Bitlocker - Windows 10 - Admin Account - How to

JoK

Weaksauce
Joined
Feb 24, 2017
Messages
97
Hi,

I used to have a laptop from my company and, as you know, my user profile did not allow me to install apps as I was not the admin. I had managed to make my user an administrator and I was happy with it.

Now, my company gave me a new machine (Acer Spin 3) and I want to do the same. Unfortunately, the hard drive is encrypted by BitLocker and, as you can imagine, I do not know the key.

My main goal is to make my user an administrator of the machine only.

I have tried to boot with Sergei Strelec's boot image but I cannot access the encrypted drive.

Does anyone have any idea how to achieve what I want to do?

Thanks
 
Not that I know of, and that is the point. It is the company's machine after all...
Yes, I know and I know. The only thing I want to do is to install a different email client and cloud storage app.

I thought of taking an image of the drive using Macrium and then restoring it on a VMware virtual machine.

Would that transfer the encryption as well? I would have thought so if Macrium uses a byte-to-byte copying mechanism.
 
I've run into it before where you have to feed the key to unlock the clone. Have you ever asked them to vet the apps you want? We have a process to access "unsupported" apps, where you get approval but don't expect any help with it.
 
I've run into it before where you have to feed the key to unlock the clone.
I see. Well, I shouldn't complain though. That's what an encryption scheme should do o_O
Have you ever asked them to vet the apps you want? We have a process to access "unsupported" apps, where you get approval but don't expect any help with it.
Yes, they said they do not support them so they do not install them on any machine although I explained that I do not need any support.
 
Probably not much you can do then, and yeah, it's working the way it's intended, unfortunately. At least to my knowledge; someone might correct me...
 
I don't think the BitLocker key can be accessed without admin privileges. You can pull the key from the command prompt using the command "manage-bde -protectors C: -get", but I just tried it and it won't complete without admin privileges.

I can think of one sneaky option in this case but can't bring myself to post it, being a system admin :ROFLMAO:. I will say even if you get the BitLocker key, most 3rd party utilities don't offer any options to decrypt the drive or access it with your key anyway.
 
I don't think the BitLocker key can be accessed without admin privileges. You can pull the key from the command prompt using the command "manage-bde -protectors C: -get", but I just tried it and it won't complete without admin privileges.

I can think of one sneaky option in this case but can't bring myself to post it, being a system admin :ROFLMAO:. I will say even if you get the BitLocker key, most 3rd party utilities don't offer any options to decrypt the drive or access it with your key anyway.
Hey hi. I've got the numeric password ID. Not sure what to do with it now. When I try to unlock BitLocker from the command line, it says that the password is not correct.
 
Hey hi. I've got the numeric password ID. Not sure what to do with it now. When I try to unlock BitLocker from the command line, it says that the password is not correct.
Assuming you are doing this via cmd, make sure you are using the -recoverypassword flag and not the -password flag.
 
Assuming you are doing this via cmd, make sure you are using the -recoverypassword flag and not the -password flag.
I try: "manage-bde -unlock C: -RecoveryPassword" and it says "parameter recovery password requires an argument". I checked the internet and I need to provide a .bek file?
 
I try: "manage-bde -unlock C: -RecoveryPassword" and it says "parameter recovery password requires an argument". I checked the internet and I need to provide a .bek file?
You need to enter the recovery key after the -RecoveryPassword flag.
 
Try turning it off by right-clicking on the drive and feeding it that key.
 
Yes, they said they do not support them so they do not install them on any machine although I explained that I do not need any support.
Yeah, you aren't supposed to be installing whatever you want, on a company laptop. You use what they approve. The end.

Trying to install a different cloud storage is a gigantic red flag.

close this thread
 
I see. Well, I shouldn't complain though. That's what an encryption scheme should do o_O

Yes, they said they do not support them so they do not install them on any machine although I explained that I do not need any support.
It is not about support so much as being an approved and vetted application. If they let you install the apps "you" want, they could cause issues for other apps or the system, and now they have to support the entire system.
There is a reason companies lock down devices and have approved software lists, it makes life easier for the support teams and I am happy to see a company finally doing it right vs most "everyone gets local admin!"

It also lowers cyber exposure. So, as an IT person I ask that you do NOT try to circumvent your company's policies and the cyber security in place to protect the company, because you want to use some other app.

OneDrive is what they have, and for all you know, they have an entire MS Sentinel security config behind it with monitoring, auditing and other controls in place. So yes, it is more secure than Dropbox or Google Drive in an enterprise when properly configured.
 
It is not about support so much as being an approved and vetted application. If they let you install the apps "you" want, they could cause issues for other apps or the system, and now they have to support the entire system.
There is a reason companies lock down devices and have approved software lists, it makes life easier for the support teams and I am happy to see a company finally doing it right vs most "everyone gets local admin!"

It also lowers cyber exposure. So, as an IT person I ask that you do NOT try to circumvent your company's policies and the cyber security in place to protect the company, because you want to use some other app.

OneDrive is what they have, and for all you know, they have an entire MS Sentinel security config behind it with monitoring, auditing and other controls in place. So yes, it is more secure than Dropbox or Google Drive in an enterprise when properly configured.
So, to be clear, I completely understand the reasons for this. No need to convince me, although I do not agree with the reasoning.

For example, the rationale you present is about what is easier for the support teams when it should be about what is best for the employees and users. Shouldn't the support team "support" people to use whatever tools people think are best for them and allow them to do their job more efficiently and more productively?

Anyway, long discussion outside of the scope of this thread.
 
So, to be clear, I completely understand the reasons for this. No need to convince me, although I do not agree with the reasoning.

For example, the rationale you present is about what is easier for the support teams when it should be about what is best for the employees and users. Shouldn't the support team "support" people to use whatever tools people think are best for them and allow them to do their job more efficiently and more productively?

Anyway, long discussion outside of the scope of this thread.
To an extent, but when that person with the only copy of an app starts taking up hours of extra time to support that app, it takes away from supporting other employees. Just like at my work....
 
So, to be clear, I completely understand the reasons for this. No need to convince me, although I do not agree with the reasoning.

For example, the rationale you present is about what is easier for the support teams when it should be about what is best for the employees and users. Shouldn't the support team "support" people to use whatever tools people think are best for them and allow them to do their job more efficiently and more productively?

Anyway, long discussion outside of the scope of this thread.
No. For multiple reasons. Here are 2:

1. Often, the apps being used at a company are not simply what the everyday IT staff likes or thinks is easiest to use or support. The software selection comes from much higher up the chain and a lot of that stuff isn't necessarily the easiest to use/support, etc. Easiest-to-use is not usually a main focus.

2. But, one of the big ones here is: you can't put company data wherever you want. Nobody can put company data wherever they want. Trying to gain the encryption key of your company laptop (or circumvent the encryption), so that you can sideload tools to potentially increase the privileges of your account, install alternate cloud storage, etc., is highly dubious, at best.
 
So, to be clear, I completely understand the reasons for this. No need to convince me, although I do not agree with the reasoning.

For example, the rationale you present is about what is easier for the support teams when it should be about what is best for the employees and users. Shouldn't the support team "support" people to use whatever tools people think are best for them and allow them to do their job more efficiently and more productively?

Anyway, long discussion outside of the scope of this thread.

As noted, to a point, but wanting to use say Dropbox over OneDrive, that is just a matter of employees getting used to another app, and considerations about company data, security and governance. There are also costs, licenses, business use vs personal, a whole heap of other considerations around software and what it can even be used for (many open source apps can be used for personal usage free, but as soon as it is used for work = need to pay!)
As for other apps, there can always be exceptions; if the app is unique and the role requires it, it should be easy to justify it to your boss to get it approved for use.

If it is more like "I want Photoshop because I am used to it for pasting screenshots", sorry, you can get used to Paint, or GIMP for that, or whatever the company chooses.

So have you asked your boss and explained why you need said software installed? If so, what did they say? If you have not even asked and are simply trying to get around security policies in the company, in place for a reason, personally I would fire you on the spot because you are a liability to the company's infra and data.
 
No. For multiple reasons. Here are 2:

1. Often, the apps being used at a company are not simply what the everyday IT staff likes or thinks is easiest to use or support. The software selection comes from much higher up the chain and a lot of that stuff isn't necessarily the easiest to use/support, etc. Easiest-to-use is not usually a main focus.
True; but who makes the software selection does not negate the point that any selection should help people do their jobs better and more efficiently. I do understand though that some systems are very complicated.

Here I am talking about an email client and a cloud storage with local access.

2. But, one of the big ones here is: you can't put company data wherever you want. Nobody can put company data wherever they want.
Absolutely. But practice proves that this is not what happens and the tools provided by IT imply that, in most cases, employees can store company's data (some at least) wherever they want. Say for example, that my company supports OneDrive only and the policy says that I can only use OneDrive on company's laptop. I can then easily connect OneDrive on my personal PC to my company's account. Is this a violation of the policy?

The most annoying of all policies is that many companies do not allow third party desktop email clients to connect to email accounts or to forward the messages to another account. It creates such a mess with multiple browser tabs, confused cookies, etc.

And, before you say that I should not have professional emails on my personal PC, I can very easily open a web browser and download all messages. Am I going to violate the IT policy?

Trying to gain the encryption key of your company laptop (or circumvent the encryption), so that you can sideload tools to potentially increase the privileges of your account, install alternate cloud storage, etc., is highly dubious, at best.
You got this wrong. The apps I want to install do not alter any permissions of my account across the network or in Active Directory. I do take the point though that because I say it, it does not mean that the company should trust me.

But hey, if the CEO said it....
 
As noted, to a point, but wanting to use say Dropbox over OneDrive, that is just a matter of employees getting used to another app, and considerations about company data, security and governance.
Not necessarily. Until recently, OneDrive could sync only specific folders. You couldn't store the cloud data in any folder you wanted.

There are also costs, licenses, business use vs personal, a whole heap of other considerations around software and what it can even be used for (many open source apps can be used for personal usage free, but as soon as it is used for work = need to pay!)
As for other apps, there can always be exceptions; if the app is unique and the role requires it, it should be easy to justify it to your boss to get it approved for use.
In my case, I pay for the license of what I want to install.
If it is more like "I want Photoshop because I am used to it for pasting screenshots", sorry, you can get used to Paint, or GIMP for that, or whatever the company chooses.
No, it is not. I am not talking about such trivial examples.
So have you asked your boss and explained why you need said software installed? If so, what did they say?
They said no.
If you have not even asked and are simply trying to get around security policies in the company, in place for a reason, personally I would fire you on the spot because you are a liability to the company's infra and data.
Hmmm...it would be helpful before you fire anyone to evaluate the level of the risk they pose.

I am pretty sure you know very well that IT staff violate their own policies every day. If you are a hardliner, a small or huge violation wouldn't matter to you.

To clarify--I am not promoting violating organisational policies.
 
To clarify--I am not promoting violating organisational policies.

My main goal is to make my user an administrator of the machine only.

I have tried to boot with Sergei Strelec's boot image but I cannot access the encrypted drive.

Perhaps I should ask this: did your company provide at any time during your employment a policy for usage of company assets and systems and how to access data and such? Because if they have not provided any form of policy to you, whether via email / internal system or even verbally, then sure, go nuts, because they have not directly said "you should not do ABC / XYZ with company assets and systems". If they do not give you "local admin" rights, there is a reason for it.

If you are not violating policies, go explain to your boss and IT what you are trying to do, and see what their response is. If they said no, what was the reason they provided? How did you explain to them why you need it vs the tools they have provided, perhaps you just were not effective enough at justifying it.

If you were told no to local admin, you are directly trying to get around company security that is put in place. It is that simple.

I have had to do this myself and been turned down requesting software. I wanted TechSmith Snagit for doing arc design docs, client said no, use Snipping Tool....even after I showed them how much more effective Snagit was.... Oh well, cost them more in the end as I am a billable resource, about a week more..

When I have found a workaround at a client, I report it to their Cyber Security team (if they have one) or whom ever I am working under and document it out, and they love me for it. I am inquisitive by nature and also follow Cyb. Sec. very closely, so I dig and find things for clients (which can then also translate into future work for them).

Not necessarily. Until recently, OneDrive could sync only specific folders. You couldn't store the cloud data in any folder you wanted.
Correct, Desktop, Documents and Pictures are the 3 folders that OneDrive will auto sync and convert for you when configuring it, otherwise, you can just create your own folders in OneDrive and use desktop shortcuts or change the "location" of a folder into one in OneDrive where the folder is on your local system (C:\Users\[youraccount]\OneDrive default)

If a company properly configures their M365 tenant, you can lock it down to only company devices so no personal devices can be used (Intune / Azure AD et cetera), and yes, if your company specifically says "do not use personal devices for company data", even if they do not directly block it, and you use a personal device, you are violating company policy.
There are many ways to control data, local shares, network shares and everything in between to limit where data is stored. This allows audits and backups to be far easier than wondering where Joe Blow had all those files on their laptop when we had to redo it, oh, they were saving everything under C:\temp .. (Yes, I had an old CEO who saved every damn Word doc and Excel file under the C:\temp folder...learned that the hard way when I had to redo their device in an emergency when they claimed it was all under their Docs folder.) Or users who do not save things to network drives, their device dies and then they cry about losing all their work.....%$#%$#$%

Plenty of I.T people break company policies, and they should also be sternly warned, or even fired depending on the risk, if they are using shortcuts that can endanger the company's data and assets and infra; it is that black and white. When a company defines its security and governance policies, for ones that actually do, they are applicable to all staff. There can be variances of those policies between departments, based on roles and work that needs to be done, sure, but often the base of all policies is the same and applies to everyone, even C Level.

But we know the reality, most companies have almost no security, let alone data governance policies. Heck, most companies don't even have proper inventory of all their assets! (I deal with several!) to know where their risk is.

True; but who makes the software selection does not negate the point that any selection should help people do their jobs better and more efficiently. I do understand though that some systems are very complicated.

Here I am talking about an email client and a cloud storage with local access.
What is wrong with the email client they have approved for use?

And what do you need to use "your" cloud storage app vs what the company approves? How does that change how effectively you can do your job? How does Dropbox, or AWS, or iCloud differ so much from OneDrive, that you feel you are hindered?

This seems more like personal preference vs efficiency. Thunderbird is a great mail client for example, but I have to use Outlook for most clients' systems they give me, oh well, not a huge difference to prevent me from working effectively. Now if we were talking about them forcing someone to use GIMP vs actual Photoshop for their job as a graphics designer, ya, quit that company right away.

[EDIT] Just as a note, I do agree completely that I.T is there to support the company and the employees. I.T should never be dictating what applications a department can or cannot use. That is up to the managers of said department(s) and higher ups (I.T Directors / Managers / CISO et cetera). The only time I.T would have any impact on such decisions is if they can provide reasons, usually around security, that software could not be used, or if supporting / licensing et cetera becomes complex. I.T people like to be in control, and they do push their preferences on people, thinking they know better than the avg joe, and sure, from a technical aspect, we often do, but again, we are not there to tell people to use 7zip over WinRAR or something. We are there to support the company in keeping it running as effectively as it can, but also as safely and reliably as well.
 
Many companies do not even have IT policies. They may be too small or too busy or too incompetent. I would just ask the actual admins for temporary admin permission or have them personally come and resolve your issue or do it remotely. Another place to look for a key is your Microsoft account. It gets uploaded there without asking the user for permission... BitLocker has to be configured to actually be a proper encryption system that doesn't upload keys to Microsoft and doesn't allow itself to be bypassed for some maintenance operations.

Be very careful with cloud services! Sometimes companies deal with data, such as PHI (Protected Health Information), that requires specific business agreements and contracts before such data can be uploaded to whichever cloud services. If such agreements are not made, it is unlawful to upload such data to cloud services. For example, use of OneDrive is only HIPAA-compliant if the company enters a special HIPAA agreement with Microsoft. If a company is a covered entity or business associate of one and must comply with HIPAA law, but doesn't enter a special agreement with Microsoft, then uploading PHI by such a company to OneDrive violates HIPAA law. This is just one of many examples.
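On the point above that BitLocker only protects a machine when it is configured and its keys are escrowed properly, here is an added admin-side audit (my own example, not code from anyone in this thread). It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker module, which is consistent with the earlier observation that protector details are not readable without admin rights; it reports protector types and IDs only and deliberately never outputs the recovery password itself.

```powershell
# Added example: audit BitLocker state on the local machine from a defender's view.
# Assumption: run elevated; Get-BitLockerVolume / BackupToAAD-BitLockerKeyProtector
# come from the Windows BitLocker module. Nothing here reveals key material.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # When set, escrow every RecoveryPassword protector found to Entra ID (Azure AD),
        # so recovery does not depend on a key a user copied somewhere unmanaged.
        [switch]$EscrowToEntra
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $findings = @()

        # A volume that is "encrypted" but has protection suspended boots with a clear key.
        if ($vol.ProtectionStatus -ne 'On') { $findings += 'protection is OFF (suspended or not enabled)' }

        # Without a TPM-based protector the OS volume unlocks from a plain password or
        # startup key, which is weaker than hardware-bound unlock.
        if (-not ($types | Where-Object { $_ -like 'Tpm*' })) { $findings += 'no TPM-based protector' }

        # No recovery password means no escrow is possible; the drive is lost if the TPM fails.
        if ($recovery.Count -eq 0) { $findings += 'no RecoveryPassword protector' }

        if ($EscrowToEntra -and $recovery.Count -gt 0) {
            foreach ($rp in $recovery) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                                  -KeyProtectorId $rp.KeyProtectorId | Out-Null
                $findings += "escrowed protector $($rp.KeyProtectorId) to Entra ID"
            }
        }

        [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $vol.EncryptionMethod
            ProtectorTypes    = ($types -join ', ')
            RecoveryProtectorIds = (($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', ')
            Findings          = ($findings -join '; ')
        }
    }
}

# Usage: list findings per volume; add -EscrowToEntra on a managed, Entra-joined device.
Get-BitLockerAudit | Format-List
```

The Findings column is the part worth alerting on: a volume with protection OFF or without a TPM protector is exactly the misconfiguration the post above warns about.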
 
If your company is really strict about security, they likely have an application block at the network level, meaning even if you can install the product locally it may not work anyway. The company I work for used to use a Fortinet firewall to block out applications not blessed by IT.
 
Correct, Desktop, Documents and Pictures are the 3 folders that OneDrive will auto sync and convert for you when configuring it, otherwise, you can just create your own folders in OneDrive and use desktop shortcuts or change the "location" of a folder into one in OneDrive where the folder is on your local system (C:\Users\[youraccount]\OneDrive default)
How can I do this? Can you explain please?

Plenty of I.T people break company policies, and they should also be sternly warned, or even fired depending on the risk, if they are using shortcuts that can endanger the company's data and assets and infra; it is that black and white. When a company defines its security and governance policies, for ones that actually do, they are applicable to all staff. There can be variances of those policies between departments, based on roles and work that needs to be done, sure, but often the base of all policies is the same and applies to everyone, even C Level.

But we know the reality, most companies have almost no security, let alone data governance policies. Heck, most companies don't even have proper inventory of all their assets! (I deal with several!) to know where their risk is.
I have another story to tell here. My department has bought a piece of software for me to do my job. I emailed helpdesk to ask them to install it on my company's PC. They replied that I can visit the IT helpdesk and they will do it for me.

So, when I went there, I verbally explained to them all this and they proceeded with the installation. What I found astounding is that there were two IT people who I was talking to and neither of them checked my claims. They just said: "Ah, OK. We can do this".

I found this behaviour very risky for the company.
[EDIT] Just as a note, I do agree completely that I.T is there to support the company and the employees. I.T should never be dictating what applications a department can or cannot use. That is up to the managers of said department(s) and higher ups (I.T Directors / Managers / CISO et cetera). The only time I.T would have any impact on such decisions is if they can provide reasons, usually around security, that software could not be used, or if supporting / licensing et cetera becomes complex. I.T people like to be in control, and they do push their preferences on people, thinking they know better than the avg joe, and sure, from a technical aspect, we often do, but again, we are not there to tell people to use 7zip over WinRAR or something. We are there to support the company in keeping it running as effectively as it can, but also as safely and reliably as well.
Yes, this.

Many companies do not even have IT policies. They may be too small or too busy or too incompetent. I would just ask the actual admins for temporary admin permission or have them personally come and resolve your issue or do it remotely. Another place to look for a key is your Microsoft account. It gets uploaded there without asking the user for permission... BitLocker has to be configured to actually be a proper encryption system that doesn't upload keys to Microsoft and doesn't allow itself to be bypassed for some maintenance operations.
Thanks, I will check.

Be very careful with cloud services! Sometimes companies deal with data, such as PHI (Protected Health Information), that requires specific business agreements and contracts before such data can be uploaded to whichever cloud services. If such agreements are not made, it is unlawful to upload such data to cloud services. For example, use of OneDrive is only HIPAA-compliant if the company enters a special HIPAA agreement with Microsoft. If a company is a covered entity or business associate of one and must comply with HIPAA law, but doesn't enter a special agreement with Microsoft, then uploading PHI by such a company to OneDrive violates HIPAA law. This is just one of many examples.
I didn't know this. Thanks for sharing.

You know, I find it scary that all the data we use is stored on MS servers. No one among the decision makers realises that my company does not really own any of our data. If MS one morning decides that we violated a tick or a line of the contract, we can be locked out for hours/days/whatever.

That is actually another reason I want to use my own cloud service (i.e., from another provider). If the company one day says I am locked out of the system, I will not have access to my data (--and, before you ask I mean MY data not company's data). I want to sync my files on my personal PC but I do not want to setup my company's MS account on it to allow for the synchronisation.

If your company is really strict about security, they likely have an application block at the network level, meaning even if you can install the product locally it may not work anyway. The company I work for used to use a Fortinet firewall to block out applications not blessed by IT.
No, they are not and they don't :)

Anyway, the time and effort to find a workaround did not justify the outcome so in the end I went with company's services.
 