standard user. – Peter Hahndorf – 2016-09-25T08:49:16.547

Pete - How about if you grant the standard user or some group they are in explicit access to the WMI path as you found from wmimgmt.msc.... would that satisfy your need if that would work doing it this way to allow the standard / non-local admin the ability to run the non-elevated script for access to the root\cimv2\Security\MicrosoftVolumeEncryption namespace? Look here: https://technet.microsoft.com/en-us/library/cc771551(v=ws.11).aspx

– Pimp Juice IT – 2016-09-25T08:50:48.527

Look at this screen shot for what I'm talking about for granting the standard user account explicit permission via wmimgmt.msc https://i.imgur.com/7HT4Udi.png

– Pimp Juice IT – 2016-09-25T08:58:00.730

@Homey_D_Clown_IT - Giving execute methods permission on the WMI object got me over the first access denied error. But then I got the next one. I'm currently debugging the BitLocker PowerShell module, I'm getting an access denied on the second KeyProtector. – Peter Hahndorf – 2016-09-25T09:24:38.823

In the PowerShell BitLocker module, a standard user does not have access to the recovery password but to the normal password. So changing one line in the module now allows my standard user to unlock the drive. But of course this is not really an option. I could make a copy of that module and use it instead. And yes is not an option on my UAC prompt, I have to enter a long password as I am a standard user. But I see your point. I guess I will write an answer myself to explain all this. – Peter Hahndorf – 2016-09-25T09:46:09.960

You could run your script as a scheduled task for after your logon, running as administrator – harrymc – 2016-09-25T18:07:30.193

@harrymc - that may work, but I don't want an automated unlocking of the bitlocked drives, I still want the user to enter the password. If running as scheduled task, I would have to store the whole password somewhere like in the credential manager of the administrator. The administrator should not even know the password for the bitlocked drives. – Peter Hahndorf – 2016-09-25T20:51:38.197

@Homey_D_Clown_IT - If you want the bounty, write a quick answer about the WIM permissions. It helped me finding a solution. – Peter Hahndorf – 2016-09-29T12:17:44.073

Answers

Continuing my research I explained in the question itself, I further looked into this.

Using the PowerShell cmdlet Unlock-Bitlocker because its code is available in clear-text on every Windows machine.

The first error during the execution of the cmdlet happens while calling:

Get-CimInstance 
 -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
 -ClassName Win32_EncryptableVolume

I get an Access Denied

@Homey_D_Clown_IT suggested to change the security on the WIM object in question, to do that, open wmimgmt.msc, right click on the WMI Control (Local) node on the left and click Properties. Select the Security tab and then find the object Root\CIMV2\Security\MicrosoftVolumeEncryption, click the Security button. Add a group or user you want to allow unlocking the bitlocked drives. Check the Allow Execute Methods permission.

After this has been done, the standard user can use the manage-bde.exe tool to unlock the drive:

manage-bde -unlock X: -pw

the problem is, this prompts the user for the password and I have four drives to unlock at this time and I would prefer to enter the password only once.

Using the Unlock-Bitlocker cmdlet in PowerShell now gets passed the previous error, but displays another one:

Access Denied in Get-BitLockerVolumeInternal...

Looking into the code of the PowerShell module it breaks at a time where the code tries to access the recovery password which can only be done by an administrator. If I change the code to ignore that error and just continue rather than breaking, it works fine.

But this is a bad hack, because I had to take ownership of the module file, change permissions and then edit the code. All things I should not do with a Windows System file, plus the next time Microsoft updates that PowerShell module, my change will be overwritten.

One solution is to copy the relevant code pieces into my own PowerShell module and use that one instead. That may not even be legal.

Another solution is to remove the recoverypassword:

manage-bde -protectors -delete X: -type recoverypassword

This only leaves me with a single protector for the Bitlocked drive, the normal password.

Why it is a good idea to remove the recovery-password from a fixed data drive encrypted with BitLocker?

Any administrator can see the recovery password and use it to decrypt the drive, WFT!

My whole point was to protect the data on the drives from other people. Someone could steal my PC, boot into a live-CD linux and get access to an administrator account on my Windows installation.

After I removed the recovery passwords, I can use the original Unlock-Bitlocker cmdlet as a standard user to unlock my drives. I still needed to change the permissions on the WMI object as described above.

Edit: After a Windows 10 update, in this case to 14939.222 the permission on the root\cimv2\Security\MicrosoftVolumeEncryption were reset and I had to change them again. So this doesn't seem to be a permanent solution after all.

Because of this resetting by Windows Update, I decided to script the change for the WMI permission. I'm using Set-WmiNamespaceSecurity.ps1 which is available in this Microsoft Blog Post, then I can use:

.\Set-WmiNamespaceSecurity.ps1 -namespace "root/cimv2/Security/MicrosoftVolumeEncryption" -operation add -account MyUserName -permissions  MethodExecute,Enable

Peter Hahndorf

Posted 2016-09-22T14:27:46.270

Reputation: 10 677

You could grant the standard user or a security group they are a member of the explicit access to the WMI object per the path as you found from wmimgmt.msc.

This way you do not need to give the account local admin or elevated permissions, and they'd just have the exact and explicit access they need to the correlated WMI namespaces as needed and nothing further—minimum necessary permissions to perform the operation.

Instructions

Press +R, type in wmimgmt.msc and press Enter. Right-click on the WMI Control (Local) option to the left, and then select Properties.

Go the Security tab from the properties windows and then expand the Root to namespace to the specific WMI namespace object(s) you need to grant the access to explicitly.

Once you have the applicable WMI Namespace object highlighted, from there you will select the Security option from the lower right-hand side of the properties windows and add in the user account or security groups accordingly, and also grant and set the applicable permissions as needed.

Screen Shot Example

Further Resources

Authorize WMI users and set permissions

Pimp Juice IT

Posted 2016-09-22T14:27:46.270

Reputation: 29 425

After doing this a standard user can use manage-bde -unlock X: -pw to unlock a drive. As this helped me finding the accepted answer, I award the bounty to this answer. – Peter Hahndorf – 2016-09-29T14:22:07.880

This change only persists until the next Windows update, I explained how to script this change in my answer. – Peter Hahndorf – 2016-10-03T07:42:47.150

In view of the above discussion, I can see two solutions :

Write a C/C++/C# program that does the mounts by using the APIs that you found
Write scripts (that need admin permission).

For the second point, I can see one (somewhat cumbersome) method for a standard user to launch a script as admin, assuming that you do have access to the admin account but do not want to use it for everyday use.

The idea is to use a scheduled task that will execute repeatedly as admin every minute after logon and will check for the presence of a file that will contain the BitLocker key, and only act if the file exists. Such a trigger will not use too many resources and will not slow down the computer.

The discussion below uses DOS command syntax, but if needed, PowerShell has similar functionality.

If the key-containing file is in /path/to/keyfile.txt, the scheduled task trigger for unlocking will be similar to this .bat script :

if exists "/path/to/keyfile.txt" (
  type "/path/to/keyfile.txt" | your-unlock-command-1
  type "/path/to/keyfile.txt" | your-unlock-command-2
  del "/path/to/keyfile.txt"
)

To start the trigger, create the file via another script that will run under a standard user account :

set /P key=Enter key:
if %key% neq '' echo %key% > "/path/to/keyfile.txt"

Details on these DOS commands can be found in the article :
An A-Z Index of the Windows CMD command line

harrymc

Posted 2016-09-22T14:27:46.270

Reputation: 306 093

I'm afraid you can't do this with running script as yourself, unless you completely disable UAC on your computer. However, if your question is related to simplify usage of your script I found a solution some time ago and I'm using it every single time when I need to run scripts with elevated permissions.

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) 
{   
    $arguments = $myInvocation.mycommand.definition
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break 
}

After inserting this code on the beginning of a script it will automatically rerun script with elevated permissions, passing again all its arguments to new "elevated instance".

hagier

Posted 2016-09-22T14:27:46.270

Reputation: 197

I looked into the process using Process Monitor to find out what Windows Explorer exactly does when selecting "Unlock Drive" in the Gui. It happens to launch bdeunlock.exe followed by the drive letter. This appears to be an app that prompts for the password. This works using standard user permissions.

Jo Jacobs

Posted 2016-09-22T14:27:46.270

Reputation: 1

I already mentioned bdeunlock.exe in my question. It has a GUI, I don't want a GUI. – Peter Hahndorf – 2018-05-18T16:24:45.433