Macrium Reflect can include the components necessary to unlock Microsoft BitLocker drives in Windows PE.
Saving the recovery key
Note: It isn't absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without problems but will require re-encrypting on reboot.
To use BitLocker in Windows PE you must select 'Optional Components' when building your Windows PE rescue media.
Please see Creating rescue media for more information.
Enabling export of the BitLocker recovery key
The .BEK recovery key file needs to be exported and saved to a USB drive.

In addition, restoring to an unlocked drive will retain the encryption status of the drive when rebooting.
Automatically unlocking BitLocker encrypted drives
Macrium Reflect can include the components and decryption keys necessary to automatically unlock Microsoft BitLocker encrypted drives in Windows PE.
In the Rescue Media Wizard select 'Include optional components' and 'Automatically unlock BitLocker encrypted drives'.
When Windows PE starts, any BitLocker locked drives that were attached when the recovery media was created will be automatically unlocked.
Unlocking BitLocker encrypted drives using a USB stick
Automatically unlocking encrypted drives when PE starts may present an unacceptable security risk for some users. Automatic unlocking requires no user intervention and the Macrium Reflect boot menu is able to access encrypted drives without password entry. An alternative method is to de-select the 'Automatically unlock BitLocker encrypted drives' option in the rescue media Wizard:
You can then save BitLocker Encryption Key files (.BEK) and/or BitLocker password TXT files to the root of any USB stick. This could also be a Windows PE rescue media USB stick.
- In Windows Explorer, right click on any BitLocker encrypted drive and click on ‘Manage BitLocker’.
- In the newly opened window click ‘Back up your recovery key’
- In the BitLocker Drive Encryption wizard select ‘Save to a USB flash drive’ and choose the USB device you want to save to.
After choosing the USB device you want to save the Recovery Key file to, click ‘Save’ and then ‘Finish’ in the BitLocker Drive encryption wizard. This action will save a .BEK file and/or a recovery password text file to the chosen USB device.
Note: The .BEK file is a protected operating system file; it is hidden by default and won't be visible within Windows Explorer. It can be made visible by changing Folder Options and de-selecting the option to ‘Hide Protected operating system files’.
Unlocking the drive in Windows PE
The encrypted drive can now be unlocked in Windows PE
The drive without a visible File system or Size will be the BitLocker encrypted drive. In this case the drive is E:
In the command line enter “manage-bde -unlock E: -RecoveryKey D:\” then press the ‘Tab’ key until you see a key that resembles the following combination: “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX” and ends with “.BEK” to auto-complete the line after the drive letter.

```
manage-bde -unlock E: -RecoveryKey D:\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX.BEK
```
Note: Your recovery key may be located on a different drive to D: and your BitLocker encrypted drive may be different to E:. Please ensure that you use the correct drive letters.
After entering the command press ‘Enter’ to unlock the BitLocker Encrypted drive:
After refreshing the drives in Macrium Reflect you will now be able to see a drive letter and a status on the drive that was locked.
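The manual unlock steps above can also be run as a batch file from the Windows PE command prompt. This is an added example, not part of the original Macrium documentation; it assumes the drive letters used on this page (E: for the locked volume, D: for the USB stick) and tries each .BEK file in the root of the key drive, listing them with `dir /a` because the key files are hidden system files.

```bat
@echo off
rem Added example, not from the original page. Assumes the drive letters used
rem on this page: E: is the locked volume, D: is the USB stick with the keys.
setlocal
set "VOL=E:"
set "KEYDRV=D:"

rem Show the current lock state before doing anything.
manage-bde -status %VOL%

rem .BEK files are hidden protected system files, so a plain "dir" will not
rem list them. /a:-d includes hidden and system files but skips directories,
rem /b prints bare file names only.
for /f "delims=" %%K in ('dir /a:-d /b "%KEYDRV%\*.BEK" 2^>nul') do (
    echo Trying %KEYDRV%\%%K
    manage-bde -unlock %VOL% -RecoveryKey "%KEYDRV%\%%K" && goto unlocked
)

echo No .BEK file in the root of %KEYDRV% unlocked %VOL%. Check the drive letters.
exit /b 1

:unlocked
rem Confirm the volume now reports as unlocked, then refresh the drives in Reflect.
manage-bde -status %VOL%
exit /b 0
```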
You can add as many keys as you have encrypted drives.
When Windows PE starts, ensure that your USB flash drive is attached to your PC. Your encrypted drives will then be automatically unlocked when Macrium Reflect initializes.