BitLocker stopping Windows password reset

lan101
Is there a way to reset a windows password with bitlocker being on?

That appears to stop any reset programs from working. So I guess, granted, it's doing its job, so maybe they're fooked lol.

No command prompts to turn off bitlocker seem to work for me. We have the bitlocker key and all that it's just resetting a windows password.

Of course no windows password reset disk or usb was ever made because that's never the case.

I've also tried adding another user via command prompt and that fails as well...so it's like I can't do anything that I'm used to being able to do without bitlocker.

Thank you.
 
The word of the day lol.

I didn't realize command prompt doesn't help in these situations with bitlocker on. Learn something everyday I guess lol.
 
I guess I'm not understanding this. The customer forgets their password, or is this an orphaned laptop that's trying to be "adopted?" If you change the password using their MS account online, does that allow access (assuming the laptop is connected to the internet when you try)? I've never tried it and am curious.

You have the Bitlocker recovery key, so why not decrypt the drive then re-install it in the laptop and use password-change tools? I think all you can do at that point is use PCUnlocker to convert it to a local account.
 
The entire purpose of encryption is to prevent unauthorized modification of the encrypted files. The file in question being c:\windows\system32\sam.

So no, you aren't going to be resetting any local passwords on a disk fully encrypted. It's stopping you from doing the thing it was literally designed to stop.

I suspect what you'd have to do is attach the disk to another Windows machine, use the recovery key to gain access to the disk, decrypt the disk entirely... then use your tool to reset the SAM file.
 
It's just a local account in windows 10. NOT a MS account. The normal reset password programs I have won't access the registry or something that it needs to reset the password. It just tells me the drive is encrypted with bitlocker and it won't reset it.
 
The entire purpose of encryption is to prevent unauthorized modification of the encrypted files. The file in question being c:\windows\system32\sam.

So no, you aren't going to be resetting any local passwords on a disk fully encrypted. It's stopping you from doing the thing it was literally designed to stop.

I suspect what you'd have to do is attach the disk to another Windows machine, use the recovery key to gain access to the disk, decrypt the disk entirely... then use your tool to reset the SAM file.

Ok that was my next thought process...we'll give that a shot and go from there. Thank you.
 
Here's another case where, based on the original description, a local account versus a Microsoft Account linked Windows user account was used.

You can always change your password on the corresponding Microsoft Account, when a linked Windows account is used, and the change propagates down to the machine the first time you enter the new one. Until you do, it will keep accepting the old one as it's cached (in encrypted form) locally.
 
How can it be encrypted without a MSA account? I thought that is not possible.

Device encryption is definitely possible sans an MS Account. Most of the nightmares arise when something goes wrong, and there is no record, anywhere, of the encryption key.
 
How can it be encrypted without a MSA account? I thought that is not possible.

It was set up where they are just using a password for it...it's an older Dell OptiPlex 3020 series, so BitLocker is basically just an extra password in the beginning.

I'm decrypting drive now so hopefully I'll know tomorrow if the password reset for windows will work. I think it will.
 
Where does one enter that command via a PE or through recovery mode?
Any Windows-based command prompt that has write access to the volume in question.

Recovery can do it, though it's more annoying than removing the disk, attaching it to another machine, using the recovery key to import the volume, then using an elevated command prompt there.

manage-bde -off c: disables bitlocker on the C volume.
manage-bde -protectors -disable c: disables the boot pin, and password lock configurations if enabled, again on the C volume.

The former SHOULD imply the latter, but may not in some cases.
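The procedure the reply describes (attach the disk to a second Windows machine, unlock it with the recovery key, then turn BitLocker off and let it finish decrypting), written out as a PowerShell script. This is an added example, not code from the thread; it assumes the disk shows up as `E:` on the second machine and that the 48-digit recovery password is supplied in `$RecoveryPassword` (the zeros below are a placeholder, not a real key). The cmdlets come from the built-in `BitLocker` module, and `Disable-BitLocker` is the cmdlet equivalent of `manage-bde -off`.

```powershell
# Added example: unlock an attached BitLocker volume with its recovery password,
# then decrypt it completely so an offline SAM-reset tool can write to it.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = "E:",   # assumption: drive letter the attached disk got
    [string]$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000"  # placeholder
)
Import-Module BitLocker

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Before: VolumeStatus={0} LockStatus={1} ProtectionStatus={2}" -f $vol.VolumeStatus, $vol.LockStatus, $vol.ProtectionStatus

# Step 1: unlock with the 48-digit recovery password (equivalent to manage-bde -unlock E: -RecoveryPassword ...).
if ($vol.LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
}

# Check before doing anything destructive: a wrong key leaves the volume Locked.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -ne 'Unlocked') {
    throw "Volume $MountPoint is still locked; check the recovery password for this disk."
}

# Step 2: turn BitLocker off entirely (equivalent to manage-bde -off E:).
# Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 would only clear the protectors
# (manage-bde -protectors -disable); the data stays encrypted with the key stored in the clear,
# which Windows can read but a non-BitLocker-aware boot tool still cannot.
Disable-BitLocker -MountPoint $MountPoint | Out-Null

# Step 3: decryption runs in the background; wait for it before pulling the disk.
do {
    Start-Sleep -Seconds 10
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    "Decrypting {0}: {1}% still encrypted (status {2})" -f $MountPoint, $vol.EncryptionPercentage, $vol.VolumeStatus
} while ($vol.VolumeStatus -ne 'FullyDecrypted')

"Done: $MountPoint is fully decrypted and can be moved back to the original machine."
```

Moving the disk before `VolumeStatus` reaches `FullyDecrypted` is the usual way this goes wrong; the original machine will boot into a half-decrypted volume and resume, and the reset tool will still be refused until that finishes.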
 
The entire purpose of encryption is to prevent unauthorized modification of the encrypted files. The file in question being c:\windows\system32\sam.

So no, you aren't going to be resetting any local passwords on a disk fully encrypted. It's stopping you from doing the thing it was literally designed to stop.

I suspect what you'd have to do is attach the disk to another Windows machine, use the recovery key to gain access to the disk, decrypt the disk entirely... then use your tool to reset the SAM file.

That ended up working. I just hooked up the encrypted drive to another pc and was able to disable bitlocker. I didn't have to run any commands afterwards. I put the drive back in the original pc and was able to reset the windows password. Thank you again.
 
That ended up working. I just hooked up the encrypted drive to another pc and was able to disable bitlocker. I didn't have to run any commands afterwards. I put the drive back in the original pc and was able to reset the windows password. Thank you again.
Excellent!

One more tech-wise in the ways of BitLocker recovery done right!

Given the behavior I was afraid someone had set up disk encryption; that's a whole other mess! And honestly, that's the stuff that scares me. BitLocker works pretty well, as long as the user didn't lose their accounts!

Also, for anyone managing a fleet: if your SMB has M365, join the machines to the directory! You don't need anything but Basic / Standard to do this, and if you do, Entra ID will start collecting BitLocker keys. The catch, however, is it will only pull the data when users log in, so the user will need to be logging in with their M365 identity. This is usually a good thing, because now the M365 password is the machine's password for the user and helps manage that support situation. The bad news is, assuming you're MFA'ing M365 correctly, now you aren't logging into that machine as that user to do jack anymore... not without logging the password / PIN, and / or enrolling an MFA token on each user's account. So plan accordingly.
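The post above relies on the key getting escrowed whenever a user next signs in. An added example (not from the thread) that forces the escrow on an Entra ID-joined machine right away, so the recovery password is in the directory before the first support call rather than after. It assumes the machine is already Entra joined or hybrid joined and that you run it elevated; `BackupToAAD-BitLockerKeyProtector` fails on a machine that is not joined, which is the check you want.

```powershell
# Added example: escrow every recovery-password protector on the OS volume to Entra ID now.
#Requires -RunAsAdministrator
Import-Module BitLocker

$MountPoint = $env:SystemDrive   # normally C:
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# A volume protected only by TPM has no recovery password to escrow; add one first.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

foreach ($p in $rp) {
    # Throws if the device is not Entra/hybrid joined, so a failure here is informative.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    "Escrowed recovery protector {0} for {1}" -f $p.KeyProtectorId, $MountPoint
}

# Confirm from the local log: BitLocker-API event 845 is "backed up successfully" to Entra ID,
# 846 is the failure counterpart.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it once per machine (a scheduled task or Intune script is the usual vehicle) and then verify in the Entra portal that the device shows a recovery key; an 845 event on the client without a key in the portal means the backup went to a different tenant or device object than you expected.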
 
The entire purpose of encryption is to prevent unauthorized modification of the encrypted files. The file in question being c:\windows\system32\sam.

So no, you aren't going to be resetting any local passwords on a disk fully encrypted. It's stopping you from doing the thing it was literally designed to stop.

I suspect what you'd have to do is attach the disk to another Windows machine, use the recovery key to gain access to the disk, decrypt the disk entirely... then use your tool to reset the SAM file.
This. Or your password program has to be run from a WinPE disk that can engage BitLocker. You can change files on an encrypted disk if you can’t decrypt it.
 