
Macrium Reflect can include the components necessary to unlock Microsoft BitLocker drives in Windows PE.


Saving the recovery key


Note: It isn't absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without problems but will require re-encrypting on reboot.

Unlocking the drive in Windows PE enables intelligent sector copy imaging and cloning, RapidDelta Restore (RDR) and also free access to the drives contents using PE Explorer.

To use BitLocker in Windows PE you must select 'Optional Components' when building your Windows PE rescue media.
Please see Creating rescue media for more information.

Enabling export of the BitLocker recovery key


The .BEK recovery key file needs to be exported and saved to a USB drive.

In addition, restoring to an unlocked drive will retain the encryption status of the drive when rebooting.

Automatically unlocking BitLocker encrypted drives

Macrium Reflect can include the components and decryption keys necessary to automatically unlock Microsoft BitLocker encrypted drives in Windows PE.

In the Rescue Media Wizard select 'Include optional components' and 'Automatically unlock BitLocker encrypted drives'.

When Windows PE starts, any BitLocker locked drives that were attached when the recovery media was created will be automatically unlocked.

Unlocking BitLocker encrypted drives using a USB stick

Automatically unlocking encrypted drives when PE starts may present an unacceptable security risk for some users. Automatic unlocking requires no user intervention and the Macrium Reflect boot menu is able to access encrypted drives without password entry. An alternative method is to de-select the 'Automatically unlock BitLocker encrypted drives' option in the rescue media Wizard:


You can then save BitLocker Encryption Key files (.BEK) and/or BitLocker password TXT files to the root of any USB stick.  This could also be a Windows PE rescue media USB stick.

  1. In Windows Explorer, right click on any BitLocker encrypted drive and click on ‘Manage BitLocker’.
  2. In the newly opened window click ‘Back up your recovery key’.
  3. In the BitLocker Drive Encryption wizard select ‘Save to a USB flash drive’ and choose the USB device you want to save to.

    After choosing the USB device you want to save the Recovery Key file to, click ‘Save’ and then ‘Finish’ in the BitLocker Drive Encryption wizard. This action will save a .BEK file and/or a recovery password text file to the chosen USB device.

    Note: The .BEK file is a protected operating system file. It is hidden by default and won't be visible within Windows Explorer. It can be made visible by changing Folder Options and de-selecting the option to ‘Hide Protected operating system files’.

Unlocking the drive in Windows PE

The encrypted drive can now be unlocked in Windows PE.

Note: The drive without a visible File system or Size will be the BitLocker encrypted drive. In this case the drive is E:

In the command line enter “manage-bde -unlock E: -RecoveryKey D:\” then press the ‘Tab’ key until you see a file name that resembles the following combination: “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX” and ends with “.BEK”. This auto-completes the line after the drive letter.

    manage-bde -unlock E: -RecoveryKey D:\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX.BEK

Note: Your recovery key may be located on a different drive to D: and your BitLocker encrypted drive may be different to E:. Please ensure that you use the correct drive letters.

After entering the command press ‘Enter’ to unlock the BitLocker Encrypted drive:

After refreshing the drives in Macrium Reflect you will now be able to see a drive letter and a status on the drive that was locked.
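
The manual unlock above can be scripted when drive letters are not known in advance. The following batch file is an added example, not Macrium's code: it tries every .BEK file found in the root of any attached drive against every volume that manage-bde reports as locked. It assumes English manage-bde output and the labels `:IsLocked` and `:TryKeys` are names chosen for this example.

```bat
@echo off
rem Added example, not Macrium's code. Run from the Windows PE command prompt.
rem Assumes English manage-bde output and .BEK files saved to the root of a drive.
setlocal
set LETTERS=C D E F G H I J K L M N O P Q R S T U V W X Y Z

rem Check each drive letter; only locked BitLocker volumes are passed to :TryKeys.
for %%V in (%LETTERS%) do (
    call :IsLocked %%V && call :TryKeys %%V
)
endlocal
exit /b 0

:IsLocked
rem Returns 0 only when manage-bde reports "Lock Status: Locked" for the volume.
rem findstr is case-sensitive, so "Locked" does not match "Unlocked".
manage-bde -status %1: 2>nul | findstr /c:"Lock Status" | findstr /c:"Locked" >nul
exit /b %errorlevel%

:TryKeys
rem Try every .BEK file in the root of every drive against volume %1.
rem dir /a is required because .BEK files are hidden protected
rem operating system files and a plain dir would not list them.
for %%K in (%LETTERS%) do (
    for /f "delims=" %%F in ('dir /a /b "%%K:\*.BEK" 2^>nul') do (
        rem && runs the block only when manage-bde exits with code 0.
        manage-bde -unlock %1: -RecoveryKey "%%K:\%%F" >nul 2>&1 && (
            echo %1: unlocked with %%K:\%%F
            exit /b 0
        )
    )
)
echo %1: still locked, no matching .BEK file found
exit /b 1
```

Because the script needs the USB stick to be attached, removing the stick after use leaves the rescue media itself without any key material.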

You can add as many keys as you have encrypted drives.


When Windows PE starts, ensure that your USB flash drive is attached to your PC. Your encrypted drives will then be automatically unlocked when Macrium Reflect initializes.