I have a Windows 10 Pro PC, no domain, I don't use BitLocker on the system drive but have encrypted some fixed data drives using BitLocker and a password (no TPM).

When I like to unlock these drives I can select them in File Explorer and choose Unlock Drive. After entering my password the drive is decrypted and I can use it.

Because I have a few of these drives with the same password I wrote a script to unlock all of them at the same time.

```
Unlock-BitLocker -MountPoint X: -Password $myPassword
```

This works fine when executed as an elevated administrator, but when I run the script as my normal standard user it fails:

```
WBEM_E_ACCESS_DENIED (0x80041003) Current user does not have permission to perform the action.
```

I assume both File Explorer and the PowerShell BitLocker module use the same Win32 API, why does one work as a standard user and the other one doesn't?

When using:

```
manage-bde -unlock E: -rp password
```

I get:

```
BitLocker Drive Encryption: Configuration Tool version 3
ERROR: An attempt to access a required resource was denied.
Check that you have administrative rights on the computer.
```

Using Process Monitor, I can see access is denied to the following registry key:

```
HKLM\Software\Microsoft\WBEM\CIMOM
```

I also found out the File Explorer context menu calls the executable:

```
%systemroot%\System32\bdeunlock.exe
```

which displays the little popup window to enter the password.

When using bdeunlock.exe no access to HKLM\Software\Microsoft\WBEM\CIMOM is shown in Process Monitor. So it seems it unlocks the drive without accessing that key.

It looks like both the PowerShell cmdlets and manage-bde.exe use WMI:

```
Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption"
```

and a standard user does not have access to this.

But bdeunlock.exe may use the function FveOpenVolumeW in FVEAPI.dll (Bitlocker API file) directly without using WMI first.

Is there a way to unlock a Bitlocked fixed data drive on the command line as a standard user?

You could grant the standard user or a security group they are a member of the explicit access to the WMI object per the path as you found from wmimgmt.msc.

This way you do not need to give the account local admin or elevated permissions, and they'd just have the exact and explicit access they need to the correlated WMI namespaces as needed and nothing further: minimum necessary permissions to perform the operation.

Right-click on the WMI Control (Local) option to the left, and then select

Security tab from the properties windows and then expand the Root to namespace to the specific WMI namespace object(s) you need to grant the access to explicitly.

Once you have the applicable WMI Namespace object highlighted, from there you will select the Security option from the lower right-hand side of the properties windows and add in the user account or security groups accordingly, and also grant and set the

Authorize WMI users and set permissions

Continuing my research I explained in the question itself, I further looked into this.

Using the PowerShell cmdlet Unlock-Bitlocker because its code is available in clear-text on every Windows machine.

The first error during the execution of the cmdlet happens while calling:

```
Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
```

I get an Access suggested to change the security on the WMI object in question, to do that, open wmimgmt.msc, right click on the WMI Control (Local) node on the left and click Properties. Select the Security tab and then find the object Root\CIMV2\Security\MicrosoftVolumeEncryption, click the Security button. Add a group or user you want to allow unlocking the bitlocked drives. Check the Allow Execute Methods permission.

After this has been done, the standard user can use the manage-bde.exe tool to unlock the drive:

```
manage-bde -unlock X: -pw
```

The problem is, this prompts the user for the password and I have four drives to unlock at this time and I would prefer to enter the password only once.

Using the Unlock-Bitlocker cmdlet in PowerShell now gets past the previous error, but displays another one:

Access Denied in Get-BitLockerVolumeInternal.
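An added example, not code from the thread or from Microsoft's BitLocker module: one password prompt reused for several data volumes by calling the WMI provider in `root\cimv2\Security\MicrosoftVolumeEncryption` directly instead of going through `Unlock-BitLocker`. It uses the `Win32_EncryptableVolume` class with its `GetLockStatus` and `UnlockWithPassphrase` methods, which the thread does not name. Assumptions: the drive letters are placeholders, and the calling account has been given the namespace permissions described above; the thread does not confirm that this path works for a standard user.

```powershell
# Placeholder drive letters (assumption): replace with your own data volumes.
$driveLetters = 'E:', 'F:', 'G:', 'H:'
$namespace    = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Unlock-DataVolume {
    param([string]$DriveLetter, [securestring]$Password)

    # Look the volume up in the BitLocker WMI provider.
    $vol = Get-CimInstance -Namespace $namespace -ClassName Win32_EncryptableVolume `
               -Filter "DriveLetter='$DriveLetter'" -ErrorAction Stop
    if (-not $vol) { return "$DriveLetter is not visible as a BitLocker volume" }

    # LockStatus: 0 = unlocked, 1 = locked.
    $status = Invoke-CimMethod -InputObject $vol -MethodName GetLockStatus
    if ($status.LockStatus -eq 0) { return "$DriveLetter already unlocked" }

    # The WMI method takes the passphrase as a plain string, so decode the
    # SecureString only for the duration of the call.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    try {
        $result = Invoke-CimMethod -InputObject $vol -MethodName UnlockWithPassphrase `
                      -Arguments @{ Passphrase = $plain }
    }
    finally {
        $plain = $null
    }

    if ($result.ReturnValue -eq 0) { return "$DriveLetter unlocked" }
    return ('{0} failed, HRESULT 0x{1:X8}' -f $DriveLetter, $result.ReturnValue)
}

# Prompt once and keep the password as a SecureString between calls.
$secure = Read-Host -Prompt 'BitLocker password' -AsSecureString

foreach ($d in $driveLetters) {
    try   { Unlock-DataVolume -DriveLetter $d -Password $secure }
    catch { "$d error: $($_.Exception.Message)" }   # e.g. access denied on the namespace
}
```

An access-denied message from the `catch` branch points at the namespace security settings rather than at the password.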