Macrium Reflect can be used to image, restore and clone volumes encrypted with Microsoft BitLocker encryption. Unlocked BitLocker encrypted volumes are presented to the OS in the ‘clear’, that is, they appear like any other file system. When creating a disk image that includes an unlocked BitLocker volume, the image will contain the file system in an unencrypted state. This has the advantage that intelligent incremental images are possible and also reduces the image size considerably. Unused clusters aren’t backed up and the unencrypted data will more readily compress.
Info |
---|
Because BitLocker file systems are unencrypted in Macrium images, you may want to consider using the built-in AES encryption provided with Macrium Reflect for your image files. |
When restoring to a volume protected by BitLocker, there are three possible outcomes: BitLocker Live restore, BitLocker Encrypted restore and BitLocker Removal restore.
BitLocker removal restore
The entire file system is written to disk. This will happen if the target is BitLocker ‘locked’, the target has no partition or the partition being replaced is a different size to the source. In this case BitLocker :
Icon | Description |
---|---|
| 1. BitLocker Live restore/clone. BitLocker state is preserved for the restored/cloned partition and the volume is unlocked. |
| 2. BitLocker Encrypted restore/clone |
No Icon | 3. BitLocker Removal restore/clone. The file system is restored/cloned in the clear and BitLocker must be manually re-enabled on the restored |
...
After restoring, BitLocker must be re-enabled.
...
Info |
---|
Note: After re-encrypting you will also need to re-create your rescue media to ensure that auto-unlock continues to work. See: Adding BitLocker support to Windows PE |
BitLocker Live Restore
...
/cloned volume to maintain encryption protection. |
Info |
---|
For images created after Macrium Reflect v7.1.2722 the restore outcome is indicated in the Restore Wizard with an icon shown on the target disk after copying partitions or using Drag and Drop. |
...
BitLocker Live Restore/Clone
Outcome: A Rapid Delta Restore/Clone of the source file system on top of the existing unlocked BitLocker volume. This
A live restore/clone will happen if the target file system is BitLocker unlocked, is the same volume as the source volume in the image and is the same size. In this case the BitLocker encryption state of the file system is preserved after restoring/cloning. When restoring a system partition the system will boot normally using the TPM protector key or password to decrypt the system volume.
The Restore/Clone Wizard will show the 'Unlocked Padlock' icon for both the source and target partition indicating a Live Restore/Clone.
Info |
---|
Note: If the image was created with v7.1.2722 or earlier the source partition will not show a BitLocker icon. |
In the example below an image of Unlocked Drive C is being restored to the original unlocked drive.
During a 'Live Restore', the Partition Type will be shown as 'BitLocker Unlocked' along with 'Live Restore' in the restore dialog.
After restoring/cloning, Windows Explorer will show the drive 'C' with the open padlock icon.
Info |
---|
To restore to an unlocked BitLocker system drive your Windows PE rescue media must contain BitLocker components, and for auto restore, must be set to 'Auto unlock BitLocker drives'. For more information see: Adding BitLocker support to Windows PE |
Info |
---|
Please also see this restore error that can occur when using 'Drag and Drop' to restore to a BitLockered volume |
Examples
Real world examples of the two different restore outcomes can be shown using image restores to flip between the '1607 - Anniversary update' of Windows 10 and the '1703 - Creators update' on a TPM BitLockered system.
...
...
1703 - Creators update:
The same outcomes apply when restoring between any version of Windows where drive 'C:' has changed size. This includes Windows 1709 - Fall Creators Update and later.
1. BitLocker Live Restore. Restoring an image of Windows 1607 - Anniversary update.
In this scenario we are simply restoring a Windows system back to the same partition layout as when the image was created. The Macrium Windows PE boot menu has previously been activated.
2. BitLocker Removal Restore. Restoring an image of Windows 1703 - Creators update to 1607 - Anniversary update
In this scenario we are restoring a Windows 1607 Anniversary Update system to Windows 1703 - Creators Update. This will re-layout the system drive to add the additional 490 MB partition and shrink 'C:' by 490 MB. BitLocker on the C drive will be removed, so it will be necessary to re-enable BitLocker after restore. The Macrium Windows PE boot menu has previously been activated.
3. BitLocker Removal Restore. Restoring an image of Windows 1607 - Anniversary update to 1703 - Creators update
In this scenario we are restoring a Windows 1703 - Creators Update system back to 1607 Anniversary Update. This will re-layout the system drive to remove the additional 490 MB partition and extend 'C:' by 490 MB. BitLocker on the C drive will be removed, so it will be necessary to re-enable BitLocker after restore. The Macrium Windows PE boot menu has previously been activated.
BitLocker Encrypted Restore/Clone
Outcome: The restored or cloned file system will be in a BitLocker encrypted state and can be unlocked after restoring or cloning.
Info |
---|
An image of a locked BitLocker encrypted volume will be approximately the same size as the entire imaged file system. The file system cannot be read so unused space cannot be omitted and encrypted data does not readily compress. |
An image or clone of a locked BitLocker encrypted volume can be restored or cloned to *any available position on the target disk.
*The following exceptions apply to the restored location:
- The source encrypted volume cannot be restored or cloned to a 'legacy' logical drive in an Extended partition unless the source was also a logical drive.
- The source encrypted volume cannot be restored or cloned to a Windows Dynamic volume. Dynamic volumes do not support BitLocker encryption.
In the example below an image of a BitLocker locked partition (E:) is being restored to a different location on disk.
This partition could be restored to *any position and would still retain its BitLocker locked state after restoring.
The text 'Encrypted Restore' will be shown in the restore/clone dialog.
After restoring/cloning, the drive can be unlocked by right-clicking in Windows Explorer.
...
BitLocker Removal Restore/Clone
Outcome: The entire file system is restored in the clear and BitLocker must be manually re-enabled on the restored/cloned file system.
BitLocker encryption used to encrypt the source file system will be removed if the target file system did not originate from the same format command, is a different size or is not BitLocker unlocked.
In the example below a BitLocker Unlocked system disk is being restored to an empty disk:
The restore/clone outcome is shown with no BitLocker icon on the restored partition when 'Copy selected partitions' is clicked.
The restore/clone dialog will display a warning message to indicate a BitLocker Removal restore when the 'Next' button is clicked:
Info |
---|
Note: Images created using Macrium Reflect v7.1.2722 or earlier will not show this warning message or the source BitLocker icon. In this case it isn't possible for Macrium Reflect to detect that the original volume was BitLocker encrypted. |
The text 'Removal Restore' will be shown in the restore dialog.
After restoring, BitLocker must be re-enabled.
Follow the wizard prompts to re-encrypt the drive.
Warning |
---|
Note: After re-encrypting you will also need to re-create your rescue media to ensure that auto-unlock continues to function. See: Adding BitLocker support to Windows PE |
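
A Removal restore leaves the volume in the clear until BitLocker is re-enabled, so it is worth confirming the state from the restored Windows system rather than relying on the Explorer icon. The script below is an added example, not part of the Macrium documentation; it uses the `Get-BitLockerVolume` cmdlet from the Windows BitLocker module, and the function name `Get-UnprotectedVolume` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: report volumes that are not protected by BitLocker after a
# restore/clone. Get-UnprotectedVolume is a hypothetical helper name;
# Get-BitLockerVolume comes from the built-in BitLocker module.

function Get-UnprotectedVolume {
    [CmdletBinding()]
    param(
        # Mount points to check; default is every volume BitLocker reports.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) {
        Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        Get-BitLockerVolume
    }

    foreach ($v in $volumes) {
        # A locked volume is still encrypted and cannot be inspected further.
        if ($v.LockStatus -eq 'Locked') { continue }

        $reasons = @()
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $reasons += "VolumeStatus=$($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)"
        }
        if ($v.ProtectionStatus -ne 'On') {
            # Off covers both a decrypted volume and suspended protection.
            $reasons += "ProtectionStatus=$($v.ProtectionStatus)"
        }
        if (-not $v.KeyProtector) {
            $reasons += 'no key protectors defined'
        }

        if ($reasons) {
            [pscustomobject]@{
                MountPoint = $v.MountPoint
                VolumeType = $v.VolumeType
                Reasons    = $reasons -join '; '
            }
        }
    }
}

$findings = @(Get-UnprotectedVolume)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning 'One or more volumes are in the clear; re-enable BitLocker on them.'
    exit 1
}
Write-Output 'All unlocked volumes are fully encrypted with protection on.'
```

Saved as a script and run after each restore or clone, the non-zero exit code lets a deployment task flag a machine that was returned to service without re-encryption.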
...