How can I re-add public certificates to a BitLocker volume without the smartcard connected that contains the private certificates?

Question

How can I re-add public certificates to a BitLocker volume without the smartcard connected that contains the private certificates?

BitLocker is giving an error when trying to re-add public certificates to unlock the volumes without the physical smartcard containing the private certificate connected to the station. The smartcards are already fielded to the team, and it'd be inappropriate to recall anyone for something like this, even under normal non-COVID conditions...

0x80310074 "Group Policy settings requires that you use a smart card-based key protector with BitLocker Drive Encryption."

I went straight to gpedit.msc, no relevant settings...went through a substantial portion of regedit, nothing there...

This rabbit hole has led me to think that the setting can be configured using PowerShell... Maybe somehwere in WMI Provider and Win32_EncryptableVolume class? It seems this is the setting I'm trying to find: "FVE_E_POLICY_USER_CERT_MUST_BE_HW"

Anyone know how to fix this so that I can re-add the certs without the smartcards connected?

References:

https://docs.microsoft.com/en-us/windows/win32/secprov/win32-encryptablevolume

https://docs.microsoft.com/en-us/windows/win32/secprov/protectkeywithcertificatefile-win32-encryptablevolume

https://devblogs.microsoft.com/scripting/powershell-and-bitlocker-part-2/

powershell

encryption

scripting

smartcard

bitlocker

asked on Stack Overflow May 11, 2020 by

Mark

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0