• In this guide, I’ll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you’ll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore.

  • Tony, Jakob, it seems you think that the article is suggesting a complicated method to an easy problem that can be solved by disjoining and re-joining. No, the article shows you the quickest way to get going again for each situation. And when you could do without a reboot, you would prefer that, wouldn’t you? So disjoining and joining again takes more time and should not be preferred.

  • If, at logon, you receive an error message that the trust relationship between a workstation and the primary domain failed, and you cannot log on, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still log on, but the network connections tray icon in the system tray claims that the computer is part of an unidentified network.

  • The purpose of this article is to raise awareness of the possibility of sending mail anonymously through Microsoft Exchange Servers and to show mitigations for the resulting risks. After setting up Exchange Server 2019, you might be unaware that it’s possible to send mail anonymously to internal recipients by default. This means that, using PowerShell, for example, anyone in your LAN may send messages to internal accounts without revealing their identity.


  • Self-solved, and the solution is rather cute: the above script brings up a dialogue window in which you may enter the PIN using your keyboard. If you leave it blank and JUST PRESS ENTER, the PIN-Pad activates on its own. Found accidentally 🙂

  • Hi.

    Imagine you are using a SmartCard to log on to Windows, a SmartCard with different credentials on it.

    When you want to run something as a different user, you press shift while right-clicking the executable to select “run as different user”, enter your SmartCard PIN and that’s it.

    I would like to script that process to have a 1-click experience. The script should ask for the SmartCard PIN and start my executable. I already have a script and it works as long as I use a Yubikey-like device, that is, a SmartCard reader that utilizes the laptop keyboard. However, I prefer to use an external SmartCard reader that has its own PIN pad, but with that thing, the script does not work.

    Expected behavior: the Pin Pad activates and asks for the PIN. Observed behavior: the PIN needs to be entered using the keyboard.

    Question: who of you PowerShell heroes understands what needs to be changed here to make this work:

    Function Get-SmartCardCred {
        [cmdletbinding()]
        param()

        # C# helper (Microsoft sample): turns the hash of the chosen certificate into a
        # marshaled credential blob that Windows accepts as the user name, paired with the PIN.
        $SmartCardCode = @"
    // Copyright (c) Microsoft Corporation. All rights reserved.
    // Licensed under the MIT License.

    using System;
    using System.Management.Automation;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Cryptography.X509Certificates;

    namespace SmartCardLogon
    {
        static class NativeMethods
        {
            public enum CRED_MARSHAL_TYPE
            {
                CertCredential = 1,
                UsernameTargetCredential
            }

            [StructLayout(LayoutKind.Sequential)]
            internal struct CERT_CREDENTIAL_INFO
            {
                public uint cbSize;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 20)]
                public byte[] rgbHashOfCert;
            }

            [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
            public static extern bool CredMarshalCredential(
                CRED_MARSHAL_TYPE CredType,
                IntPtr Credential,
                out IntPtr MarshaledCredential
            );

            [DllImport("advapi32.dll", SetLastError = true)]
            public static extern bool CredFree([In] IntPtr buffer);
        }

        public class Certificate
        {
            public static PSCredential MarshalFlow(string thumbprint, SecureString pin)
            {
                //
                // Set up the data struct
                //
                NativeMethods.CERT_CREDENTIAL_INFO certInfo = new NativeMethods.CERT_CREDENTIAL_INFO();
                certInfo.cbSize = (uint)Marshal.SizeOf(typeof(NativeMethods.CERT_CREDENTIAL_INFO));

                //
                // Locate the certificate in the certificate store
                //
                X509Certificate2 certCredential = new X509Certificate2();
                X509Store userMyStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                userMyStore.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection certsReturned = userMyStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                userMyStore.Close();

                if (certsReturned.Count == 0)
                {
                    throw new Exception("Unable to find the specified certificate.");
                }

                //
                // Marshal the certificate
                //
                certCredential = certsReturned[0];
                certInfo.rgbHashOfCert = certCredential.GetCertHash();
                int size = Marshal.SizeOf(certInfo);
                IntPtr pCertInfo = Marshal.AllocHGlobal(size);
                Marshal.StructureToPtr(certInfo, pCertInfo, false);
                IntPtr marshaledCredential = IntPtr.Zero;
                bool result = NativeMethods.CredMarshalCredential(NativeMethods.CRED_MARSHAL_TYPE.CertCredential, pCertInfo, out marshaledCredential);

                string certBlobForUsername = null;
                PSCredential psCreds = null;

                if (result)
                {
                    certBlobForUsername = Marshal.PtrToStringUni(marshaledCredential);
                    psCreds = new PSCredential(certBlobForUsername, pin);
                }

                Marshal.FreeHGlobal(pCertInfo);
                if (marshaledCredential != IntPtr.Zero)
                {
                    NativeMethods.CredFree(marshaledCredential);
                }

                return psCreds;
            }
        }
    }
    "@

        Add-Type -TypeDefinition $SmartCardCode -Language CSharp
        Add-Type -AssemblyName System.Security

        # Let the user pick the logon certificate from the personal store.
        $ValidCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem 'Cert:\CurrentUser\My')
        $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection($ValidCerts, 'Choose a certificate', 'Choose a certificate', 0)

        # The PIN is read from the keyboard here; this is the step the question is about.
        $Pin = Read-Host "Enter your PIN: " -AsSecureString

        Write-Output ([SmartCardLogon.Certificate]::MarshalFlow($Cert.Thumbprint, $Pin))
    }

    $cred = Get-SmartCardCred

    # Start the executable with the marshaled certificate credential as user name / PIN as password.
    $StartInfo = New-Object System.Diagnostics.ProcessStartInfo
    $StartInfo.FileName = 'cmd.exe'
    $StartInfo.UseShellExecute = $false
    $StartInfo.UserName = $Cred.Username
    $StartInfo.Password = $Cred.Password
    $StartInfo.WorkingDirectory = $env:windir
    $Process = New-Object System.Diagnostics.Process
    $Process.StartInfo = $StartInfo
    $Process.Start()
    $Cred = $null

    How do code tags work here?
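    An added sanity check for the script above (this is my example, not part of the original post or of Microsoft's sample): before the marshaled credential is handed to ProcessStartInfo, it unmarshals the blob in $cred.UserName with the documented advapi32 function CredUnmarshalCredential, confirms the blob is really a certificate credential, and resolves the embedded SHA-1 hash back to a certificate in Cert:\CurrentUser\My. A mismatch here means the wrong certificate would be used for the logon. It assumes Get-SmartCardCred from the script is already loaded in the session; the names SmartCardLogonCheck.CredCheck and Resolve-SmartCardCred are my own.

    ```powershell
    # Added example: validate a marshaled certificate credential produced by Get-SmartCardCred.
    # Names SmartCardLogonCheck / CredCheck / Resolve-SmartCardCred are assumptions, not from the post.
    $UnmarshalCode = @"
    using System;
    using System.Runtime.InteropServices;

    namespace SmartCardLogonCheck
    {
        public static class CredCheck
        {
            public enum CRED_MARSHAL_TYPE { CertCredential = 1, UsernameTargetCredential }

            // Same layout as CERT_CREDENTIAL_INFO in wincred.h: size field plus 20-byte SHA-1 hash.
            [StructLayout(LayoutKind.Sequential)]
            public struct CERT_CREDENTIAL_INFO
            {
                public uint cbSize;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 20)]
                public byte[] rgbHashOfCert;
            }

            // Documented Win32 API: inverse of CredMarshalCredential used by the script.
            [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
            static extern bool CredUnmarshalCredential(string MarshaledCredential, out CRED_MARSHAL_TYPE CredType, out IntPtr Credential);

            [DllImport("advapi32.dll", SetLastError = true)]
            static extern bool CredFree(IntPtr Buffer);

            // Returns the upper-case hex SHA-1 hash embedded in a marshaled certificate credential,
            // or null when the string is a different kind of marshaled credential.
            public static string GetCertHash(string marshaled)
            {
                CRED_MARSHAL_TYPE type;
                IntPtr p;
                if (!CredUnmarshalCredential(marshaled, out type, out p))
                    throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
                try
                {
                    if (type != CRED_MARSHAL_TYPE.CertCredential) return null;
                    CERT_CREDENTIAL_INFO info = (CERT_CREDENTIAL_INFO)Marshal.PtrToStructure(p, typeof(CERT_CREDENTIAL_INFO));
                    return BitConverter.ToString(info.rgbHashOfCert).Replace("-", "");
                }
                finally
                {
                    // The buffer returned by CredUnmarshalCredential must be released with CredFree.
                    CredFree(p);
                }
            }
        }
    }
    "@
    Add-Type -TypeDefinition $UnmarshalCode -Language CSharp

    function Resolve-SmartCardCred {
        [CmdletBinding()]
        param([Parameter(Mandatory)][pscredential]$Credential)

        $hash = [SmartCardLogonCheck.CredCheck]::GetCertHash($Credential.UserName)
        if (-not $hash) {
            throw 'UserName is not a marshaled certificate credential.'
        }
        # Thumbprint in the Cert: drive is the same SHA-1 hash, upper-case hex without separators.
        $cert = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.Thumbprint -eq $hash }
        if (-not $cert) {
            throw "No certificate with thumbprint $hash found in Cert:\CurrentUser\My."
        }
        return $cert
    }

    # Usage: build the credential with the script's own function, then verify it
    # before it is used as UserName/Password for a new process.
    $cred = Get-SmartCardCred
    $chosen = Resolve-SmartCardCred -Credential $cred
    Write-Host "Credential refers to: $($chosen.Subject) ($($chosen.Thumbprint))"
    ```

    The check only reads the user name part of the credential; the PIN in $cred.Password is never touched, so it can be run right before the process start without changing the flow the script uses.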

  • We use this since 2006 – never had a problem restoring such a backup no matter how it was created.

    For DR, he would not need to use sector based backups nor disable or even suspend Bitlocker – that was his main fear, he confused suspending Bitlocker for disabling (decrypting) the drive, by the way, but even this (suspending) is not needed.

  • That said, it’s also possible from WinPE to mount a bitlocked drive using a bek file, for example (manage-bde -unlock c: -rk e:\some.bek), and do drive snapshot afterwards, if you prefer to get an unencrypted image.

  • Drive snapshot is a command line tool which (as x64 version) may run from any WinPE or Windows setup based WinPE.

    If it does not recognize the file system, it simply copies all sectors. That does not make a difference for the result.

  • Drive Snapshot – Disk Image Backup for Windows NT/2000/XP/2003/X64

    I understand what the question was, don’t worry. We are doing DR backups of bitlocked drives for as long as Vista is out.

  • With drive snapshot, this is a standard procedure, supported and documented.

    Clonezilla of course doesn’t care at all for whatever encryption, it just clones, so all just works again on the new drive.

  • I’ll share my 1st hand experience:

    When you use the famous drive snapshot for DR image backups while windows is running (and the bitlocked drives are of course unlocked), it will create snapshot files (.sna) that you may mount afterwards to retrieve single files or folders if you like. You may also restore these full disk images any time and guess what, the system will be bootable and bitlocked with the same keys.

    When you use another famous (and free) tool, clonezilla, you boot it and again, you don’t need to suspend bitlocker. Clonezilla will clone sector for sector to either a new disk or to an image which you may restore to the same disk. The cloned disk will be encrypted and works with the same keys.

  • About the final sentence “The interactive configuration on unmanaged devices can easily be abused by attackers as soon as they gain administrative rights. In this form, this feature offers little protection” – as indicated, this implies the hacker has to be logged on interactively (console or RDP) and not only limited to connect through for example remote PowerShell. So for those hackers using remote shell or similar tools, even without cloud-based management, this is a serious hurdle when turned on.

  • I have to correct myself: It does not occur if you use mstsc /remoteguard, but only when you set the policy to require remote credential guard at the client.

  • Hi Wolfgang.

    I am using remote credential guard, but there’s a technical detail I don’t understand at all: imagine you have a domain user that may not log on anywhere, say, he may only log on to PC1 and PC2. But using mstsc /remoteguard, he may successfully connect from PC1 to PC3 (given that the registry key DisableRestrictedAdmin is set to 0 at PC3, else it does not work).

    Why is that? Where’s the logic?

  • Setting up a remote-controlled browser system (ReCoBS) is one way to create a safe browsing environment for your end users using a Windows Server with a seamless RemoteApp browser window.

© 4sysops 2006 - 2022
