Unable to remove TPM Keys

This forum is used to support the BitLocker for Automate plugin. You will find documentation on the plugin as well as an area to post issues and requests. Please post

Post by dgonzalez2882 »

Hello,

I am having an issue where I have a drive which shows as not encrypted in the plugin and on the computer. I try to remove the TPM key by clicking and selecting remove. When I check the terminal results it errors out and displays the following results:
[Attachment: Capture.JPG]

Post by Cubert »

In the error you can see the commands that are being executed. You should attempt to recreate the issue by executing the first half of the commands and then validate what the returned variables are.

This is all done in PowerShell, so open the PS ISE as administrator and enter the following:

Code:

$BLV = Get-BitLockerVolume -MountPoint "C:"

Now print out the needed variable for command #2:

Code:

Write-Host $BLV.KeyProtector[0].KeyProtectorId

This is what it should look like and what it should return if a key protector is there:

[Attachment: Screenshot 2022-12-28 093914.png]

The value returned for me is {88E8A649-A86E-49DE-A9A0-33CDDFA1249A}.

The final command then should look like this:

Code:

Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId "{88E8A649-A86E-49DE-A9A0-33CDDFA1249A}"

Keep in mind that this ID was from my protector and not yours, so you will have a different ID from what I show above.


By running through the 2 commands you should find the issue that is causing the failure. It is pretty basic so if you want to drop the protector just rerun the 2 commands over again. Send us any outputs you receive from the above commands so we can see what your environment is trying to do.
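
The steps above as one guarded function, as an added example that is not part of the original post or the plugin: it checks that the volume actually has key protectors before indexing into the list, because on a volume with none there is no ID to hand to the remove command. The function name `Remove-VolumeKeyProtector` and its `-Index` parameter are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example, not the plugin's code. Function and parameter names are hypothetical.
function Remove-VolumeKeyProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        # Which protector to drop; defaults to the first one, as in the thread.
        [int]$Index = 0
    )

    $blv = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Normalise to an array and drop nulls so the count is reliable whether
    # the property is empty or missing.
    $protectors = @($blv.KeyProtector | Where-Object { $_ })

    if ($protectors.Count -eq 0) {
        # Nothing to remove: report the state instead of calling the
        # remove cmdlet with an empty ID.
        Write-Warning ("{0} has no key protectors (VolumeStatus: {1}, ProtectionStatus: {2})." -f
            $MountPoint, $blv.VolumeStatus, $blv.ProtectionStatus)
        return
    }
    if ($Index -lt 0 -or $Index -ge $protectors.Count) {
        throw "Index $Index is out of range; $MountPoint has $($protectors.Count) protector(s)."
    }

    # Show what exists before changing anything.
    $protectors | Format-Table KeyProtectorType, KeyProtectorId | Out-Host

    $target = $protectors[$Index]
    $action = "Remove $($target.KeyProtectorType) key protector $($target.KeyProtectorId)"
    if ($PSCmdlet.ShouldProcess($MountPoint, $action)) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $target.KeyProtectorId
    }
}

# Dry run first; drop -WhatIf to actually remove the protector.
Remove-VolumeKeyProtector -MountPoint 'C:' -WhatIf
```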

Post by dgonzalez2882 »

Tried it out, this is what I got:
[Attachment: Capture.JPG]

Post by Cubert »

Is there a key still showing inside the plugin? If so this is a stale record and should be replaced upon next volume scan.

You have no keys currently set, so you look to have a completely unencrypted drive at the moment.
You have to add a key protector to the drive before it can encrypt.


And I guess that is why you are getting this error.
[Attachment: Screenshot 2023-01-06 114848.png]
You have no encrypted volume using any protector keys.

Post by dgonzalez2882 »

Is there a key still showing inside the plugin? If so this is a stale record and should be replaced upon next volume scan.

***Yes, how often is the scan? I posted about this issue a while ago so I would assume the volume scan already took place.

You have no keys currently set, so you look to have a completely unencrypted drive at the moment.
You have to add a key protector to the drive before it can encrypt.

***The drive is already unencrypted, for some reason the plugin is not seeing it that way.

And I guess that is why you are getting this error.
[Attachment: Screenshot 2023-01-06 114848.png]
You have no encrypted volume using any protector keys.

*** I followed the directions from this forum. Is there anything more detailed?

Post by Cubert »

There should be daily scans taking place. These scans are run via a scheduled script.

We need to see when the script is running and what its current output is.

To manually run scans:
In client view select to run scans:
[Attachment: Screenshot 2023-01-10 094812.png]


Next go to agent in question and view script logs for scan: (Should look something like this)

[Attachment: Screenshot 2023-01-10 094847.png]

As you read the log it should be running several SQL queries to add and remove records.

Can you send me these logs (post them here) so I can see what it's doing?

Post by dgonzalez2882 »

Here is the log info

The Script(616) was successful in the Then section.

Script: S616 - Starting at Server Time: Tuesday, January 10, 2023 7:14:07 PM
IF F1 T: 1.0538637
L4 F235 T: 1.0814415
L5 F70 Value (P1): VOLUMEDATA Comparer (P2): 8 To (P3): ('289','6283' Jump (P4): :INSERTVOLUMES T: 9.1172481
L8 F139 Note (P1): :INSERTVOLUMES T: 9.1172481
L9 F67 Sql (P1): 'INSERT IGNORE INTO plugin_p4a_bitlocker_volumes (`ClientID`,`ComputerID`,`VolumeType`,`Mou...' T: 9.1172481
L10 F235 T: 12.6247572
L11 F67 Sql (P1): 'DELETE FROM plugin_p4a_bitlocker_volumes WHERE ComputerID = '6283' and MountPoint NOT IN (...' T: 20.6632545
L12 F235 T: 20.6632545
L13 F67 Sql (P1): 'INSERT IGNORE INTO plugin_p4a_bitlocker_protectors (`ComputerID`,`ProtectorType`,`MountPoi...' T: 31.9232169
L14 F235 T: 31.9232169
L15 F67 Sql (P1): 'DELETE FROM plugin_p4a_bitlocker_protectors WHERE KeyProtectorID NOT IN )
and ComputerI...' T: 39.8027453

Post by Cubert »

Ok I see the issue,

Give me 20 minutes to make an update to the script. I'll post the updates here with link when available.


P.S.

There is a malformed delete query when no key IDs are present. A simple value test in the script should correct the issue you're seeing.
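
The kind of value test described in this post, as an added example that is not the plugin's script or the actual fix shipped in the later build: it builds the protector cleanup statement seen in the log and never emits an empty `NOT IN` list. The function name `New-ProtectorCleanupQuery`, the numeric `ComputerID`, and the choice to delete all of the computer's protector rows when the agent reports none are assumptions; the GUID check keeps reported IDs from being pasted into SQL unvalidated.

```powershell
# Added example; function name and empty-list behaviour are assumptions,
# only the table and column names come from the log in this thread.
function New-ProtectorCleanupQuery {
    param(
        [Parameter(Mandatory)][int]$ComputerId,
        # Key protector IDs the agent reported in its latest scan (may be empty).
        [string[]]$KeyProtectorId
    )

    # Accept only brace-wrapped GUIDs, the format BitLocker returns.
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    $ids = @($KeyProtectorId | Where-Object { $_ })
    foreach ($id in $ids) {
        if ($id -notmatch $guid) {
            throw "Unexpected key protector ID: $id"
        }
    }

    $base = "DELETE FROM plugin_p4a_bitlocker_protectors WHERE ComputerID = $ComputerId"

    # The value test: with no IDs there is nothing to exclude, so the
    # NOT IN clause is omitted instead of being written as 'NOT IN )'.
    if ($ids.Count -eq 0) {
        return $base
    }

    $list = ($ids | ForEach-Object { "'$_'" }) -join ','
    return "$base AND KeyProtectorID NOT IN ($list)"
}

# Constructed inputs: an agent with no protectors, then one with a single protector.
New-ProtectorCleanupQuery -ComputerId 6283 -KeyProtectorId @()
New-ProtectorCleanupQuery -ComputerId 6283 -KeyProtectorId '{88E8A649-A86E-49DE-A9A0-33CDDFA1249A}'
```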

Post by Cubert »

Ok I have now posted up build 1.0.0.14 that should resolve this issue.


After updating the plugin and restarting the DBagent, you should find the /maintenance/Bitlocker Automation script now at build 1.0.0.14.

If so then the upgrade was successful and you can now rescan agents or allow automation to do it. Automation is once a day so it may take several hours if not overnight for it to update itself.


Here is the download link:

https://delivery.shopifyapps.com/-/c148 ... a9a48ea2ae
