Powershell to pull BitLocker Encryption status

1) enable PSremoting on all laptops --best way is via GPO or any other way to do it?

If you are dealing with domain computers, then yes, GPO is the way to go.

2) I want to run this on a few hundreds laptops so I don't want to manually enter my credentials

Change this:

    [system.Management.Automation.PSCredential]$Credential

to this:

    [system.Management.Automation.CredentialAttribute()]$Credential

Also, your invoke-command line has a typo:

    $Obj = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $Scope

So all that aside, manage-bde has a -cn parameter for remote computers, so Invoke-Command may not be necessary.

I found two scripts to get BitLocker Encryption status but my challenges are:
1) enable PSremoting on all laptops --best way is via GPO or any other way to do it?
2) I want to run this on a few hundreds laptops so I don't want to manually enter my credentials

    Function Get-OSCBitlockerStatus
    {
        param
        (
            [Parameter(Mandatory = $False, Position = 0)]
            [String[]]$ComputerName,
            [Parameter(Mandatory = $False, Position = 1)]
            [String]$FilePath,
            [Parameter(Mandatory = $False, Position = 2)]
            [system.Management.Automation.PSCredential]$Credential
        )

        If($ComputerName)
        {
            Foreach($CN in $ComputerName)
            {
                GetStatus -ComputerName $CN
            }
        }
        ElseIf($FilePath)
        {
            #Get content from the file
            If(Test-Path -Path $FilePath)
            {
                $CNCol = Get-Content -Path $FilePath
                Foreach($CN in $CNCol)
                {
                    GetStatus -ComputerName $CN
                }
            }
            Else
            {
                Write-Error "Find the specified...

This topic first appeared in the Spiceworks Community

Similar Messages

  • Problems with Comodo Kill Switch, Windows Services & Bitlocker Encryption on Asus N56VZ

    Hi All,
    So recently I found myself stuck in a different scenario than before, and after many hours researching and efforts to fix this I still find myself stuck  yet with a few options still to fix.
    What is the problem?
    So as a security cautious user, when I first got to Windows 8.1 Pro 64Bit I encrypted both the C and D drive (Split the main disk) to protect myself and my family. Unfortunately that has not been very helpful with the way in which booting and running from either external USB devices or CD/DVD works, not allowing myself to at all.
    My usual security suite I use is Comodo Internet Security, which additionally comes with Comodo Kill Switch. Whilst using the application, instead of stopping one of the TCP connections I was meant to I accidentally stopped a Windows Explorer connection.
    For some reason since then Windows Explorer, nor most windows apps or services themselves will run. For example msconfig will run but sfc /scannow or mmc will not, whether in safe mode or normal mode.
    What Caused the Problem?
    Cannot 100% say
    What I Think Caused the Problem?
    Myself running Comodo Kill Switch stopping a vital server connection with Windows Explorer that messed up a lot. Or a potential Virus unknown how cannot fully scan system as won't boot externally or run many apps.
    Additional Info
    Asus Webcam is Disabled on Purpose
    Laptop was fully customized to run latest games full graphics minus Anti Aliasing, works with Evolve + CoD Advanced Warfare
    Laptop does not boot if USB Keyboard plugged in, works with everything else normal (had this on other systems no problem for me)
    Ask me for more info if required to add here, braindead again
    Specifications of my system
    Intel® Core™ i7 3610QM Processor
    Windows 8.1 Pro 64Bit
    Intel® HM76 Chipset
    DDR3 1600 MHz SDRAM, 2 x SO-DIMM 8GB
    15.6" HD (1366x768)/Full HD (1920x1080)/Wide View Angle LED Backlight
    NVIDIA® GeForce® GT 650M with 2GB DDR3 VRAM
    1TB 5400RPM OR 750GB 5400/7200RPM (Cannot remember off top of head, braindead)
    Super-Multi DVD 
    Kensington lock (Security Feature)
    LoJack (Security Feature)
    BIOS Booting User Password Protection (Security Feature)
    HDD User Password Protection and Security (Security Feature)
    Pre-OS Authentication by programmable key code (Security Feature)
    What Can Run and Won't Run?
    ON BOOT:
    Bitlocker Encryption Password & Advanced Settings are accessible
    Bios (password protected) is accessible
    Windows Recovery Mode is accessible (Think it is F9 or F10)
    Windows Logon Password Screen is accessible
    ON NORMAL/SAFE-MODE START UP:
    After Log-In Windows Explorer will not run
    Task Manager will run, also allows me to browse the files when trying to start new task
    Can run Command prompt
    Cannot run any control panel items
    Cannot run services.msc
    Cannot run mmc
    Cannot run sfc
    Every time it mentions windows drive is locked
    Start Errors when running certain applications (Will post codes soon)
    Rufus USB Tool does run
    Cannot boot Kali Linux off USB
    Cannot boot Windows 8.1 off USB
    Cannot boot Windows 8.1 off DVDRW
    Fixwin2 will not run
    Apps either work or don't whether in safe mode or normal
    Cannot use Windows Installer
    What Fixes I Have Tried So Far
    Ok so like any normal user I don't want to lose my files. So here are what I have tried so far:
    Repair MBR (Repair Completed, No Luck)
    SFC /SCANNOW (Returns Error 'Windows Resource Protection could not start the repair service')
    Tried sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows (Could not access drive)
    Fixwin2 (Will not run in either normal or safe mode)
    Booting using Windows 8.1 via USB (Cannot boot from external devices due to Bitlocker Encryption)
    Booting using Kali Linux Via DVD & USB (Cannot boot from external devices due to Bitlocker Encryption)
    How do I know it is because of Bitlocker, because last time I disabled it, I could run from external devices
    Tried to run bitlocker to change settings (Will not run)
    Have used both password and recovery keys to unlock driver, they work but when applications are running on windows the drive is still locked?
    Tried windows Automatic Diagnostic and Repair (Could not repair anything, did make a log I am still to extract from the system)
    There are No System Restore Points
    I'm sure there is much more information I could post however I will leave it on an ask to know basis, apart from the log files and further information to gather. Below is my list of trial and error fixes to try for today (need more ideas and help please!):
    Hiren's 15.2 Boot CD via DVD (NOT ABLE TO BOOT)
    Hiren's 15.2 Boot CD via USB (NOT ABLE TO BOOT)
    Research into the Bios and Possible Update in-case of implementation of Virus, can access flash utility (STILL NOT TESTED)
    Try and get a portable version or a working version of windows installer to try and re-install Comodo Internet Security (STILL NOT TESTED)
    Another way to disable Bitlocker
    Anti-Malware / Anti-Virus Scan If Possible to Run One
    Bitlocker Repair Tool, will try this also
    I have posted this as have not found much info online, usually find it and crack on but this time things are a little more tricky, my priority task I really need to do is remove the Bitlocker Encryption, but if the application will not run... what do I do then?
    Thanks for your time reading all, Sorry for any poor formatting or spelling.
    Update 1: MMC.exe Error Code
    Ok so now have the computer in safe mode, still same as before, no explorer.exe, no services etc... Just went into the Task Manager > Services (Tab) > Open Services (Option at bottom)
    This is the error I get:
    'The Instruction at 0x785a746c referenced memory at 0x000000a8. The memory could not be read.
    Any Ideas on what this error is and why?
    Update 2: CHKDSK Works with no Fix
    Update 3: Hiren's 15.2 Boot CD - USB Boot still no luck booting around Bitlocker Encryption
    Just to explain again, I already have unlocked the drive with correct bitlocker password or recovery key yet the drive remains locked not allowing windows refresh of files of complete install from the windows recovery menu as keeps saying drive is locked

    Ok so attempt number two to write this update via bloody phone! (Just refreshed page whilst writing!)
    Update 4:
    Problem - cannot run from bootable devices (DVD/USB)
    Cause - bitlocker fully encrypted drive stops this working
    Repair -
    Boot up holding F9 to enter windows recovery
    Input Bitlocker recovery keys to unlock drives
    Navigate to Command Prompt in advanced settings
    Execute following code:
    Repair-bde c: d: -rp 000111-222333-444555-etc...
    (Code found from https://technet.microsoft.com/en-us/library/ee523219%28v=ws.10%29.aspx)
    Note for those using this: It is common while unlocking certain drives to get errors such as: Quote from http://www.benjaminathawes.com/2013/03/17/resolving-partial-encryption-problems-with-bitlocker/
    "LOG INFO: 0x0000002a Valid metadata at offset 8832512000 found at scan level 1.
    LOG INFO: 0x0000002b Successfully created repair context.
    LOG ERROR: 0xc0000037 Failed to read sector at offset 9211592704. (0x00000017)
    LOG ERROR: 0xc0000037 Failed to read sector at offset 9211593216. (0x00000017)
    …followed by around 20 similar entries that differed only by the offset value"
    Repair Status for Update 4: COMPLETED - However overwrote D drive data so now need to recover that
    Problem 2 - windows services corrupted along with windows files
    Cause - Unknown
    Repair -
    Wait until system is fully decrypted
    Once fully decrypted ensure boot from USB/DVD
    Re-do fixes that would not work before if this has fixed boot issue
    Confirm fix / update post
    Hope anything I put here helps others also

  • 0x803d0013 Error occurred sending encryption status (A fault was received from the remote endpoint)

    Alright, I am stumped. I have looked at nearly every article on this error here at Technet and other sites:
    An error occurred while sending encryption status data.
    Error code:
    0x803d0013 
    Details:
    A message containing a fault was received from the remote endpoint.
    First, I am testing this. I have copied the MDOP ADMX/ADML files directly to the client I am testing this on, and I am applying the policy via the Group Policy Management on the local machine. I am not deploying this via the domain. I wouldn't think that would make a difference, but please let me know if I am wrong.
    I have performed the following:
    1. (DisableMachineVerification) in MBAM registry as is in this article http://support.microsoft.com/kb/2612822
    2.  On the MDOP group policy I have enabled: 
          I. Client Management
              A. Configure MBAM Services
              B. Configure user exemption policy
         II. Fixed Drive
              A. Fixed data drive encryption settings
              B. Choose how BitLocker-protected fixed drives can be recovered
         III. Operating System Drive
              A. Operating system drive encryption settings
              B. Choose how BitLocker-protected operating system drives can be recovered
         IV. Removable Drive
              A. Control use of BitLocker on removable drives
    3. On the MBAM Administration Server AD object, enable the “Trust for delegation for any service (Kerberos Only) option”, under the Delegation tab. Also, the user has been granted delegation privileges for all of the services on the server.
    4. SPN Records have been created for the server
    5. HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
    Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1 
    Create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
    Also, I did not encrypt my drive with MBAM. It was encrypted beforehand. Is there anything I can check or do? The event logs on the MBAM server under MBAM-Web don't show anything under Admin or Operational.
    I think my KeyRecoveryServiceEndPoint and StatusReportingServiceEndpoint URLs are correct:
    https://mbam01.domainname.com:443/MBAMRecoveryAndHardwareService/CoreService.svc
    https://mbam01.domainname.com:443/MBAMComplianceStatusService/StatusReportingService.svc
    I even think there was a registry key to make the hardware compatible, but I don't remember which key it was, as I uninstalled and reinstalled, and don't remember where I found that on the forums.
    Any suggestions?

    If you have made changes to the web.config files to accommodate the SSL settings, you will not be able to browse the URLs with the http protocols. The URLs will then only work with the https protocols.
    Could you please confirm the login created for the particular local groups with the following permission:-
    For MBAM Compliance Auditing DB Access:-
    User Mapping – MBAM Compliance Status
    DB Role Membership – ComplianceWriteRole
    Server Roles – Public
    For MBAM Recovery and Hardware DB access:-
    User Mapping – MBAM Recovery and Hardware
    DB Role Membership – RecoveryandHardwareReadRole, RecoveryandHardwareWriteRole
    Server Roles – Public
    Make sure the MBAM Computer account (MBAM Web Server) is a member of these two groups.
    Gaurav Ranjan

  • BitLocker Encryption ToGo; Decryption Issue.

    I currently have a USB drive that has been partially encrypted with BitLocker Encryption, but will not allow me to unlock it. I have looked for many resources on solving this issue, but have decided to post my details.
    I am running Windows 7 Enterprise. I have the Password and I have a FIPS-140-2 compliant Recovery Key. All of my USB drives have the FAT32 file system. I do not have a TPM or Smart Card, but I do have the 256 bit FVE key. I have not tried unlocking on another computer with BitLocker Encryption.
    First of all I successfully encrypted one USB drive with no issues and stored the key on another USB drive. Next I encrypted a hard disk drive and stored the key on the same USB drive. Next I began encrypting the USB drive that had the keys stored on it, but realized I had to have encrypted another drive first so I stopped the encryption at about 4%, by closing BitLocker. I realize this is where I must have gone wrong, because I stopped the encryption algorithm as it was already started. BitLocker took awhile to close so I assumed it reversed encrypted what it had already encrypted. I then encrypted the other drive and stored the key on the USB drive with the keys on it. According to a BitLocker policy the keys encrypt each other and become chained together, but this may not be relevant to the issue. I resumed the encryption process of the partly encrypted USB drive and stored the key on an entirely separate and not yet encrypted USB drive and this seemed to complete with no issues. Then I encrypted the final USB drive and stored the key on a non encrypted hard disk.
    Now the problem I am having is when I attempt to unlock the USB drive with the keys on it. The drive unlocks, but then unmounts itself and asks for the password again and this ends up being an endless loop. I decide to decrypt all drives in the order I encrypted them and there appears to be no issue except for with the USB drive with most of the keys on it. I am unable to unlock and decrypt the USB with the keys on it so I skip this drive in the process and I am able to fully decrypt the rest of the drives using the keys stored on the "broken" encrypted drive regardless of skipping decrypting it. If I attempt to decrypt or unlock the USB drive with the keys on it I can not, so I tried rebooting. Now when I attempt to unlock the drive using the password through the BitLocker Encryption Manager the manager seems to freeze and goes into a non responsive mode and I am unable to close it, even after safely removing the USB drive.
    I have tried a few different methods to solve this issue, but fear that without manually decrypting every single bit exactly how they were encrypted the data may be lost.
    I use an elevated command prompt to use the standard "manage-bde d: -unlock -pw" and then enter the password, but this seems to only unlock the drive momentarily before it unmounts itself.
    I have also tried using "manage-bde d: -unlock -recoverykey '[recoverykey/path].bek'", but this shows the same behavior.
    I have also tried using "repair-bde d: e: -recoverykey '[recoverykey/path].bek'" and the command prompt says "Error: Cannot open 'D:'. Check that it is not currently in use. To continue even when the volume is in use, add the -Force option.".
    Not using the "-Force" parameter allows me to access the drive as if it isn't locked, but only lets me see the "COV 0000. ER" and other BitLocker ToGo autorun files, while not letting me modify or copy the "COV 0000. ER" file.
    I am able to view the "COV 0000. ER" file with a hex editor, but do not want to have to screen capture every screen worth of characters to attempt to manually decrypt the entire two gigabytes of information, while still not knowing exactly what timestep
    the encryption algorithm actually stopped at.
    If I use "repair-bde d: e: -recoverykey '[recoverykey/path].bek'" again or use the "repair-bde d: e: -recoverykey '[recoverykey/path].bek' -force" the drive seems to respond and starts scanning for BitLocker metadata, and boot sectors.
    I am then prompted "LOG INFO: 0x00000027", "Valid metadata at offset 579055616 found at scan level 1.", "LOG INFO: 0x00000028 Successfully created repair context. Beginning decryption". The "d:" USB drive is approximately
    two gigabytes, while the "e:" is approximately eight gigabytes. This then does from 1% to 99% without any issues. As the decryption process hits 99%, I am prompted with a popup "repair-bde.exe - Wrong Volume", "The wrong volume is
    in the drive. Please insert volume into drive \Device\Harddisk2\DR8", "Cancel: Try Again: Continue" and the encrypted USB unmounts itself again and asks for the password through the BitLocker Drive Encryption Manager. No matter which of the
    three choices I select the command prompt then says "LOG ERROR: 0xc0000035 Failed to read sector at offset 2000010000. <0x00000002>" and repeats until it hits "2015160832" and then says "Decrypting: 100% Complete. Finished decryption.
    ACTION REQUIRED: Run 'chkdsk D: /f' before viewing decrypted data." Now I still have the USB drive with the keys on it, but it remains locked, but now the eight gigabyte USB drive I used as "e:" is seen as a "RAW" filesystem under "Disk
    Management", but "FAT32" under "My Computer". If I try to open "e:" I am prompted to format the drive before using it. If I use "RUN" to attempt to check the disk for errors in "read-only mode" the drive
    is detected as if it was the "NTFS" file format, but does not seem to have any errors.
    If I choose to format the USB drive "e:" I am able to use it, but it appears blank. Using third party recovery software I am able to retrieve some of the data from the partition, which was on "d:", but it appears to be partly decrypted
    still or possibly fragmented. I realize this step isn't because of BitLocker and may be due to the software used to retrieve the information.
    I am able to repeat this temporarily unlocking of "d:" and attempting to recover process over and over, while still getting the same result.
    Another interesting note is, when I use "manage-bde -status", when the drive is locked I can see that the encrypted drive "d:" is still protected with a password and external key. If I use "repair-bde d: e: -recoverykey '[recoverykey/path].bek'"
    to temporarily unlock the drive and then use "manage-bde -status" the drive "d:" reads the status as "Size: 1.88 GB, BitLocker Version: None, Conversion Status: Fully Decrypted, Percentage Encrypted: 0%, ERROR: An error occurred <code
    0x80070057>:, The parameter is incorrect.".
    Also when the USB drive is temporarily unlocked using "repair-bde d: e: -recoverykey '[recoverykey/path].bek'" and I use "manage-bde d: -off" I am prompted "ERROR: An error occurred <code 0x80310008>: BitLocker Drive Encryption
    is not enabled on this drive. Turn on BitLocker.". If I use "manage-bde d: -on" the USB drive is detected by BitLocker as having no name, as expected, but also "ERROR: An error occurred <code 0x8031002e>: BitLocker Drive Encryption
    cannot encrypt the specified drive because an encryption key is not available. Add a key protector to encrypt this drive." If I use "manage-bde d: -on -recoverykey '[recoverykey/path].bek'" then BitLocker detects the drive, but prompts "Key
    Protectors Added: ERROR: An error occurred <code 0x8031002d>: The drive encryption algorithm and key cannot be set on a previously encrypted drive. To encrypt this drive with BitLocker Drive Encryption, remove the previous encryption and then turn on
    BitLocker."
    If I use "manage-bde d: -protectors -disable" I am prompted "ERROR: An error occurred <code 0x8031002d>: The drive encryption algorithm and key cannot be set on a previously encrypted drive. To encrypt this drive with BitLocker Drive
    Encryption, remove the previous encryption and then turn on BitLocker.", but if I use "manage-bde d: -protectors -enable" I am prompted "ERROR: An error occurred <code 0x80310001>: This drive is not encrypted.".
    A review of my issue is that I have a BitLocker Encrypted USB Drive, which will not allow me to unlock it no matter how I attempt to do it. I end up with the USB drive automatically unmounting itself when I try to unlock it and this will not allow me to decrypt it.
    Thank You in advance for taking the time and consideration to fully understand and read my post. I would have gone to the Microsoft professional support hotline, but it would have cost about $250.00 for me to attempt to explain this very large amount of text that I had to proof read and edit.
    I believe I have stated all the information that is relevant to the issue I am having and I would appreciate any help that would help me resolve my problem decrypting the information, without the need to manually decrypt every single bit or using an at least 128 D-Bit quantum computer, "Qumputer".
    I have considered these resources already, but am willing to reconsider them if I missed something.
    BitLocker Drive Encryption Overview: http://technet.microsoft.com/en-us/library/cc732774.aspx
    Manage-BDE: http://technet.microsoft.com/en-us/library/ff829849.aspx
    Windows BitLocker Drive Encryption Frequently Asked Questions: http://technet.microsoft.com/en-us/library/cc766200%28v=ws.10%29.aspx   (I haven't completely read everything, but skimmed through for what I thought may have been relevant.)
    Scenario 14: Using a Data Recovery Agent to Recover BitLocker-Protected Drives (Windows 7): http://technet.microsoft.com/en-us/library/ee424312%28WS.10%29.aspx   (This might have worked but I don't have a smart card and I didn't already have the
    recovery agent set up in group policies before I started encrypting.)
    Scenario 16: Using the BitLocker Repair Tool to Recover a Drive: http://technet.microsoft.com/en-us/library/ee523219%28WS.10%29.aspx

    Hi,
    Did you remember clear which one store in which one? It's so complex on your description.
    Have you tried to recover the drive which the most key stored in it by non encrypted hard disk that stored in the USB drive key?
    If it still fails, I would like to suggest you contact a professional data recovery center for help.
    Note: It's not recommended that you use third party software to recover, since your data might be lost because of some fault.
    Karen Hu
    TechNet Community Support

    Sorry, I tried to explain my situation as thoroughly as possible without having to take screen captures of each step of the process.
    I have written down what keys were stored where, so there shouldn't be any chance of mixing up the keys. I have also attempted to recover using a different key. Possibly using a different key causes the drive to attempt to decrypt with the wrong algorithm and actually encrypting the data even more, but this doesn't seem to be the case because it just fails and goes back into the state it was in.
    Also how would one get a hold of the professional data recovery team? Them being "professionals" I would assume their services are not free, but I may be mistaken.
    Also I will not attempt to use "third party software" again, but I was just getting desperate and that is why I tried it on the partition of the backup, which appears to be blank anyways. This isn't relevant to the issue at hand though.
    I know encryption isn't 100% non reversible no matter how large the keys and algorithms are, so there should always be a way to decrypt.

  • Tips or Improvements for my Bitlocker Encryption Test Script

    Hi Guys,
    I just finished a little script to check if a drive is encrypted with Bitlocker. I wanted to post it here to see if anyone had some constructive criticism.
    Here you go:
    $computer = import-csv C:\scripts\bitlock3.csv
    $namespace = "root\CIMV2\Security\MicrosoftVolumeEncryption"
    Foreach($line in $computer){
        # One Win32_EncryptableVolume instance comes back per volume on the target
        $a=GWmi -class Win32_EncryptableVolume -computername $line.comp -namespace $namespace
        $BitStat=$a.ProtectionStatus
        # ProtectionStatus 1 means protection is on
        If ($bitstat -eq 1) {Write-host $line.comp "is encrypted"}
        Else {Write-host $line.comp "is NOT encrypted"}
    }

    You're very welcome.
    This adjustment removes all Write-Output statements and replaces them with a hashtable of the computer name and encryption status. Objects are created from those hashtables, they're then sorted by status to have 'NOT Encrypted' appear at the top of the output CSV, and then sorted by computer name (just a habit of mine):
    $namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    Import-Csv C:\Scripts\bitlock3.csv | ForEach-Object {
        # Import-Csv emits objects; the column is named 'comp', as in the script above
        $computerName = $_.comp
        try {
            $status = Get-WmiObject -Class Win32_EncryptableVolume -ComputerName $computerName -Namespace $namespace -ErrorAction Stop
            if ($status.ProtectionStatus -eq 1) {
                $props = @{
                    ComputerName = $computerName
                    Status = 'Encrypted'
                }
            } else {
                $props = @{
                    ComputerName = $computerName
                    Status = 'NOT Encrypted'
                }
            }
        } catch {
            # Unreachable host, access denied, missing namespace, etc.
            $props = @{
                ComputerName = $computerName
                Status = "ERROR - $_"
            }
        }
        New-Object PsObject -Property $props
    # One Sort-Object call with two keys; a second chained sort would discard the first ordering
    } | Sort-Object -Property @{Expression = 'Status'; Descending = $true}, @{Expression = 'ComputerName'; Descending = $false} | Export-Csv .\bitlockerStatus.csv -NoTypeInformation
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)
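
An added example, not part of either post above or of the Spiceworks thread at the top of the page: both scripts read `ProtectionStatus` as a single value, but `Win32_EncryptableVolume` returns one instance per volume, so this version reports every drive on every machine and records unreachable machines instead of stopping. `Get-BitLockerReport`, the computer names and the output file name are assumptions made for the illustration; `Get-CimInstance` connects over WinRM, so the targets need remoting enabled and the caller needs administrative rights on them.

```powershell
function Get-BitLockerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        # Optional. Omit it to connect as the account running the script
        # (for example a scheduled task under a delegated admin account),
        # which avoids any credential prompt.
        [pscredential]$Credential
    )
    begin {
        # Documented ProtectionStatus values of Win32_EncryptableVolume
        $statusName = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
        $query = @{
            Namespace   = 'root\cimv2\Security\MicrosoftVolumeEncryption'
            ClassName   = 'Win32_EncryptableVolume'
            ErrorAction = 'Stop'
        }
    }
    process {
        foreach ($name in $ComputerName) {
            $session = $null
            try {
                $sessionArgs = @{ ComputerName = $name; ErrorAction = 'Stop' }
                if ($Credential) { $sessionArgs.Credential = $Credential }
                $session = New-CimSession @sessionArgs

                # Force an array so one volume and many volumes are handled alike
                $volumes = @(Get-CimInstance @query -CimSession $session)
                foreach ($v in $volumes) {
                    [pscustomobject]@{
                        ComputerName = $name
                        DriveLetter  = $v.DriveLetter
                        Protection   = $statusName[[int]$v.ProtectionStatus]
                        Error        = $null
                    }
                }
            }
            catch {
                # Offline laptop, WinRM not enabled, access denied, ...
                [pscustomobject]@{
                    ComputerName = $name
                    DriveLetter  = $null
                    Protection   = 'NotChecked'
                    Error        = $_.Exception.Message
                }
            }
            finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
        }
    }
}

# Constructed sample names; in practice feed the list from the CSV, e.g.
#   Import-Csv C:\scripts\bitlock3.csv | ForEach-Object { $_.comp }
'LAPTOP-001', 'LAPTOP-002' |
    Get-BitLockerReport |
    Sort-Object -Property Protection, ComputerName |
    Export-Csv -Path .\bitlockerStatus.csv -NoTypeInformation
```

Rows with `Protection` set to `NotChecked` are machines to retry later, not machines known to be unencrypted.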

  • PowerShell Script to enable encryption

    Hi All,
    I am hoping I can get some assistance.   I am looking to create a script that will do following:
    1. Enable Encryption 
    2. Backup Encryption Key and/or TPM Data to specific location and specific file name: ex: Computer Name or FQDN
    Is this possible?

    There's the Bitlocker cmdlets, like Enable-Bitlocker. See
    https://technet.microsoft.com/en-us/library/jj649829.aspx
    This appears to encrypt drive when not encrypted already (or resume encryption when currently paused, as it states there).
    About writing key protector to a text file:
    http://blogs.technet.com/b/leoponti/archive/2013/08/17/powertip-use-powershell-to-write-bitlocker-recovery-key-to-text-file.aspx
    Have not tried this myself though.
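
One way to do both steps with the BitLocker cmdlets the reply points to, as an added example that is not from the thread: it creates the recovery password first, writes it to a file named after the computer, and only then turns encryption on. `$BackupDir` is a placeholder path and the file layout is an assumption; the script has to run elevated on the machine being encrypted.

```powershell
$MountPoint = $env:SystemDrive
# Placeholder share. Restrict its ACL so clients can create files but not
# read each other's, since each file holds a recovery password.
$BackupDir  = '\\fileserver.example\BitLockerKeys$'

function Get-RecoveryProtector {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
}

# 1. Make sure a recovery password protector exists before any encryption starts
$recovery = Get-RecoveryProtector -MountPoint $MountPoint
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
        -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
    $recovery = Get-RecoveryProtector -MountPoint $MountPoint
}

# 2. Back it up to a file named after the computer
$file = Join-Path -Path $BackupDir -ChildPath "$env:COMPUTERNAME.txt"
@(
    "Computer:         $env:COMPUTERNAME"
    "Volume:           $MountPoint"
    "KeyProtectorId:   $($recovery.KeyProtectorId)"
    "RecoveryPassword: $($recovery.RecoveryPassword)"
) | Set-Content -Path $file -ErrorAction Stop

# Where Group Policy allows AD DS backup, this stores the same protector in AD:
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 3. Encrypt only when the backup file is in place and the volume is still decrypted
$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ((Test-Path -Path $file) -and $volume.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -TpmProtector -ErrorAction Stop
}
```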

  • My computer has Bitlocker encryption. When I plug in my iPod Shuffle to the USB port, iTunes does not recognize it.

    My computer has Bitlocker encryption. When I plug in my iPod Shuffle to the USB port, iTunes does not recognize it. When asked to encrypt the Shuffle I say no, but still not recognized. When I encrypt it, still not recognized (even after it was restored by iTunes). Any suggestions please?

    Did you find a solution?
    My touch is doing the same thing.

  • Is Diskpart unable to clean bitlocker encrypted Windows 8 to go installations?

    Hi all.
    I am aware that this is a configuration that not many of you will have, but worth a try...
    I am running windows 8.1 enterprise x64 installed on a USB drive as windows to go. The USB drive is a supported one for this configuration, Kingston Data Traveller 32 GB. Also I use bitlocker to encrypt the whole drive and all works very nice.
    Lately however, I wanted to restore an image backup to the drive, so I plugged it into another pc running windows 8.1 enterprise.
    The imaging software however was not able to write to the drive and told me, it is in use. So I looked at explorer, but it was not even mounted, which is expected behavior with windows 8.1.
    To overcome the problem, I tried to clean the drive using diskpart and this is where the question starts: Although diskpart told me that cleaning was successful, the imaging software was still not able to write to the drive! So I said, "damn
    it, win8.1, what's wrong? I'll use windows 7 to replay the image to the drive!"
    On windows 7 I was flabbergasted after inserting the drive: I was presented a message from bitlocker to go which asked me for the password (which I provided and which worked). I did not get that on 8.1!
    Attention, the question is right here:
    Why is diskpart unable to clean the drive? Why does it tell me "cleaning was successful" (and I could verify that, partitions were indeed removed) although it is obviously unable to remove the bitlocker info?
    So far, my understanding of diskpart's clean command was that it completely resets the drive.
    Am I right, or what did I miss? Is diskpart not supported on "windows 8.1 to go"?

    I don't think diskpart will remove bitlocker encryption. To remove encryption you must use decryption method. If you have forgotten password you have to use bitlocker recovery key.
    Try Bitlocker repair tool if the partition is damaged: http://www.microsoft.com/en-us/download/details.aspx?id=17294
    "The BitLocker Repair Tool can assist administrators in recovering data from a corrupted or damaged disk volume that was encrypted with BitLocker."
    Using the BitLocker Repair Tool to Recover a Drive
    http://technet.microsoft.com/en-us/library/ee523219(WS.10).aspx
    http://support.microsoft.com/kb/928201
    If you have lost your password or recovery key check these:
    I Lost My Bitlocker Recovery Key
    http://www.pcandtablet.com/windows-8-errors-and-crashes/279/i-have-lost-my-windows-8-bitlocker-key-now-i-cant-boot-how-can-i-recover-my-data.html
    http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

  • SCCM 2012 SP1 CU5 - Unknown error code when deploying Bitlocker encryption (happens during check for Bitlocker partition)

    Hi
    It says in the smsts.log file from the laptop:
    Evaluating a WMI condition expression TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Expand a string: root\cimv2 TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Expand a string: SELECT * FROM Win32_DiskPartition WHERE DiskIndex = 0 and Index = 0 and Size = 100 TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    The condition for the action (Create BitLocker partition) is evaluated to be true TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Expand a string: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Expand a string:  TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Start executing the command line: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    !--------------------------------------------------------------------------------------------! TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Expand a string: WinPEandFullOS TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Executing command line: smsswd.exe /run: cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet TSManager 03-02-2015 13:34:58 7304 (0x1C88)
    Creation event received for process 7976 mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
    [ smsswd.exe ] InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    PackageID = '' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    BaseVar = '', ContinueOnError='' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    ProgramName = 'cmd.exe /c bdeHdCfg.exe -target default -size 300 -quiet' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    SwdAction = '0001' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    Getting linked token InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    failed to get the linked token information. It may not be available. Error 1312 InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    Process ID 7976 is for process C:\Windows\CCM\smsswd.exe mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
    No matching rule found for process 7976 mtrmgr 03-02-2015 13:34:58 948 (0x03B4)
    Working dir 'not set' InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    Executing command line: Run command line InstallSoftware 03-02-2015 13:34:58 4668 (0x123C)
    Creation event received for process 7452 mtrmgr 03-02-2015 13:34:58 4564 (0x11D4)
    Process ID 7452 is for process C:\Windows\system32\cmd.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Found match against RuleID LGR00188 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Creation event received for process 7940 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Tracked usage for process 7452 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Process ID 7940 is for process C:\Windows\system32\conhost.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Creation event received for process 3104 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Found match against RuleID LGR00183 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Tracked usage for process 7940 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Process ID 3104 is for process C:\Windows\system32\BdeHdCfg.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Creation event received for process 7552 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    No matching rule found for process 3104 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Process ID 7552 is for process C:\Windows\System32\vdsldr.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    Creation event received for process 7152 mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    No matching rule found for process 7552 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Process ID 7152 is for process C:\Windows\System32\vds.exe mtrmgr 03-02-2015 13:34:59 4564 (0x11D4)
    No matching rule found for process 7152 mtrmgr 03-02-2015 13:34:59 948 (0x03B4)
    Termination event received for process 3104 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
    Termination event received for process 7452 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
    Process completed with exit code 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    Termination event received for process 7940 mtrmgr 03-02-2015 13:35:00 4564 (0x11D4)
    BitLocker Drive Preparation Tool version 6.1.7601 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    opyright (C) 2006-2008 Microsoft Corporation. InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    Command line returned 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
    Termination event received for process 7976 mtrmgr 03-02-2015 13:35:01 4564 (0x11D4)
    Process completed with exit code 3231711234 TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    !--------------------------------------------------------------------------------------------! TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Failed to run the action: Create BitLocker partition.
    Unknown error (Error: C0A00002; Source: Unknown) TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Set a global environment variable _SMSTSLastActionRetCode=-1063256062 TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Set a global environment variable _SMSTSLastActionSucceeded=false TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Clear local default environment TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Failed to run the action: Create BitLocker partition. Execution has been aborted TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Failed to run the last action: Create BitLocker partition. Execution of task sequence failed.
    Unknown error (Error: C0A00002; Source: Unknown) TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Set authenticator in transport TSManager 03-02-2015 13:35:01 7304 (0x1C88)
    Termination event received for process 6188 mtrmgr 03-02-2015 13:35:03 4564 (0x11D4)
    Termination event received for process 7552 mtrmgr 03-02-2015 13:35:06 4564 (0x11D4)
    Task Sequence Engine failed! Code: enExecutionFail TSManager 03-02-2015 13:35:07 7304 (0x1C88)
    **************************************************************************** TSManager 03-02-2015 13:35:07 7304 (0x1C88)
    Task sequence execution failed with error code 80004005 TSManager 03-02-2015 13:35:07 7304 (0x1C88)

    Hi Jason
    See below. The problem is that on some of our laptops not anywhere geographically close to our IT department, the laptop has been set up with 2 partitions and on some only with 1 partition (we used another deployment system 2 years ago), so I am trying to prepare all our corporate laptops for Bitlocker encryption. The reason why I made this task sequence was to hit all those laptops that are not being reinstalled / installed again in the near future.
    Do you have any suggestions, should it help to remove the cmd.exe /c in front of the Bitlocker cmd line?
    We have tried the MBAM solution, but in my opinion too many problems with the MBAM client.
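
The failing step's result appears in three spellings in the smsts.log excerpt at the top of this thread (3231711234, C0A00002 and -1063256062). As an added example that is not part of the original thread, this Python parser reads lines in that layout and groups the codes by their 32-bit value; the sample lines are constructed from the excerpt, and the decimal or hex reading of each field is an assumption based on it.

```python
import re

# Constructed sample in the layout of the smsts.log excerpt above:
# "<message> <component> <dd-mm-yyyy> <hh:mm:ss> <thread> (<thread hex>)".
SAMPLE_LOG = """\
Process completed with exit code 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
Command line returned 3231711234 InstallSoftware 03-02-2015 13:35:00 4668 (0x123C)
Failed to run the action: Create BitLocker partition.
Unknown error (Error: C0A00002; Source: Unknown) TSManager 03-02-2015 13:35:01 7304 (0x1C88)
Set a global environment variable _SMSTSLastActionRetCode=-1063256062 TSManager 03-02-2015 13:35:01 7304 (0x1C88)
Task sequence execution failed with error code 80004005 TSManager 03-02-2015 13:35:07 7304 (0x1C88)
"""

TRAILER = re.compile(
    r"^(?P<msg>.*?)\s*(?P<component>[A-Za-z]\w*) "
    r"(?P<date>\d\d-\d\d-\d{4}) (?P<time>\d\d:\d\d:\d\d) \d+ \(0x[0-9A-Fa-f]+\)$"
)

# (pattern, base) pairs. Assumption read off the excerpt: "exit code",
# "returned" and RetCode are decimal; "Error:" and "error code" are hex.
CODE_PATTERNS = [
    (re.compile(r"exit code (-?\d+)"), 10),
    (re.compile(r"returned (-?\d+)"), 10),
    (re.compile(r"_SMSTSLastActionRetCode=(-?\d+)"), 10),
    (re.compile(r"Error: ([0-9A-Fa-f]{8})\b"), 16),
    (re.compile(r"error code ([0-9A-Fa-f]{8})\b"), 16),
]

def parse_entries(text):
    """Split the log into entries; a line without the trailer continues into the next."""
    entries, pending = [], []
    for line in text.splitlines():
        m = TRAILER.match(line.strip())
        if not m:
            pending.append(line.strip())
            continue
        msg = " ".join(pending + [m["msg"]]).strip()
        pending = []
        entries.append({"msg": msg, "component": m["component"],
                        "when": f'{m["date"]} {m["time"]}'})
    return entries

def to_u32(value):
    """Fold a signed or unsigned integer onto its 32-bit unsigned form."""
    return value & 0xFFFFFFFF

def to_i32(value):
    """Signed 32-bit view of the same bits (the form _SMSTSLastActionRetCode uses)."""
    u = to_u32(value)
    return u - 0x100000000 if u & 0x80000000 else u

def group_codes(entries):
    """Map each normalized code (0xXXXXXXXX) to the raw spellings seen in the log."""
    seen = {}
    for e in entries:
        for pattern, base in CODE_PATTERNS:
            for raw in pattern.findall(e["msg"]):
                key = f"0x{to_u32(int(raw, base)):08X}"
                seen.setdefault(key, set()).add(raw)
    return seen

if __name__ == "__main__":
    for code, raws in group_codes(parse_entries(SAMPLE_LOG)).items():
        print(code, to_i32(int(code, 16)), sorted(raws))
```

Grouping this way shows that the bdeHdCfg.exe exit code, the TSManager "Error:" value and `_SMSTSLastActionRetCode` are one result, while 80004005 is the separate code the task sequence engine reports for the overall failure.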

  • Does anyone know the difference between these Protocol Encryption statuses or why their statuses are different?

    I am confused why their Protocol Encryption statuses are different from each other; they are all using AnyConnect client v2.5.
    user 1 - AnyConnect-Parent SSL-Tunnel RC4
    user 2 - AnyConnect-Parent SSL-Tunnel DTLS-Tunnel RC4 AES128
    user 3 - Clientless SSL-Tunnel DTLS-Tunnel (this user is using an AnyConnect client, but when she connects her status shows Clientless)

    The 17" MBP has an extra USB 2.0 port and also comes with a FireWire 800 port.
    As far as the GPUs go, they are the same: ATi Mobility Radeon X1600.
    As far as the GPU-dedicated-RAM (VRAM) goes, the only difference is the amount (128MB vs 256MB). More VRAM is better if you are going to be running video intensive apps, eg. multimedia apps and/or 3D games. The VRAM is GDDR3 which provides greater bandwidth than the DDR2 technology used in the 512MB/1GB/2GB of 'main memory'.
    There is, of course, the different CPU multipliers. The 1.83GHz has an 11x multiplier while the 2.00GHz has a 12x multiplier. The 2.16GHz CPU of the 17" MBP has a 13x CPU multiplier.
    The Front Side Bus speed is the same 667MHz on all three models. It drops down to 167MHz at the boundary of the CPU to which is applied the above multipliers, ie:
    667MHz FSB / 4 = 167MHz
    167MHz x 11 = 1.83GHz
    167MHz x 12 = 2.00GHz
    167MHz x 13 = 2.16GHz
    N.B. 167MHz is really 1000/6.

  • Backing Up Bitlocker Encrypted Disks

    I'm planning to have bitlocker encrypt the hard drives on my server, but I have questions about windows server backups of encrypted hard drives. I use both file AND system image backups (i.e. Bare metal recovery, system state etc.), so my first question is are those backups also encrypted. I seem to recall (though I hadn't gotten around to using it) that 2008 R2 backups were DECRYPTED (in any event, NOT ENCRYPTED), but I can't find any information about whether that's still true in 2012 R2.
    I'd be grateful if someone could enlighten me about this.
    Capt. Dinosaur

    Hi Sharon, Thanks for your response:
    "As you said it is not encrypted - Data is backed up to an ISO file and Windows Server Backup will run when volume is decrypted. In order to protect the backup, you can encrypt the target volume in the same time"
    I was hoping that the output would not be encrypted, but I don't understand about it going to an ISO file. I always include a System Image (Bare Metal Recovery) in addition to the selected data files. Currently, with the disks NOT ENCRYPTED, the system image is a series of .VHDX & .XML files, and the file backups are .ZIPs. I'm not sure how an ISO file can be restored.
    "If you are using BitLocker Drive Encryption to protect your server, if possible, make sure that the storage location you choose is also protected with BitLocker Drive Encryption. This will not happen automatically—it
    must be enabled explicitly."
    I don't want the backups to be encrypted. I back up to an external HDD which is stored offsite in a fire resistant vault. I need it to be unencrypted so that in the event of a disaster (i.e. my server becomes a puddle of molten metal) I need to be able to restore to new hardware. Is that not going to work???
    Capt. Dinosaur

  • Disable forced bitlocker encryption for certain USB devices

    Is it possible to specify certain USB removable devices to not be Bitlocker encrypted?  Example - A GPS so the user can do updates.  I didn't see any way to do this via policy.

    No, the reason is this, bitlocker is not going to make any difference between the devices based upon the hardware ID; it only takes the class of the device while applying the policies. 
    Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.

  • MBAM 2.0 Windows 7 clients not sending encryption status after initial encryption

    I am getting following error event under MBAM\Admin while looking out for reasons for not receiving machine details under compliance reporting:
    Event Id: 4
    Source: MBAM
    An error occurred while sending encryption status data.
    Error code:
    0x80041010
    Details:
    NULL
    Already have tried all possible ways as mentioned under other related forums but it is of no success. Can someone please help in solving this error?
    Regards,
    Paras

    Hi Manoj,
    I am also getting the Event ID:4 An error occurred while sending encryption status data.
    Error code: 0x80041010
    The MBAM reg key is attached. I have also confirmed my MBAM server endpoints are correct. The system partition is separate from the OS partition. The TPM is on and ownership has not been taken. The MBAM client service is running
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
    "AgentVersion"="2.5.0244.0"
    "Installed"=dword:00000001
    "NoStartupDelay"=dword:00000001
    Kindly advise
    Thank you

  • Powershell script monitor with encrypted password

    I have created a powershell script based monitor in my management pack and everything is ok but I can't get my credentials work inside the script. I want to open pssession to another computer with my credentials. I have triple checked that my pssession is working because I can access it from powershell console.
    This works perfectly at local server from PSconsole:
    $EncryptedPassword ="01000000d08c9ddf0115d1118c7a00c04fc297eb01000000534b2....etc...etc..."
    $pw = convertto-securestring -String $EncryptedPassword
    $cred = new-object System.Management.Automation.PSCredential -argumentlist "MyDOMAIN\MyACCOUNT",$pw
    $s = New-PSSession -ComputerName "MyServer" -Port MyPort -Credential $cred
    But when I run the same lines inside my management pack the convertto-securestring does nothing, it just won't convert the encrypted password to secure string!
    I have tried this plain text method and it works inside my management pack, but I don't want to use it because you can see the password in plain text:
    ConvertTo-SecureString -String "myPlainTextPassword" -AsPlainText -Force
    This is the $error variable, so it basically says that I don't have anything in the password secure string variable because the conversion did not work for some reason:
    The argument is null. Provide a valid value for the argument, and then try running the command again. Cannot process argument transformation on parameter 'Credential'. PromptForCredential Exception calling ".ctor" with "2" argument(s):
    "Cannot process argument because the value of argument "password" is null. Change the value of argument "password" to a non-null value." The system cannot find the file specified. Exception calling "SecureStringToBSTR"
    with "1" argument(s): "Value cannot be null. Parameter name: s" The system cannot find the file specified. Exception calling "SecureStringToBSTR" with "1" argument(s): "Value cannot be null. Parameter name: s"
    The system cannot find the file specified. 
    So is there some known issue with SCOM Agent / management pack when you are dealing with convertto-securestring function with encrypted passwords?
    I used these methods to encrypt the password: Technet article about encryption

    I got it to work!
      <TypeDefinitions>
        <EntityTypes>
          <ClassTypes>
            <ClassType ID="MyClass" Accessibility="Public" Abstract="false" Base="Windows!Microsoft.Windows.LocalApplication" Hosted="true" Singleton="false" Extension="false" />
          </ClassTypes>
        </EntityTypes>
        <SecureReferences>
          <SecureReference ID="MyRunAsAccountProfile" Accessibility="Public" Context="System!System.Entity" />
        </SecureReferences>
    <ScriptBody>param (
      [string]$Username,
      [string]$Password
    )
    # Property bag that carries the monitor state back to SCOM
    $API = new-object -comObject "MOM.ScriptAPI"
    $PropertyBag = $API.CreatePropertyBag()
    # Build the credential from the Run As profile values passed in as parameters
    $cred = New-Object System.Management.Automation.PSCredential -Argumentlist @($Username,(ConvertTo-SecureString -String $Password -AsPlainText -Force))
    $s = New-PSSession -ComputerName "myserver" -Credential $cred
    # $service stays defined inside the persistent session between the two calls
    Invoke-Command -Session $s -ScriptBlock { $service = Get-Service -Name Spooler}
    $invcom = Invoke-Command -Session $s -ScriptBlock { $service.status}
    Remove-PSSession -Id $s.Id
    if ($invcom.Value -ne "Running") {
      $PropertyBag.AddValue("State","ERROR")
      $outputLongLine = "Spooler Service is not running on target server!"
      $PropertyBag.AddValue("Description", $outputLongLine)
    }
    else {
      $PropertyBag.AddValue("State","OK")
      $outputLongLine = "Spooler is Running on target server."
      $PropertyBag.AddValue("Description", $outputLongLine)
    }
    $PropertyBag</ScriptBody>
    <Parameters>
    <Parameter>
    <Name>Username</Name>
     <Value>$RunAs[Name="MyRunAsAccountProfile"]/Domain$\$RunAs[Name="MyRunAsAccountProfile"]/UserName$</Value>
    </Parameter>
    <Parameter>
    <Name>Password</Name>
    <Value>$RunAs[Name="MyRunAsAccountProfile"]/Password$</Value>
    </Parameter>

  • Can my MacBook Pro use boot camp with Windows 7 with BitLocker encryption?

    I'm at wit's end with this, and I'm hoping I can get some advice here.  I've read so many forum, posts and reviews that I'm not entirely sure what I can trust.
    I have an early 2011 MacBook Pro (MacBookPro8,3). I need to run Windows encrypted for work purposes. It needs to be real windows with full-disk encryption (FDE). The business tools run in boot camp, but not in Parallels, because Parallels doesn't support DirectX 11. I would also benefit greatly from an SSD.
    I do not want to do anything hacky like removing the Mac recovery partition, because I've read that just loading Disk Utility in OS X might mess up your partition boot tables as it tries to "fix" things. I don't want to have to manually recover to fix stuff or chance losing data.
    I have read (and tried) installing BitLocker on Windows 7 Ultimate under boot camp, but ran into the partition limit on my internal HDD. A maximum of 4 partitions are allowed, and between OS X, its recovery, boot camp, and the Windows partition, all 4 are used.
    I have considered one of the following, which may work:
    1. Install OWC's Data Doubler Kit with an additional 240GB SSD (http://eshop.macsales.com/item/OWC/DDMBS6E240/). I would replace the internal SuperDrive with the HDD, and install the new SSD on the faster SATA 6G port. Windows would be installed on the SSD and OS X would stay on the HDD.
    2. Replace the internal HDD with a new SSD (keeping the SuperDrive). I would lose OS X altogether and just have Windows installed.
    3. Forget the entire thing and just buy a PC for work.
    My thoughts are that with both options #1 and #2, I don't even know if these setups will allow BitLocker. In both cases, Windows will be the only partition on the drive, so I'm assuming that when BitLocker is installed, there will be room for the new partition it creates. With option #1, I'm pretty sure I'd still be using Boot Camp, but how would that work for option #2? Is boot camp used even though there is no Mac partition? Would I still need to keep the Mac Recovery partition for this to work? I'd probably need to use Boot Camp drivers under Windows, I think.
    I'd certainly be interested in using a self-encrypting drive (SED), especially a SSD, but I'm concerned that most of them appear to require TPM or BIOS functions that Mac's EFI does not provide. Such a drive would allow me to drop BitLocker, but I would need to be sure the self-encryption actually works on this setup. From what I've read, most of the SED drives will work just fine under EFI, but you won't be able to set or access the encryption password, which pretty much makes these drives unencrypted.
    I've read that BitLocker can be configured to use a flash drive as a decryption key, but I haven't been able to test that yet. I've tried creating bootable flash drives under Windows and OS X, and none of them seem to appear when I access the boot menu (hold option during boot chime). I don't even know if this system supports bootable USB flash drives, or whether they can be used as a BitLocker key under boot camp.
    For the record, I have attempted to use an external thunderbolt drive as my Windows partition, but Windows doesn't want to be installed on removable media, and even if it worked, I believe you can only boot OS X from thunderbolt. I do have a second OS X install booting from the thunderbolt drive, so I know that works. Also, FileVault 2 is installed on my OS X partition, and I read something about FV2 using the Recovery partition somehow so you can't remove the recovery partition to make room for BitLocker.
    So ... does anyone have any suggestions preferably based on personal experience as to whether options #1 or #2 should work for my needs?
    At this point, I'm really thinking I should just bite the bullet and purchase a PC that I will forever look down upon.

    Are you using a MacBook Pro? Is everything installed on the same drive?
    I would love to know how that install was performed. When I install Windows under boot camp, my MacBook Pro drive ends up with 4 partitions: Mac, Mac Recovery, Windows, and a small partition that I believe is used by boot camp.
    Installing BitLocker on Windows requires the creation of a new small partition that Windows will boot off. The small partition is unencrypted, while the primary Windows partition will get encrypted. The following post discusses the maximum partition issue: https://discussions.apple.com/message/22753791#22753791
    Has anyone installed Windows through boot camp on its own drive, and if so, can BitLocker be installed on that without reaching any partition limit? I'm assuming that's possible, but would like to know before I spend hundreds on new hardware.
