I have a Windows 10 Pro PC, no domain, I don't use BitLocker on the system drive but have encrypted some fixed data drives using BitLocker and a password (no TPM).
When I want to unlock these drives I can select them in File Explorer and choose Unlock Drive..., and after entering my password the drive is decrypted and I can use it.
Because I have a few of these drives with the same password, I wrote a script to unlock all of them at the same time.
Unlock-BitLocker -MountPoint X: -Password $myPassword
This works fine when executed as an elevated administrator, but when I run the script as my normal standard user it fails:
Get-CimInstance : Access denied
WBEM_E_ACCESS_DENIED (0x80041003) Current user does not have permission to perform the action.
I assume both File Explorer and the PowerShell BitLocker module use the same Win32 API, why does one work as a standard user and the other one doesn't?
When using:
manage-bde -unlock E: -rp password
I get:
BitLocker Drive Encryption: Configuration Tool version 10.0.14393
ERROR: An attempt to access a required resource was denied.
Check that you have administrative rights on the computer.
Using Process Monitor, I can see access is denied to the following registry key:
HKLM\Software\Microsoft\WBEM\CIMOM
I also found out the File Explorer context menu calls the executable:
%systemroot%\System32\bdeunlock.exe
which displays the little popup window to enter the password.
When using bdeunlock.exe, no access to HKLM\Software\Microsoft\WBEM\CIMOM is shown in Process Monitor. So it seems it unlocks the drive without accessing that key.
It looks like both the PowerShell cmdlets and manage-bde.exe use WMI:
Get-CimInstance -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -ClassName Win32_EncryptableVolume
and a standard user does not have access to this.
But bdeunlock.exe may use the function FveOpenVolumeW in FVEAPI.dll (BitLocker API file) directly without using WMI first.
Is there a way to unlock a Bitlocked fixed data drive on the command line as a standard user?
Unlock-Bitlocker are the same how they go about doing it is different.
Unlock-BitLocker but in the end it runs the same cmdlet, and it gives me the same Access Denied error.
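The access boundary described in the question can be checked directly. The following diagnostic is an added example, not code from the original post: it reports whether the current session is elevated and whether it can read the Win32_EncryptableVolume class in the namespace quoted above. The function names Test-Elevated and Get-BitLockerWmiAccess are hypothetical.

```powershell
# Added diagnostic sketch (not from the original post).
# Shows whether this session may query the BitLocker WMI provider that,
# per the question, Unlock-BitLocker and manage-bde.exe depend on.

function Test-Elevated {
    # True when the current token carries the Administrators group as enabled.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BitLockerWmiAccess {
    param(
        [string]$Namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption',
        [string]$ClassName = 'Win32_EncryptableVolume'
    )
    try {
        $volumes = @(Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop)
    }
    catch [Microsoft.Management.Infrastructure.CimException] {
        # A standard user is expected to land here (WBEM_E_ACCESS_DENIED in the post).
        return [pscustomobject]@{
            Elevated = Test-Elevated
            Readable = $false
            Error    = $_.Exception.Message
            Volumes  = @()
        }
    }
    $rows = foreach ($v in $volumes) {
        # GetLockStatus returns LockStatus 0 (unlocked) or 1 (locked).
        $lock = Invoke-CimMethod -InputObject $v -MethodName GetLockStatus
        [pscustomobject]@{
            DriveLetter = $v.DriveLetter
            Locked      = ($lock.LockStatus -eq 1)
        }
    }
    [pscustomobject]@{
        Elevated = Test-Elevated
        Readable = $true
        Error    = $null
        Volumes  = @($rows)
    }
}

# Run once as a standard user and once elevated, then compare the output.
Get-BitLockerWmiAccess | Format-List
```

Comparing the two runs confirms whether the denial comes from the WMI namespace's access control rather than from BitLocker itself.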