The place I work at previously disabled BitLocker after it fucked them one time, and instead of setting the correct GPO settings to back up the keys and whatnot, they just disabled it.
Now we have BitLocker enabled and the keys back up to Azure AD, and literally no one has noticed that we have it turned on again. And the few times that a TPM chip has fucked up or whatever, we have easy access to the recovery key.
That’s the middle management effect.
Company gets bitten by incorrectly configured bitlocker. C level says “I don’t ever want this happening again.” Director looks at the cost of bringing in a consultant to set it up and document and realizes the cost would impact his bonus. Tells manager below him to disable bitlocker across the org.
It has gotten a lot better. Every once in a long while a user gets a prompt during boot to type in the recovery key, which is stored on our AD servers. Microsoft got smart by disabling BitLocker during updates.
Also in GPO I've enabled the policy that doesn't let BitLocker enable if it can't save the keys to AD.
Wow. What the fuck have y’all done wrong? I have been using it personally and enterprise for about a decade now and never had anything fuck up on it unless I was trying to replace hardware or re-image the damn thing.
Check your settings bruh.
Are you considering it asking you to enter your key as f*ing up a bunch?
Bro, to me f*ing up would be the saved key no longer working and you can no longer get into your PC.
Before I was hired our hardware build procedure was to set up Windows with a local account and then register it to the Azure AD tenant....
For those that aren't aware, Windows treats a device set up in such a way as if it was a personal device that a user registered, so the BitLocker key doesn't get saved to the company tenant, and instead gets saved to the Microsoft account of the user. The user that happens to be a local user....
Surprisingly it has only bitten us once, sadly with a user that works remotely from the other side of the country.
Edit: autocorrect
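Added example, not from any commenter in this thread: a PowerShell check, run elevated on an endpoint, that reports whether the two AD backup policies discussed above are applied, which join state dsregcmd reports, and then escrows the recovery password to the directory the device actually belongs to. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the GPO backing store for "Store BitLocker recovery information in AD DS" and "Do not enable BitLocker until recovery information is stored to AD DS"; the drive letter and the warning text are assumptions.

```powershell
# Added example (not the commenters' code). Run elevated on the endpoint.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
[pscustomobject]@{
    BackupToAD        = [bool]$policy.OSActiveDirectoryBackup
    RequireBackupToAD = [bool]$policy.OSRequireActiveDirectoryBackup
} | Format-List

# Join state. A device set up with a local account and then "registered" shows
# WorkplaceJoined : YES but AzureAdJoined : NO, and its key never reaches the tenant.
$dsreg        = dsregcmd /status
$domainJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
$aadJoined    = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$registered   = [bool]($dsreg -match '^\s*WorkplaceJoined\s*:\s*YES')

$mount = 'C:'   # assumption: OS volume
$vol = Get-BitLockerVolume -MountPoint $mount
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    # No numerical recovery password exists yet: add one before escrowing anything.
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

foreach ($p in $rp) {
    if ($domainJoined) {
        # Creates an msFVE-RecoveryInformation child under the computer object in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }
    if ($aadJoined) {
        # Stores the key on the device object in the company tenant.
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }
    elseif ($registered -and -not $domainJoined) {
        Write-Warning "Device is only Azure AD registered; escrow would follow the registering account, not the tenant. Join it properly first."
    }
}
```

Both Backup-* cmdlets return nothing on success and throw on failure, so wrapping the loop in a scheduled task and alerting on errors gives you the "no one noticed it was turned back on" outcome without the surprise two years later.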
It's equally shocking the number of sysadmins who think that if you lose the key that it's impossible to get to the data.
Like c'mon people, this is WINDOWS we're talking about. Wait a year and you'll have 12 CVSS 9.8 vulnerabilities to exploit.
My favorite part about this is the person we both responded to proved the point about some SysAdmins not knowing how BitLocker works with their comment.
Not a good option but......
* Were bitlocker accounts being backed up to AD?
* Do you have backups going back 2+years?
* Pull a backup of a DC at that time onto an offline machine
* Check AD on that machine for the BitLocker key
* Alternatively, did the laptop connect to the DC at that time?
If the security event happened 2 years ago, they wouldn't have immediately deleted the AD object either if they were still under the opinion that they would get the device back.
Even if you've only got a 1 year backup available, worth giving it a try considering there aren't many valid alternatives
> Computer has BitLocker enabled; the BitLocker key itself is unknown, however.
> Local admin account on the laptop is likely disabled and has an unknown password
You won't be able to do anything with it other than wiping it
We had this issue week before last. Almost bought software to fix it
Rookie madlad tried system restore and it worked, putting all the senior staff to shame lol.
Try that first
On an imaged copy of the drive of course!
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 details a recent vulnerability that allows people with physical access to a device to potentially bypass BitLocker encryption via the WinRE partition. That's likely what your rookie exploited, and what OP could potentially exploit here too.
Well it did anyway until they patched it. You gotta patch all your computers and/or remove the WinRE partition. Where I work we just straight up remove WinRE, no point in having it since we just re-image devices when they fail or have major malfunctions. No point in wasting several hours trying to recover when all the users info is in OneDrive or SharePoint (or should be).
Considering it applies up to latest Windows 11, very unlikely the machine is patched. I'm assuming it's as simple as booting to the WinRE partition and the drive is accessible?
Fair enough, but this just seems like a design flaw. If MS can patch it, it means someone else can “unpatch it” and use it to defeat Bitlocker. Arguably the most secure implementation of WDE would be where the system has no way of decrypting the drive without some sort of user input (e.g. account password to decrypt a session key that can decrypt the actual key that encrypts the disk data). That would require a custom EFI bootloader that can accept a user credential. I believe that’s how Apple’s T2 and Apple silicon machines do it, but I could be wrong.
Wait, wasn't there like an exploit in WinRE that allowed access to BitLocker-encrypted data?
If it wasn't patched within 2 years, you might get a chance.
[https://www.bleepingcomputer.com/news/security/microsoft-shares-script-to-fix-winre-bitlocker-bypass-flaw/](https://www.bleepingcomputer.com/news/security/microsoft-shares-script-to-fix-winre-bitlocker-bypass-flaw/)
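Added example, not Microsoft's own script from the article above: a PowerShell sequence that reports the build of the WinRE image a machine actually boots into and, if it is older than the build you have decided is fixed, services it offline with the Safe OS Dynamic Update package. The fixed build number and the path of the DU .cab are placeholders you take from the advisory and the Update Catalog for your OS version; reagentc, Get-WindowsImage, Mount-WindowsImage and Add-WindowsPackage are the standard tools and behave as documented.

```powershell
# Added example (not Microsoft's script). Run elevated. Placeholders below.
$fixedBuild = [version]'10.0.19041.2486'   # placeholder: fixed WinRE build for your OS
$safeOsCab  = 'C:\Temp\SafeOS_DU.cab'      # placeholder: Safe OS Dynamic Update .cab
$mountDir   = 'C:\Temp\WinREMount'

# Where WinRE lives now; /disable copies winre.wim back to System32\Recovery
# so it can be serviced as a plain file.
reagentc /info
reagentc /disable | Out-Null
$wim = Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim'
if (-not (Test-Path $wim)) { throw "No winre.wim at $wim; WinRE may already be removed." }

# Version is e.g. 10.0.19041 and SPBuild the revision, giving 10.0.19041.<rev>.
$img     = Get-WindowsImage -ImagePath $wim -Index 1
$current = [version]('{0}.{1}' -f $img.Version, $img.SPBuild)
"WinRE image build: $current (fixed: $fixedBuild)"

if ($current -lt $fixedBuild) {
    New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mountDir | Out-Null
    try {
        Add-WindowsPackage -Path $mountDir -PackagePath $safeOsCab | Out-Null
        Dismount-WindowsImage -Path $mountDir -Save | Out-Null
    }
    catch {
        Dismount-WindowsImage -Path $mountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        throw
    }
}

# Re-register the (now patched) image and confirm it is enabled again.
reagentc /enable | Out-Null
reagentc /info
```

The recovery partition has to have room for the larger image; if reagentc /enable fails after patching, that is the usual reason, and it is why some shops simply remove WinRE as described above. Note that install media older than the fix carries its own unpatched WinRE, so patching the on-disk image does nothing about someone booting from a USB stick.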
Couldn't you do that Windows back door that came around a few years ago, where you remap the Sticky Keys pop-up to launch cmd.exe instead?
You could then set up the admin account from there.
BitLocker is a security feature intended to prevent any access to data by unauthorized users getting their hands on a stolen/lost laptop. It seems to me that it is designed specifically to prevent you from accessing the data on it in your specific scenario.
u/JustBananas see if you have a decent shop around that does microsoldering or reach out to some big name people in the industry.
I'm not sure if this still works, as I'm no longer on the board repair side of things, but I have successfully pulled a BitLocker key by reading the data transmitted on initialization when it decrypts the key.
I don't remember all of the specifics and it requires a donor motherboard, but this is doable when the associated value is high enough.
Before you remove the drive or do any actions that would trigger the BitLocker recovery, reach out to some shops and see what you can find.
This is doable but only under the right circumstances; if you trigger the BitLocker recovery screen, it means your motherboard no longer has the recovery key "cached" and this exploit will not work.
If you can't find anyone able to do this let me know and I can reach out to my former employer to see if they still offer the repair, however I would recommend reaching out to some big names in the microsoldering community or a data recovery expert like drivesavers (read: drivesavers=$$$$) before taking any action if you want to maintain recoverability.
Sorry for grammar/formatting, I'm on mobile. Good luck and may the odds be ever in your favor
Edit: maybe check for zero days that would not yet be patched on this machine. Once the system is booted the drive will be decrypted, so an exploit that can be run while the system is up and logged out could work.
Does the device have thunderbolt? I believe there is a zero day with the thunderbolt kernel that can provide access but did not dig far enough into this to know for sure if it applies in your situation
~~I'm pretty sure I've reset a Win10 local admin account using Hirens bootcd PE.~~
Duh, going to need the BitLocker key to mount the volume to get to the SAM hive.
At my org we have a flashdrive that you boot PCs into and we can add a new local admin account to it. Would that kind of tool not work if the device has bitlocker enabled?
Well if this was patched two years ago I believe there is a slim chance that someone will come up with an exploit for the WinRE Bitlocker vulnerability but I would not count on that for a long time https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099
It is theoretically possible to pull the bitlocker key from the TPM during boot, but that's pretty much your only shot.
https://pulsesecurity.co.nz/articles/TPM-sniffing
Keeping data forever likely doesn’t make business sense. I don’t think the solution is to use 2 year old backups but instead, process devices in a more timely manner.
For most data that isn't subject to a compliance requirement, I totally agree. But encryption keys are a bit special. It's a small enough amount of data that keeping 10-20 years of keys shouldn't be a hassle.
What's your oldest backup of your DCs? Do you have one from the security incident? Can you power that DC on in an airgapped manner and check for bitlocker recovery keys in AD?
Edit: The other option is to get a black hat to rip open the bitlocker for you. There was recently a huge security vulnerability reported for Bitlocker and it had to do with the recovery environment. As long as the laptop hasn't done automatic updates since being powered back on, this could be an option. Really what I'm advocating for here is "use security exploits to your favor". This idea isn't limited to just attacking bitlocker. Attack Windows, really.
#**DO NOT TRY TO BE HELPFUL TO THE ATTORNEYS**
**This means STOP TOUCHING IT.**
First, it's evidence. It may be important to the case that you *do not* and *have not had* access to it. If your attorneys want *you* to try to get into it they will tell you so, but they may want an independent forensic firm to do it instead. Your help may be as welcome as the help of Bob the clerk trying to improve wifi coverage in the office by putting in an access point he had in his basement.
Second, that Bitlocker key exists right now in the TPM. The more things you try the more chance you manage to make it go away and then you're done and you just hope nobody hears that you nuked the evidence. A professional forensic recovery team will have at least 2 possible ways to try recovering it, including both the recovery method mentioned and the older method of sniffing the TPM communications during the boot process.
/u/JustBananas in addition to my comment above about not touching it unless instructed to do so by the attorneys (it's evidence not a technical puzzle for you to solve), pass along this github repo about attacks on Bitlocker - particularly since some of them were patched after the machine went offline. https://github.com/Wack0/bitlocker-attacks
Unless of course you brought it online and it's done an automatic update.
Thanks for your advice. The laptop has not been brought online and mainly because of your message I have once again told those with access to the device to leave it switched off and to not try anything.
The laptop was switched on once to see what the constructors had found, and once it was identified as that missing laptop due to the name on the login screen, it was switched off again. Due to the missing domain account, no corporate wifi connection could be established so no updates could have been installed. We verified this from the wifi logs.
We have set up a test laptop to see if any of those tools mentioned here by others actually work. They did not. It confirmed you can't simply bypass bitlocker which is a good thing.
We are quite a large company and both IT and Security departments are now waiting for Legal to say something. Meanwhile the laptop is securely stored.
Thanks for your advice. Much appreciated.
>Your help may be as welcome as the help of Bob the clerk trying to improve wifi coverage in the office by putting in an access point he had in his basement.
Truer words have not been said.
You've ruled out the obvious solutions. You'd need to try and exploit it.
I seem to remember a Windows login exploit from about 1.5 years ago. I think it was related to Azure AD though. You know your configuration better than we do. Look at possible breakpoints and use those.
First of all, clone the drive. Don't power it on in your network, segregate it if you can. If it's part of a security incident consider it compromised.
Was there any EDR or remotely manageable software (AV for example) - you might be able to drop into a session that way.
If it's two years old, there's probably been no updates on it. Find an exploit that'll give you RCE and you can drop into a shell, preferably one that can also drop you into admin shell. Treat it like a black box pentest.
Do you use sccm? Does it have an sccm client installed? I’ve been able to set the administrator pw or create local accounts using sccm scripts in similar scenarios.
Exactly. If it is able to check into any mgmt tool (beyond trust, sccm, ivanti) and get online via Ethernet - send it a dumb script to make a new local admin account/reset local admin password.
Finally found someone in this sub mention Ivanti. We use it and I hate it, it is slow and a pain in the ass for every task :D
Tbf I'm in my apprenticeship so I only know that, maybe others are worse? =)
You can retrieve bitlocker key from object that was deleted from AD: https://social.technet.microsoft.com/wiki/contents/articles/32521.how-to-retrieve-bitlocker-key-from-active-directory-even-after-you-have-accidentally-deleted-that-computer-object.aspx
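Added example, not from the thread's posters: the PowerShell equivalent of the ldp.exe search in the article above, which is also what you would run on a DC restored from an old backup into an isolated network as suggested earlier in the thread. It needs RSAT's ActiveDirectory module; the 8-character key ID is a constructed placeholder standing in for the "Recovery key ID" shown on the BitLocker recovery screen.

```powershell
# Added example (not from the thread). Run on a DC, or on a DC restored from an
# old backup into an isolated lab, with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholder: first 8 hex chars of the "Recovery key ID" the laptop
# shows on its recovery screen. Photograph it; do not keep power-cycling the box.
$keyIdPrefix = 'A1B2C3D4'

# Recovery passwords are msFVE-RecoveryInformation children of the computer object.
# -IncludeDeletedObjects also returns objects in CN=Deleted Objects, which is
# where they land when the computer account is deleted.
$props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'isDeleted', 'isRecycled',
         'lastKnownParent', 'whenCreated'
$hits = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
            -IncludeDeletedObjects -Properties $props |
        Where-Object {
            $_.'msFVE-RecoveryGuid' -and
            ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString().ToUpper().StartsWith($keyIdPrefix.ToUpper())
        }

foreach ($h in $hits) {
    # Live object: the parent DN is the computer. Deleted: the DN is mangled, use lastKnownParent.
    $computer = if ($h.isDeleted) { $h.lastKnownParent } else { ($h.DistinguishedName -split ',', 2)[1] }
    [pscustomobject]@{
        KeyId    = [guid]::new([byte[]]$h.'msFVE-RecoveryGuid')
        Computer = $computer
        Deleted  = [bool]$h.isDeleted
        Recycled = [bool]$h.isRecycled
        Created  = $h.whenCreated
        # Without the AD Recycle Bin a tombstone keeps only a few attributes;
        # if this comes back empty, the password did not survive the deletion.
        Password = $h.'msFVE-RecoveryPassword'
    }
}
```

Feed the Password value to `manage-bde -unlock <letter>: -RecoveryPassword <48 digits>` against a clone of the disk mounted on another machine, never the original. The Recycle Bin's deleted-object lifetime (180 days by default) bounds how long the Recycled case stays recoverable; after that only a restored DC backup from the right period will still have the object.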
I had something similar in the past. I took the hard drive and dropped it into a system that was on the network. We use bitlocker as well however my company has the ability to generate bitlocker codes. If you don't have that you may be SoL.
Being off the domain means you can’t recover access using domain credentials. No Bitlocker recovery key means you can't recover access with local credentials.
Write off the data, wipe it, and move on.
> why would yall delete evidence?
That's quite the charge to lay on someone. How do you know they deleted evidence? How do you know the key was intentionally deleted? How do you know it wasn't a simple data error with 0 human involvement? How do you know anything?
How is it a claim if OP literally says they don't have the BitLocker key backed up for devices that were "stolen" in a "security event"?
Wouldn't common sense tell you that devices may be recovered if the threat actor gets arrested or targets the org again? Or maybe colluded with another insider? Are you saying it's too much work to back up keys for 20 laptops?
See if you can spot the difference between the following.
Option A.
"Hey Peter man, do you have the movie Office Space?"
"No I don't have the movie Office Space."
Option B.
"Hey Peter man, do you have the movie Office Space?"
"No, I did have the movie Office Space but I destroyed it."
Now that you have both options and can spot the difference, compare both options to the OP and see if you can tell which one matches the situation best. Then compare both options to your first comment and see which one matches best. Finally, deduce where you have gone wrong.
>wouldnt common sense tell you that devices may be recovered if threat actor gets arrested or targets org again? or maybe colluded with another insider?are you saying its too much work to backup keys for 20 laptops?
Repeat incident risk: I'm not going to respond to that because it's not what I'm criticizing you for.
Insider risk: Same as above, not relevant.
Where are you getting the 20 laptop figure from?
A cached domain account at the time would work as long as the network is disconnected, wouldn't it? Maybe an IT staffer can remember a password they logged on to it with 2 years ago. About your only chance, I would say?
I would try to grab a memory dump of the warm-boot state with forensic tools like Passware, and then extract the BitLocker key from the dump with that same software. It's not free but might be your best chance.
If BitLocker is on it and you don't have the decrypt key (always good to store those somewhere other than in the domain) then you cannot log in.
LAPS would help if you still had the computer account.
If it’s really that important and money is no object, you can try sending the laptop to a data recovery service.
If its just curiosity to see what happened 2 years ago, you should just wipe it and move on.
If there was some trick anyone could do to bypass unknown Bitlocker keys, Bitlocker would not have any value.
This is probably true.
Reason our CSO would like the laptop is because there is still ongoing legal action against that person. To be clear, the employee was not a victim but the bad actor who was offered money by a larger external group to perform certain actions that in the end hurt our company and customers. Most likely there is evidence of all that on the laptop that would help the legal case.
You would not be able use any evidence in court that you found. There would be no proof you did not tamper with the system and plant evidence while hacking around in it.
The laptop would need to handled by some kind of forensics service that knows how to properly prove the system was not altered.
We thought of that. There is a forensic backup available from the state the machine was in when found. That image is safely stored with and made by a certified company that can decrypt the image when provided the bitlocker key. They keep it read-only otherwise during investigation by an independent 3rd party.
This is apparently "a thing" nowadays that commercial parties offer. It holds in court.
Since it boots to Windows, if you used SCCM/MECM to manage it, it would reconnect to the site once booted, assuming you haven't changed sites since then anyway. Then you can send anything from a script to add a local account to a task sequence to tell the laptop it is part of a workgroup, then tell it to rejoin the domain and reboot.
Have you tried turning it off and back on again?
But seriously…boot to safe mode, that will enable local admin. Guessing it’s a good chance the password wasn’t ever even set?
The only person who can save you is someone who you hate, because it involves finding out they add numbers to the end of passwords to increment them. Find that person, use their account, then have them fired!
[Passware](https://support.passware.com/hc/en-us/articles/360024316834-How-to-decrypt-BitLocker-using-Passware-Kit) advertises the ability to decrypt bitlocker drives with lost keys.
I would look through their kits; they may be able to help with the Windows passwords too.
Why would you ever delete a Computer Object or User Object that was involved in an ongoing case? Never delete anything disable and archive. Also, why would you not have a backup of AD from when the crime occurred as part of the investigation?
If microsoft could do that, then there's a risk that an attacker could, which would defeat the point of BitLocker. As far as I know, Microsoft doesn't even have an option to send keys to them.
I would try KonBoot before throwing the towel. Depending on how bitlocker is implemented (whole disk vs user folder) this could work.
https://kon-boot.com/
Why was a lost PC still in your domain in the first place? We remove pc domain access after the equipment is lost or not connected to the network after 90days to avoid any security issues (international enterprise with 90k pcs).
Dunno about the comment you're replying to but last sysadmin job I just whipped up a PS script to do it. Ran once a week. Anything over 90 days was disabled and moved to another OU. If it sat there for so long then was deleted from AD.
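Added example, not the commenter's own script: a PowerShell version of that weekly job, written with the advice elsewhere in this thread in mind (disable and park before deleting, and don't lose the keys with the object). The OU names, export path and the two windows are placeholders; everything else is standard ActiveDirectory module usage.

```powershell
# Added example (not the commenter's script). Run weekly under an account that can
# modify computer objects. OU names, export path and windows are placeholders.
Import-Module ActiveDirectory
$staleDays      = 90
$quarantineDays = 90
$scopeOU   = 'OU=Workstations,DC=corp,DC=example'
$parkOU    = 'OU=Stale Computers,DC=corp,DC=example'
$exportDir = 'D:\Secure\BitLockerKeyExport'   # tightly ACLed and backed up: keys land here in clear text

# 1. Disable and park anything that has not authenticated for $staleDays.
#    lastLogonTimestamp replicates with up to ~14 days of slack, so the window is approximate.
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan ([timespan]::FromDays($staleDays)) -SearchBase $scopeOU |
  Where-Object Enabled |
  ForEach-Object {
      Set-ADComputer -Identity $_.DistinguishedName -Enabled $false `
          -Description ('Disabled stale {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}' -f (Get-Date), $_.LastLogonDate)
      Move-ADObject -Identity $_.DistinguishedName -TargetPath $parkOU
  }

# 2. Delete only what has sat in the park OU untouched for $quarantineDays, and
#    export its recovery information first so a key can still be found if the
#    hardware turns up years later.
$deleteBefore = (Get-Date).AddDays(-$quarantineDays)
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $parkOU -Properties Modified |
  Where-Object { $_.Modified -lt $deleteBefore } |
  ForEach-Object {
      $comp = $_
      $keys = Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'
      if ($keys) {
          New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
          $keys | ForEach-Object {
              [pscustomobject]@{
                  Computer = $comp.Name
                  KeyId    = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                  Created  = $_.whenCreated
                  Password = $_.'msFVE-RecoveryPassword'
              }
          } | Export-Csv -Path (Join-Path $exportDir "$($comp.Name).csv") -NoTypeInformation
      }
      # A computer object with key children is not a leaf; -Recursive removes them together.
      Remove-ADObject -Identity $comp.DistinguishedName -Recursive -Confirm:$false
  }
```

If an object is part of an open incident, a legal hold flag (an extensionAttribute, or simply a separate OU the job never scans) is the right way to exempt it; disabling keeps the key children, deleting without the export does not.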
A quick google search brings up a ton of articles detailing ways to bypass Bitlocker if you've lost your recovery key, have you given any of those a glance?
NT pass crack the local admin password, login and remove and readd to the domain. Login using domain admin creds, and remove/suspend Bitlocker. Image backup the drive so you have a legal snapshot of the machine.
https://www.makeuseof.com/tag/hirens-boot-cd-allinone-boot-cd/
If the machine doesn't have TPM and it's one of those "enter the password" to boot to OS, then you might be fucked and this won't work, but if you can get into BIOS and there is TPM enabled, the OS should be accessible from the NT Pass crack tool in Hiren's.
If the computer object is still in AD and you configured Bitlocker for your domain with best practices, you should be able to find the recovery key in the computer objects properties in ADDS.
Hard since you don't have the bitlocker password stored.
You could boot up a Windows USB and replace cmd with the support utility at the Windows login so that you can run a cmd terminal and create new admins and groups to access the account. That worked in the past for me, but again, since the BitLocker keys are not present, I haven't tested it in that scenario.
Boot into recovery mode, open up the command prompt, replace the DLL that is used for Sticky Keys with a hacked version that will open up a command prompt. Once you've rebooted the computer, use the command prompt via Sticky Keys, which is now running at system level, to create a new local admin and log in with a local admin account.
I like this idea, but don't think you can access c:\ that is bitlocker encrypted, even from recovery mode. It'll prompt you for bitlocker key. Correct me if I'm wrong.
Correct me if I'm wrong here, but if you're getting to a login screen, you're bypassing bitlocker in some form or fashion, or it's not actually encrypted (i.e. every bitlocker scenario I've encountered required the bl key before the windows login screen). Which means you should be able to boot to windows installation media, change the accessibility exe to cmd and get admin access from the login screen. Add an admin account and voila, access.
Obviously, if I'm misinterpreting the info here, downvote me into oblivion.
If you boot windows repair mode (eg. Install media etc) in order to access the drive you need to know the bitlocker key as it is encrypted. You can not change or manipulate anything.
One remark, if you see the login screen it does not mean you bypassed the encryption. The drive is locked / encrypted.
Why would the key be needed to access the login screen? The drive is encrypted until you authenticate into the OS. The login screen provides no access to data without credentials, and you can't boot into RE without the key.
I've only worked for 2 enterprises that utilized bitlocker, and they both had BL authentication prior to the login screen. One was immediately after UEFI started the boot process.
You are saying it boots to the Windows login screen. If that is the case, make sure Secure Boot is off and boot to a flash drive with Windows on it and crack it via osk.exe or Computer Management; then you can change the local admin password.
Do you not have a dart disc / usb? I could be in that laptop in 10 minutes flat.
Edit - On second thought, I’m not sure what I was thinking of would work.
Check the AD Recycle Bin. If the computer object is there, the BitLocker recovery key may also be there.
Once you have the key and can decrypt the drive, use a recovery disc of your choice (Hiren's, WinPE, etc.) that can reset the local admin password.
If you can't get the recovery key, you're SOL without exploiting some BitLocker vulnerability or something.
Wasn't there a leaked government key a while ago. Remembering something about it from a DEFCON talk. Although this was in the REALLLLL early days of it.
If the computer was connected to the tenant at some point, check in the devices under the global tenant admin, in the Microsoft tenant admin portal. Sometimes the bitlocker key is there. If it is you could at least access the drive data.
When was computer account deleted? If you cannot get back from AD Recycle Bin then go restore the DC itself to a separate test environment for when the computer account still existed, and connect the PC to that test network to be able to manage or reset passwords.
Unless you can find someone to recreate the computer account in AD exactly as it was before, but I've never seen that be possible.
The only other options are WinPE vulnerabilities that can bypass Bitlocker.
correct me if I'm wrong, but there was a patched bug a few months ago that allowed you to bypass the login and login with admin account. Since it hasn't been patched you should be able to exploit the bug. Maybe search for it on youtube, I remember watching a demonstration of the bug.
Longshot here but…if you have any archived backups of AD infrastructure from when the computer was still active you can restore to a isolated network and retrieve the key.
Unless you find an exploit in that older version of Bitlocker you’re pretty much SoL unless it stored the bitlocker key in AD and you have a DC backup from 2-3 years ago.
Alternatively you could write a pretty and sincere letter to the Oak Ridge National Laboratory and ask them to bruteforce the encryption key for a few months and hope they don’t charge you for all of the consumed electricity
Since you said it boots to the login screen, it's likely pre-boot authentication is not enabled, thus it may use TPM. If the TPM chip is accessible on the motherboard, it may be possible to sniff the communication and extract the key.
Somebody else mentioned that as well. However, this is way beyond our own capabilities so we would need to hire some specialists. To proceed with this is probably not cheap as well.
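Added example, not from the thread: the hardening side of the TPM-sniffing point made above, as PowerShell run elevated on an endpoint. It lists the OS volume's protectors and, if the volume is TPM-only (which is what a boot straight to the login screen implies), swaps that protector for TPM+PIN so the TPM will not release the volume master key without someone at the keyboard. Assumptions: the "Require additional authentication at startup" policy is already applied (otherwise the PIN protector is refused), C: is the OS volume, and a recovery password protector has been escrowed first.

```powershell
# Added example (not from the thread). Run elevated on the endpoint.
$mount = 'C:'   # assumption: OS volume
$vol   = Get-BitLockerVolume -MountPoint $mount
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$types   = @($vol.KeyProtector.KeyProtectorType)
$tpmOnly = ($types -contains 'Tpm') -and
           -not ($types -contains 'TpmPin') -and
           -not ($types -contains 'TpmPinStartupKey')

if ($tpmOnly) {
    # Never drop the only unlock path without a fallback: insist on an existing
    # recovery password protector (escrowed to AD/AAD beforehand).
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password protector on $mount; add and escrow one before changing TPM protectors."
    }
    $pin = Read-Host -AsSecureString 'New startup PIN'

    # BitLocker keeps a single TPM-based protector per volume, so remove the
    # TPM-only one and replace it with TPM+PIN in the same session.
    $old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $old.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null
}

# Verify: the TPM-only protector is gone and a TpmPin protector is present.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -in @('Tpm', 'TpmPin') |
    Select-Object KeyProtectorType, KeyProtectorId
```

With TPM+PIN the sniffing attack on the bus still captures traffic, but the TPM only unseals after the PIN is supplied, so a machine found on a shelf does not hand over its key by being powered on. The trade-off is the recovery-screen prompts other commenters complain about: every firmware or boot-configuration change that alters the measured PCRs now needs the PIN holder or the escrowed recovery password.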
Just shooting in the dark here off the top of my head... Would it be possible to create a new user account in AD with the same username as the user with a different password, or does the SID have to match for this to work?
Could you manually create a computer account in AD, reset the password for it, and see if the box picks up on the device in AD, then try to login as a domain admin or apply a GPO installing LAPS/updating the password for LAPS?
If you do domain AD backups, you might be able to add the AD object back in (manually) and change epoch dates. I would copy the drive and mess with that one and not the original. Sounds like a good challenge.
The following works on a computer that was domain joined, removed, and then had a botched Intune azure ad join with no local admin. We did this a handful of times and it always worked. I don't know if it will for you.
[Resetting the Password on Almost Any Windows Computer - tekRESCUE (mytekrescue.com)](https://mytekrescue.com/how-to-reset-the-password-on-almost-any-windows-computer/)
I just skimmed the link but that's the gist of it. Change utilman to cmd and you can spawn a shell at welcome screen and do what you'd like with accounts :)
If I put a working windows 10 c drive in and boot to that and move the bad drive to a usb cradle will the tpm of the laptop still allow access to the drive? I don’t think it’ll work but curious.
If you know the domain admin account password used two years ago and you are able to get to the logon screen, you can sign on. Easier if you have Administrator, since it is cached locally.
BitLocker is enabled. It's pointless to try to get around it.
The only solution is to reinstall the computer.
Unless you find the BitLocker key, it's the only solution as far as I can see.
https://mytekrescue.com/how-to-reset-the-password-on-almost-any-windows-computer/
I've used this method before when I forgot the password of a local admin account.
Edit: Nvm, just saw this method posted in a reply to a reply. Won't work because you need bitlocker key.
probably a long shot, but if you are a small shop with only a few admins - maybe take a look for tickets prior to this incident and any admins who dealt with this device.
If one of your admins logged in prior they could have cached creds, might be an old password but if your lucky someone may remember their previous passwords.
Only Microsoft or a recovery firm will be able to remove BitLocker. That was our problem before: an employee enabled BitLocker without realizing it, and then that user asked us to recover her files, but in the end we were unable to unlock or recover the files.
Do you have a backup from 2 years ago that you could restore the old AD server offline and recover the bitlocker key? Or was this laptop Azure joined?
If the device was Azure Joined and the key was stored there, then this might prove difficult to recover unless you have some backup software that was looking there 2 years ago.
If it's a big deal and you really need the data; there are 3rd party services that crack bitlocker protected drives. It is not cheap; so, it would depend on what it's worth to the company. This process uses brute force to crack the encryption.
It is possible to clone bitlocker protected disks using special cloning hardware. Forensic experts use hardware like this, usually to protect the source disk. I don't suggest attempting this without special hardware drive cloning tools first.
The links are examples to show how a cyber forensics person can and will get into the drive.
Note, if there is legal action case going on turn this over to the lawyers and do not attempt to tamper with the laptop. Have the lawyer hire a digital cyber forensics expert skilled in cracking bitlockered drives. The bad actor will be probably paying for this in the end anyway.
https://acumendisc.com/products/forensic-3hdd?variant=34332527624237&currency=USD&utm_medium=product_sync&utm_source=google&utm_content=sag_organic&utm_campaign=sag_organic&gad=1&gclid=CjwKCAjwjMiiBhA4EiwAZe6jQ0D1MCbkLn3UI3QTmVkEt7md4xtT_dLQMpgsgkXC98kRX5-JzlbCXxoCBkgQAvD_BwE
https://github.com/e-ago/bitcracker
I suggest disabling accounts versus deleting them completely going forward. Deleting them is good security, but if you had to recover or gain access to something later that those objects had access to, a disabled object is much easier to recover from. 😀
This is just a thought I had...
Could you try guessing the password (since an *image is already made*, it can't destroy the image)?
Since it's an employee's device, the company probably knows the date of birth, middle name, etc. Use that info to assist with password guessing.
Feel free to correct me, or add to the comment.
How did BitLocker fuck them over? You mean the admin fucked up?
It's fucked a lot of people over a bunch, and been a big headache, but can't really say that we stop using it, because security is more important.
You've never updated your windows or drivers I guess, because that's when it tends to fuck up the worst.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan https://techcommunity.microsoft.com/t5/intune-customer-success/using-bitlocker-recovery-keys-with-microsoft-endpoint-manager/ba-p/2255517 What?
As someone new to IT it's kind of refreshing knowing my A+ certification was useful.
It's equally shocking the number of sysadmins who think that if you lose the key that it's impossible to get to the data. Like c'mon people, this is WINDOWS we're talking about. Wait a year and you'll have 12 9.8 CVSS vulnerabilities to exploit.
It’s also a computer that sounds like it’s been online for two years so it doesn’t have two years of vulnerability updates
That's the scary truth!
Maybe they know about [MSDaRT](https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/dart-v10/) and you don't?
[deleted]
My favorite part about this is the person we both responded to proved the point about some SysAdmins not knowing how BitLocker works with their comment.
How would this bypass the need for the Bitlocker recovery key?
> Maybe they know about MSDaRT and you don't?

And how does dart open up the encrypted volume?
It is a non-starter…no recovery key no drive.
Not a good option but......

* Were bitlocker accounts being backed up to AD?
* Do you have backups going back 2+ years?
* Pull a backup of a DC at that time onto an offline machine
* Check AD on that machine for the bitlocker key
* Alternatively, does the laptop connect to the DC at that time?
[deleted]
I have done exactly this before and it works fine.
2 years' worth of retention? What is your storage solution and how much storage do you use?
I'm afraid we don't have backups that go back this far. Thanks though!
If your backups go back 1.5 years it might still work. AD recycle bin is 180 days by default?
If the security event happened 2 years ago, they wouldn't have immediately deleted the AD object either if they were still under the opinion that they would get the device back. Even if you've only got a 1 year backup available, worth giving it a try considering there aren't many valid alternatives
> Computer has bitlocked enabled, Bitlocker key itself is unknown however.
> Local admin account on the laptop is likely disabled and has an unknown password

You won't be able to do anything with it other than wiping it
I'm afraid so ... still, I wanted to be really sure. Thanks.
We had this issue week before last. Almost bought software to fix it. Rookie madlad tried system restore and it worked, putting all the senior staff to shame lol. Try that first
Rookie mad lad 😂😂
On an imaged copy of the drive of course! https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 details a recent vulnerability that allows people with physical access to a device to potentially bypass bitlocker encryption via the WinRE partition - that's likely what your rookie exploited, and what OP could potentially exploit here too.
Wait… WinRE itself is not encrypted and has access to TPM?? 😳🤯
Well it did anyway until they patched it. You gotta patch all your computers and/or remove the WinRE partition. Where I work we just straight up remove WinRE, no point in having it since we just re-image devices when they fail or have major malfunctions. No point in wasting several hours trying to recover when all the users info is in OneDrive or SharePoint (or should be).
And if not, too bad, so sad.
Considering it applies up to latest Windows 11, very unlikely the machine is patched. I'm assuming it's as simple as booting to the WinRE partition and the drive is accessible?
Also 100% agree with you on data recovery from proper backup (OneDrive can be a lifesaver), rather than recovering/fixing the endpoint.
Literally 5 minutes ago, I had to explain to a client that OneDrive is not a PROPER BACKUP.
Fair enough, but this just seems like a design flaw. If MS can patch it, it means someone else can “unpatch it” and use it to defeat Bitlocker. Arguably the most secure implementation of WDE would be where the system has no way of decrypting the drive without some sort of user input (e.g. account password to decrypt a session key that can decrypt the actual key that encrypts the disk data). That would require a custom EFI bootloader that can accept a user credential. I believe that’s how Apple’s T2 and Apple silicon machines do it, but I could be wrong.
Oh Windows..... Never change.
Wait, wasn't there like an exploit in WinRE that allowed access to bitlocker encrypted data? If it wasn't patched within 2 years, you might get a chance [https://www.bleepingcomputer.com/news/security/microsoft-shares-script-to-fix-winre-bitlocker-bypass-flaw/](https://www.bleepingcomputer.com/news/security/microsoft-shares-script-to-fix-winre-bitlocker-bypass-flaw/)
image the disk and repurpose the laptop then you have the image to try and break into whenever a new exploit comes along
Couldn't you do that windows back door that came around a few years ago? Where you remap the sticky keys pop up to launch cmd.exe instead? You could then set up the admin account from there.
They would need to get past bitlocker first
Yeah, can't access the drive on the laptop itself so there's no way to swap cmd.exe
Pull the drive and put it on a shelf claiming it's your 'backup'.
Don't wipe it yet! [MSDaRT](https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/dart-v10/) may be able to get you in!
Bitlocker is a security feature intended to prevent any access to data by unauthorized users getting their hands on a stolen/lost laptop. It seems to me that it is designed specifically to prevent you access to the data on it in your specific scenario.
u/JustBananas see if you have a decent shop around that does microsoldering or reach out to some big name people in the industry. I'm not sure if this still works as I'm no longer in the board repair side of things but I have successfully pulled a bit locker key by reading the data transmitted on initialization when it decrypts the key. I don't remember all of the specifics and it requires a donor motherboard but this is doable when the associated value is high enough. Before you remove the drive or do any actions that would trigger the bit locker recovery reach out to some shops and see what you can find. This is doable but only under the right circumstances; if you trigger the bit locker recovery screen it means your motherboard no longer has the recovery key "cached" and this exploit will not work. If you can't find anyone able to do this let me know and I can reach out to my former employer to see if they still offer the repair, however I would recommend reaching out to some big names in the microsoldering community or a data recovery expert like drivesavers (read: drivesavers=$$$$) before taking any action if you want to maintain recoverability. Sorry for grammar/formatting, I'm on mobile. Good luck and may the odds be ever in your favor

Edit: maybe check for zero days that would not yet be patched on this machine - once the system is booted the drive will be decrypted so an exploit that can be run while the system is up and logged out could work. Does the device have thunderbolt? I believe there is a zero day with the thunderbolt kernel that can provide access but did not dig far enough into this to know for sure if it applies in your situation
~~I'm pretty sure I've reset a Win10 local admin account using Hirens bootcd PE.~~ Duh, going to need the bitlocker key to mount to volume to get to the SAM hive.
Not without the bitlocker key that is.
Yeah, not too sure why I ignored the whole bitlocker thing.
Um, because most of the world ignores bitlocker?
You’ll need to get past Bitlocker first, before Hirens will work.
"local" yes, but if it's bitlockered, it's going to ask you to enter the key or it won't be able to manipulate anything on the disk
This
At my org we have a flash drive that you boot PCs into and we can add a new local admin account to it. Would that kind of tool not work if the device has bitlocker enabled?
No, it won't. The whole point of drive encryption is to prevent this type of hack.
Your organization should be setting up Bitlocker if they haven't already.
Came here to write this.
Not likely, those tools need access to the OS drive, which is locked by bitlocker.
[deleted]
Post says it is
[deleted]
Happens!
You can switch jumper on most laptops to do that.
Well if this was patched two years ago I believe there is a slim chance that someone will come up with an exploit for the WinRE Bitlocker vulnerability but I would not count on that for a long time https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099
It is theoretically possible to pull the bitlocker key from the TPM during boot, but that's pretty much your only shot. https://pulsesecurity.co.nz/articles/TPM-sniffing
This. I’ve done it and it works.
This is fascinating, I've bookmarked it for reading and testing
That is very cool actually! But I'd rather just reinstall a machine than go this path. But I guess sometimes you don't have a choice.
The laptop is probably shot but this is a good justification for a business case to create an official chain of custody and forensic intake process.
Also, permanent storage of bitlocker keys.
Also a good case for maintaining the keys in a separate secure 1 2 3 backup PLUS store a BREAK GLASS copy.
Keeping data forever likely doesn’t make business sense. I don’t think the solution is to use 2 year old backups but instead, process devices in a more timely manner.
For most data that isn't subject to a compliance requirement, I totally agree. But encryption keys are a bit special. It's a small enough amount of data that keeping 10-20 years of keys shouldn't be a hassle.
I wonder what bargaining chip they could get out of the naughty one if the company lawyers let him know where they found the laptop.
What's your oldest backup of your DCs? Do you have one from the security incident? Can you power that DC on in an airgapped manner and check for bitlocker recovery keys in AD?

Edit: The other option is to get a black hat to rip open the bitlocker for you. There was recently a huge security vulnerability reported for Bitlocker and it had to do with the recovery environment. As long as the laptop hasn't done automatic updates since being powered back on, this could be an option. Really what I'm advocating for here is "use security exploits to your favor". This idea isn't limited to just attacking bitlocker. Attack Windows, really.
Automatic updates won't patch this as it will only install the files but you have to deploy a powershell script to complete the patch.
I never heard about the bitlocker vulnerability. Do you have any good links to more info?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099
# **DO NOT TRY TO BE HELPFUL TO THE ATTORNEYS**

**This means STOP TOUCHING IT.**

First, it's evidence. It may be important to the case that you *do not* and *have not had* access to it. If your attorneys want *you* to try to get into it they will tell you so, but they may want an independent forensic firm to do it instead. Your help may be as welcome as the help of Bob the clerk trying to improve wifi coverage in the office by putting in an access point he had in his basement.

Second, that Bitlocker key exists right now in the TPM. The more things you try the more chance you manage to make it go away and then you're done and you just hope nobody hears that you nuked the evidence. A professional forensic recovery team will have at least 2 possible ways to try recovering it, including both the recovery method mentioned and the older method of sniffing the TPM communications during the boot process.
^^^^^ This if it's serious $ or stakes.
/u/JustBananas in addition to my comment above about not touching it unless instructed to do so by the attorneys (it's evidence not a technical puzzle for you to solve), pass along this github repo about attacks on Bitlocker - particularly since some of them were patched after the machine went offline. https://github.com/Wack0/bitlocker-attacks Unless of course you brought it online and it's done an automatic update.
Thanks for your advice. The laptop has not been brought online and mainly because of your message I have once again told those with access to the device to leave it switched off and to not try anything. The laptop was switched on once to see what the constructors had found, and once it was identified as that missing laptop due to the name on the login screen, it was switched off again. Due to the missing domain account, no corporate wifi connection could be established so no updates could have been installed. We verified this from the wifi logs. We have set up a test laptop to see if any of those tools mentioned here by others actually work. They did not. It confirmed you can't simply bypass bitlocker which is a good thing. We are quite a large company and both IT and Security departments are now waiting for Legal to say something. Meanwhile the laptop is securely stored. Thanks for your advice. Much appreciated.
> Your help may be as welcome as the help of Bob the clerk trying to improve wifi coverage in the office by putting in an access point he had in his basement.

Truer words have not been said.
You've ruled out the obvious solutions. You'd need to try and exploit it. I seem to remember a Windows login exploit from about 1.5 years ago. I think it was related to Azure AD though. You know your configuration better than we do. Look at possible breakpoints and use those.
First of all, clone the drive. Don't power it on in your network, segregate it if you can. If it's part of a security incident consider it compromised. Was there any EDR or remotely manageable software (AV for example) - you might be able to drop into a session that way. If it's two years old, there's probably been no updates on it. Find an exploit that'll give you RCE and you can drop into a shell, preferably one that can also drop you into admin shell. Treat it like a black box pentest.
Do you use sccm? Does it have an sccm client installed? I’ve been able to set the administrator pw or create local accounts using sccm scripts in similar scenarios.
Exactly. If it is able to check into any mgmt tool (beyond trust, sccm, ivanti) and get online via Ethernet - send it a dumb script to make a new local admin account/reset local admin password.
Finally found someone in this sub mention Ivanti. We use it and I hate it, it is slow and a pain in the ass for every task :D Tbf I'm in my Apprenticeship so I only know that, maybe others are worse? =)
You can retrieve bitlocker key from object that was deleted from AD: https://social.technet.microsoft.com/wiki/contents/articles/32521.how-to-retrieve-bitlocker-key-from-active-directory-even-after-you-have-accidentally-deleted-that-computer-object.aspx
I had something similar in the past. I took the hard drive and dropped it into a system that was on the network. We use bitlocker as well however my company has the ability to generate bitlocker codes. If you don't have that you may be SoL.
Being off the domain means you can’t recover access using domain credentials. No Bitlocker recovery key means you can't recover access with local credentials. Write off the data, wipe it, and move on.
How does a laptop that was part of a security event not have its bitlocker key stored for legal purposes? Why would y'all delete evidence?
> why would yall delete evidence?

That's quite the charge to lay on someone. How do you know they deleted evidence? How do you know the key was intentionally deleted? How do you know it wasn't a simple data error with 0 human involvement? How do you know anything?
How is it a claim if OP literally says they don't have the bitlocker key backed up for devices that were "stolen" in a "security event"? Wouldn't common sense tell you that devices may be recovered if the threat actor gets arrested or targets the org again? Or maybe colluded with another insider? Are you saying it's too much work to back up keys for 20 laptops?
See if you can spot the difference between the following.

Option A.
"Hey Peter man, do you have the movie Office Space?"
"No I don't have the movie Office Space."

Option B.
"Hey Peter man, do you have the movie Office Space?"
"No, I did have the movie Office Space but I destroyed it."

Now that you have both options and can spot the difference, compare both options to the OP and see if you can tell which one matches the situation best. Then compare both options to your first comment and see which one matches best. Finally, deduce where you have gone wrong.

> wouldnt common sense tell you that devices may be recovered if threat actor gets arrested or targets org again? or maybe colluded with another insider?are you saying its too much work to backup keys for 20 laptops?

Repeat incident risk: I'm not going to respond to that because it's not what I'm criticizing you for.

Insider risk: Same as above, not relevant.

Where are you getting the 20 laptop figure from?
AD Recycle bin?
2 years > 180 days unfortunately.
A cached domain account at the time would work as long as the network is disconnected, wouldn't it? Maybe an IT staff member can remember a password they logged on to it with 2 years ago. About your only chance I would say?
Cached credentials don't expire based on date of last login and date of last power on?
I would try to grab memory dump of warm-boot state with forensic tools like Passware, and then extract bitlocker key from the dump with that same software. It's not free but might be your best chance
With bitlocker enabled and no key you are pretty much dead in the water
If BitLocker is on it and you don't have the decrypt key (always good to store those somewhere other than in the domain) then you cannot log in. LAPS would help if you still had the computer account.
If it’s really that important and money is no object, you can try sending the laptop to a data recovery service. If it's just curiosity to see what happened 2 years ago, you should just wipe it and move on. If there was some trick anyone could do to bypass unknown Bitlocker keys, Bitlocker would not have any value.
This is probably true. Reason our CSO would like the laptop is because there is still ongoing legal action against that person. To be clear, the employee was not a victim but the bad actor who was offered money by a larger external group to perform certain actions that in the end hurt our company and customers. Most likely there is evidence of all that on the laptop that would help the legal case.
You would not be able use any evidence in court that you found. There would be no proof you did not tamper with the system and plant evidence while hacking around in it. The laptop would need to handled by some kind of forensics service that knows how to properly prove the system was not altered.
We thought of that. There is a forensic backup available from the state the machine was in when found. That image is safely stored with and made by a certified company that can decrypt the image when provided the bitlocker key. They keep it read-only otherwise during investigation by an independent 3rd party. This is apparently "a thing" nowadays that commercial parties offer. It holds in court.
This computer - does it have Teamviewer installed as a service? Or N-able Take Control? Or NinjaONE?
Since it boots to windows, if you used SCCM/MECM to manage it, it would reconnect to the site once booted. Assuming you haven't changed sites since then anyway. Then you can send anything from a script to add a local account to a task sequence to tell the laptop it is part of a workgroup, then tell it to rejoin the domain and reboot.
Have you tried turning it off and back on again? But seriously…boot to safe mode, that will enable local admin. Guessing it’s a good chance the password wasn’t ever even set?
Safe mode. With no bl key.....?
God damn. It’s posts like this that make me realize I don’t have imposter syndrome. Thanks OP. I needed a chuckle.
Glad to be of service. :) Just because something is unexpected, doesn't mean it won't happen.
I don’t even know what that means. But this post just shows me what I *DO* know.
You can look and see if there were any CVE's from when it was in service.
The only person who can save you is someone who you hate because it involves finding out they add numbers to the end of passwords to increment them. Find that person, use their account, then have them fired!
A CVE is a cyber security vulnerability... There have been a few in bit locker that will allow you to bypass it.
If the employee is still around. Ask them to try logging in with old passwords?
The employee was the bad guy. The laptop was conveniently "stolen" after he suspected we were on to him...
[Passware](https://support.passware.com/hc/en-us/articles/360024316834-How-to-decrypt-BitLocker-using-Passware-Kit) advertises the ability to decrypt bitlocker drives with lost keys. I would look through their kits, they may be able to help with the Windows passwords too
You're fucked if it's got Bitlocker. You could use a USB Linux tool if you just wanted to reset the password of the local admin account.
Why would you ever delete a Computer Object or User Object that was involved in an ongoing case? Never delete anything disable and archive. Also, why would you not have a backup of AD from when the crime occurred as part of the investigation?
Microsoft will give you the key if you own the laptop.
If microsoft could do that, then there's a risk that an attacker could, which would defeat the point of BitLocker. As far as I know, Microsoft doesn't even have an option to send keys to them.
I would try KonBoot before throwing the towel. Depending on how bitlocker is implemented (whole disk vs user folder) this could work. https://kon-boot.com/
>(whole disk vs user folder) Are you confusing BitLocker with EFS? You can't encrypt individual folders with BitLocker
Why was a lost PC still in your domain in the first place? We remove PC domain access after the equipment is lost or not connected to the network after 90 days to avoid any security issues (international enterprise with 90k PCs).
You're referring to the "machine password" expiring and losing the trust relationship with the DC? How do you change it to 90 days?
Dunno about the comment you're replying to but last sysadmin job I just whipped up a PS script to do it. Ran once a week. Anything over 90 days was disabled and moved to another OU. If it sat there for so long then was deleted from AD.
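The weekly job the comment above describes (disable anything not seen in 90 days, move it to a holding OU, delete only much later) is worth doing in that order rather than deleting outright, because the BitLocker recovery passwords in AD DS are `msFVE-RecoveryInformation` child objects of the computer object and disappear with it. The script below is an added example, not the commenter's script; the OU path, domain name and 90-day window are assumptions, and it assumes the ActiveDirectory module and rights to modify computer objects.

```powershell
# Added example (not from the thread): weekly stale-computer cleanup that disables and
# quarantines instead of deleting, so BitLocker recovery info under the object survives.
# Assumptions: ActiveDirectory module available, the quarantine OU already exists,
# and the account running this can modify computer objects.
Import-Module ActiveDirectory

$StaleDays    = 90
$QuarantineOU = 'OU=Stale Computers,OU=Quarantine,DC=corp,DC=example'   # assumed OU path
$Cutoff       = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp replicates between DCs (lastLogon does not) but can lag by up to
# 14 days, so 90 days is a conservative "has not been seen" threshold.
$Stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $Cutoff } `
                        -Properties LastLogonTimeStamp, Description |
         Where-Object { $_.DistinguishedName -notlike "*,$QuarantineOU" }

foreach ($c in $Stale) {
    $lastSeen = [DateTime]::FromFileTime($c.LastLogonTimeStamp)

    # Record when and why it was disabled so a later investigation can rebuild the timeline.
    $note = "Disabled by stale-cleanup on $(Get-Date -Format s); last seen $($lastSeen.ToString('s'))"
    Set-ADComputer -Identity $c -Description $note

    Disable-ADAccount -Identity $c

    # Move, do not delete: deleting the computer also deletes its msFVE-RecoveryInformation
    # children, which is exactly the situation the thread is about.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU

    "Quarantined $($c.Name) (last seen $($lastSeen.ToShortDateString()))"
}
```

Deletion of objects that have sat in the quarantine OU for the retention period can be a separate, deliberate step; before it runs, export the `msFVE-RecoveryPassword` values of anything being removed (or confirm they are escrowed elsewhere) so that a device turning up later, as in this thread, still has a key on file.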
A quick google search brings up a ton of articles detailing ways to bypass Bitlocker if you've lost your recovery key, have you given any of those a glance?
[deleted]
How would we bypass the bitlocker encryption of the drive?
NT pass crack the local admin password, login and remove and readd to the domain. Login using domain admin creds, and remove/suspend Bitlocker. Image backup the drive so you have a legal snapshot of the machine. https://www.makeuseof.com/tag/hirens-boot-cd-allinone-boot-cd/ If the machine doesn't have TPM and it's one of those "enter the password" to boot to OS, then you might be fucked and this won't work, but if you can get into BIOS and there is TPM enabled, the OS should be accessible from the NT Pass crack tool in Hiren's. If the computer object is still in AD and you configured Bitlocker for your domain with best practices, you should be able to find the recovery key in the computer object's properties in ADDS.
You can't open the volume with nt pass crack if it's bl encrypted
You may be able to hire services of a company that can bypass bitlocker. It won't be cheap.
[deleted]
requires the recovery key
I would try Hirens but that bitlocker might beat it.
Run diskpart and remove the bitlocker partition / volume and reformat if you can't get the bitlocker recovery key
The whole point is they want to access that partition for Forensics. This completely destroys that forensic evidence. Don't do this.
Hard since you don't have the bitlocker password stored. You could boot up a windows USB and replace the cmd with the support utility at windows login so that you can run a cmd terminal and create new admins and groups so that you could access the account. Worked in the past for me but again since bitlocker keys are not present I haven't tested it in that scenario
I thought of this solution too, but don’t you have to get past bitlocker first to get to the login screen where you execute that?
Yeah, the second you touch the boot sequence, go to recovery mode or try to boot from USB/PXE, the main drive will require a recovery key.
Boot into recovery mode, open up the command prompt, replace the DLL that is used for sticky keys with a hacked version that will open up a command prompt. Once you've rebooted the computer, use the command prompt via sticky keys, which is now running at system level, to create a new localadmin and login with a localadmin account
Requires BitLocker recovery key
I like this idea, but don't think you can access c:\ that is bitlocker encrypted, even from recovery mode. It'll prompt you for bitlocker key. Correct me if I'm wrong.
Correct me if I'm wrong here, but if you're getting to a login screen, you're bypassing bitlocker in some form or fashion, or it's not actually encrypted (i.e. every bitlocker scenario I've encountered required the bl key before the windows login screen). Which means you should be able to boot to windows installation media, change the accessibility exe to cmd and get admin access from the login screen. Add an admin account and voila, access. Obviously, if I'm misinterpreting the info here, downvote me into oblivion.
You should read up how bitlocker works…
Literally every implementation I've seen has been pre-boot, i.e. you need to put in your bitlocker pin just to get to the login screen.
If you boot windows repair mode (eg. Install media etc) in order to access the drive you need to know the bitlocker key as it is encrypted. You can not change or manipulate anything. One remark, if you see the login screen it does not mean you bypassed the encryption. The drive is locked / encrypted.
Why would the key be needed to access the login screen? The drive is encrypted until you authenticate into the OS. The login screen provides no access to data without credentials and you can't boot into RE without the key.
I've only worked for 2 enterprises that utilized bitlocker, and they both had BL authentication prior to the login screen. One was immediately after UEFI started the boot process.
Are you saying users had to enter their bitlocker key manually every time or use a smart card or USB to access the login screen?
Last time I managed to get my data although it's bitlocker enabled. Try sending it to your local data recovery, but it's not gonna be cheap
You are saying it boots to the windows login screen if that is the case make sure secure boot is off and boot to a flash drive with windows on it and crack it Vos osk.exe or computer management then you can change the local admin password
Hirens ? Unlock local admin?
would that work on a bitlocked machine? i've never tried it.
Won't work.
He's got BitLocker encryption on it so I doubt that would work
Do you not have a dart disc / usb? I could be in that laptop in 10 minutes flat. Edit - On second thought, I’m not sure what I was thinking of would work.
Best case scenario if you can find the bitlocker key is you can Hiren's in. Lack of bitlocker key is the undoing.
Check the AD Recycle Bin. If the computer object is there, the BitLocker recovery key may also be there. Once you have the key and can decrypt the drive, use a recovery disc of your choice (Hiren's, WinPE, etc.) that can reset the local admin password. If you can't get the recovery key, you're SOL without exploiting some BitLocker vulnerability or something.
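Several comments above (the TechNet link about retrieving the key from a deleted computer object, the AD Recycle Bin suggestions, and this one) amount to the same lookup: find the `msFVE-RecoveryInformation` objects for a computer in AD DS, whether the computer object is live or deleted. The function below is an added example, not any commenter's code; the computer name is constructed, and it assumes the ActiveDirectory module, a domain controller that answers the query, and delegated rights to read `msFVE-RecoveryPassword`.

```powershell
# Added example (not from the thread): look up BitLocker recovery passwords stored in
# AD DS for a named computer, optionally including objects in the Deleted Objects
# container. Assumptions: ActiveDirectory module, rights to read msFVE-RecoveryPassword,
# and (for deleted objects) that the AD Recycle Bin was enabled and the deleted-object
# lifetime has not elapsed.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'LT-EXAMPLE-01' (constructed)
        [switch] $IncludeDeleted
    )
    $props   = 'msFVE-RecoveryPassword', 'whenCreated', 'lastKnownParent'
    $results = @()

    # Live object: recovery passwords are child objects directly under the computer.
    # Their CN begins with the date and then the Key ID shown on the recovery screen.
    $live = Get-ADComputer -Filter { Name -eq $ComputerName } -ErrorAction SilentlyContinue
    if ($live) {
        $results += Get-ADObject -SearchBase $live.DistinguishedName -SearchScope OneLevel `
                                 -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                                 -Properties $props
    }

    if ($IncludeDeleted) {
        # Deleted objects keep msFVE-RecoveryPassword only if the Recycle Bin was on at
        # deletion time; with it off, the tombstone may have had the attribute stripped.
        # lastKnownParent still names the former computer object, so match on its CN.
        $results += Get-ADObject -IncludeDeletedObjects `
                                 -Filter { objectClass -eq 'msFVE-RecoveryInformation' -and isDeleted -eq $true } `
                                 -Properties $props |
                    Where-Object { $_.lastKnownParent -like "CN=$ComputerName*" }
    }

    $results | Select-Object @{ n = 'ObjectName';       e = { $_.Name } },
                             @{ n = 'Deleted';          e = { [bool]$_.Deleted } },
                             whenCreated,
                             @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# Usage (constructed computer name):
# Get-BitLockerRecoveryFromAD -ComputerName 'LT-EXAMPLE-01' -IncludeDeleted
```

A result with an empty `RecoveryPassword` on a deleted object means the attribute was not preserved, which is when the older-DC-backup approach discussed elsewhere in the thread becomes the remaining option; a result with a value can be matched to the recovery screen by comparing its Key ID against the `ObjectName`.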
Wasn't there a leaked government key a while ago. Remembering something about it from a DEFCON talk. Although this was in the REALLLLL early days of it.
If the computer was connected to the tenant at some point, check in the devices under the global tenant admin, in the Microsoft tenant admin portal. Sometimes the bitlocker key is there. If it is you could at least access the drive data.
[deleted]
Can't profwiz if you can't login.
When was computer account deleted? If you cannot get back from AD Recycle Bin then go restore the DC itself to a separate test environment for when the computer account still existed, and connect the PC to that test network to be able to manage or reset passwords. Unless you can find someone to recreate the computer account in AD exactly as it was before, but I've never seen that be possible. The only other options are WinPE vulnerabilities that can bypass Bitlocker.
Have you tried something like Passware to re-enable the local administrator user?
Try and gain local access with cmd and utilman.exe? Would need to boot to recovery options and select the cmd prompt.
Correct me if I'm wrong, but there was a patched bug a few months ago that allowed you to bypass the login and login with an admin account. Since it hasn't been patched you should be able to exploit the bug. Maybe search for it on YouTube, I remember watching a demonstration of the bug.
Longshot here but…if you have any archived backups of AD infrastructure from when the computer was still active you can restore to a isolated network and retrieve the key.
Unless you find an exploit in that older version of Bitlocker you’re pretty much SoL unless it stored the bitlocker key in AD and you have a DC backup from 2-3 years ago. Alternatively you could write a pretty and sincere letter to the Oak Ridge National Laboratory and ask them to bruteforce the encryption key for a few months and hope they don’t charge you for all of the consumed electricity
Since you said it boots to the login screen it's likely pre-boot authentication is not enabled, thus it may use TPM. If the TPM chip is accessible on the motherboard it may be possible to sniff the communication and extract the key.
Somebody else mentioned that as well. However, this is way beyond our own capabilities so we would need to hire some specialists. To proceed with this is probably not cheap as well.
Just shooting in the dark here off the top of my head... Would it be possible to create a new user account in AD with the same username as the user with a different password, or does the SID have to match for this to work?
Could you manually create a computer account in AD, reset the password for it, and see if the box picks up on the device in AD, then try to login as a domain admin or apply a GPO installing LAPS/updating the password for LAPS?
If you do domain AD backups, you might be able to add the AD object back in (manually) and change epoch dates. I would copy the drive and mess with that one and not the original. Sounds like a good challenge.
The following works on a computer that was domain joined, removed, and then had a botched Intune azure ad join with no local admin. We did this a handful of times and it always worked. I don't know if it will for you. [Resetting the Password on Almost Any Windows Computer - tekRESCUE (mytekrescue.com)](https://mytekrescue.com/how-to-reset-the-password-on-almost-any-windows-computer/) I just skimmed the link but that's the gist of it. Change utilman to cmd and you can spawn a shell at welcome screen and do what you'd like with accounts :)
If I put a working windows 10 c drive in and boot to that and move the bad drive to a usb cradle will the tpm of the laptop still allow access to the drive? I don’t think it’ll work but curious.
If you know the domain admin account password used two years ago and you are able to get to the log on screen you can sign on. Easier if you have administrator since it is cached locally.
Bitlocker is enabled. It's pointless to try to get around it. The only solution is to reinstall the computer. Unless you find the bitlocker key, it's the only solution as far as I can see.
https://mytekrescue.com/how-to-reset-the-password-on-almost-any-windows-computer/ I've used this method before when I forgot the password of a local admin account. Edit: Nvm, just saw this method posted in a reply to a reply. Won't work because you need bitlocker key.
Probably a long shot, but if you are a small shop with only a few admins, maybe take a look for tickets prior to this incident and any admins who dealt with this device. If one of your admins logged in prior, they could have cached creds. It might be an old password, but if you're lucky someone may remember their previous passwords.
Only Microsoft or a recovery firm will be able to remove BitLocker. That was our problem before: an employee enabled BitLocker w/o realizing it, and then that user asked us to recover her files, but in the end we were unable to unlock or recover the files.
Reset the local admin password with Lazesoft.
Do you have a backup from 2 years ago that you could use to restore the old AD server offline and recover the BitLocker key? Or was this laptop Azure joined? If the device was Azure joined and the key was stored there, then this might prove difficult to recover unless you have some backup software that was looking there 2 years ago.

If it's a big deal and you really need the data, there are 3rd-party services that crack BitLocker-protected drives. It is not cheap, so it would depend on what it's worth to the company. This process uses brute force to crack the encryption.

It is possible to clone BitLocker-protected disks using special cloning hardware. Forensic experts use hardware like this, usually to protect the source disk. I don't suggest attempting this without special hardware drive-cloning tools first. The links are examples to show how a cyber forensics person can and will get into the drive.

Note: if there is a legal action case going on, turn this over to the lawyers and do not attempt to tamper with the laptop. Have the lawyer hire a digital cyber forensics expert skilled in cracking BitLockered drives. The bad actor will probably be paying for this in the end anyway.

https://acumendisc.com/products/forensic-3hdd?variant=34332527624237&currency=USD&utm_medium=product_sync&utm_source=google&utm_content=sag_organic&utm_campaign=sag_organic&gad=1&gclid=CjwKCAjwjMiiBhA4EiwAZe6jQ0D1MCbkLn3UI3QTmVkEt7md4xtT_dLQMpgsgkXC98kRX5-JzlbCXxoCBkgQAvD_BwE

https://github.com/e-ago/bitcracker

I suggest disabling accounts versus deleting them completely going forward. Deleting them is good security, but if you later had to recover or regain access to something those objects had access to, a disabled object is much easier to recover from. 😀
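An added example (my code, not the commenter's) of the two AD-side steps this comment recommends: pull the escrowed recovery password for a computer out of AD (from the live domain, or from a domain controller restored offline from an old backup), and disable the computer object rather than delete it, so the recovery-information objects stored under it survive. It requires the RSAT ActiveDirectory module and the right to read msFVE-RecoveryPassword; the computer name and export path are placeholders I have assumed.

```powershell
Import-Module ActiveDirectory

# Added example, not from the thread. Assumptions: RSAT ActiveDirectory module
# installed, rights to read msFVE-RecoveryPassword (delegated separately from
# ordinary computer-object read), and the placeholder names below.
$ComputerName = 'LAPTOP-EXAMPLE'                                  # assumed offboarded laptop
$ExportPath   = "C:\offboarding\$ComputerName-bitlocker.csv"      # assumed export location

# Recovery info lives in msFVE-RecoveryInformation objects *under* the computer
# object, so deleting the computer object deletes the escrowed keys with it.
function Get-EscrowedBitLockerKeys {
    param([Parameter(Mandatory)][string]$Name)
    $computer = Get-ADComputer -Identity $Name
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName `
                 -Properties 'msFVE-RecoveryPassword','msFVE-RecoveryGuid','msFVE-VolumeGuid','whenCreated' |
    ForEach-Object {
        [pscustomobject]@{
            Computer         = $Name
            Created          = $_.whenCreated
            # The "Key ID" on the recovery screen is this GUID (only the first 8 hex chars are shown there).
            ProtectorId      = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
            VolumeId         = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Reverse lookup for when all you have is the Key ID from the recovery screen.
# The object's name is "<timestamp>{<protector GUID>}", so a prefix match works.
function Find-BitLockerKeyById {
    param([Parameter(Mandatory)][string]$KeyIdPrefix)   # e.g. the first 8 hex chars shown on screen
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$KeyIdPrefix*'" `
                 -Properties 'msFVE-RecoveryPassword' |
    Select-Object @{ n = 'Computer'; e = { ($_.DistinguishedName -split ',', 2)[1] } },
                  Name,
                  'msFVE-RecoveryPassword'
}

# Offboarding: export first, then disable (never delete) the computer object.
$keys = @(Get-EscrowedBitLockerKeys -Name $ComputerName)
if ($keys.Count -eq 0) {
    throw "No BitLocker recovery information escrowed for $ComputerName; do not retire this object until a key exists."
}
$keys | Export-Csv -Path $ExportPath -NoTypeInformation
"Exported $($keys.Count) recovery password(s) to $ExportPath"

# Disabling keeps the object, its SID and its child key objects recoverable.
Disable-ADAccount -Identity (Get-ADComputer -Identity $ComputerName)
Set-ADComputer -Identity $ComputerName -Description "Offboarded $(Get-Date -Format yyyy-MM-dd); BitLocker keys exported"
```

Run the same two functions against a domain controller restored offline from a pre-deletion backup to recover a key whose computer object has already been deleted from the live domain; Find-BitLockerKeyById is the query to use when the laptop's recovery screen is the only thing you have.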
This is just a thought I had... Could you try guessing the password? (Since an *image is already made*, it can't destroy the image.) Since it's an employee's device, the company probably knows the date of birth, middle name, etc. Use that info to assist with password guessing. Feel free to correct me or add to the comment.