Adding BitLocker support to Windows PE

To enable BitLocker Encrypted systems to export a .BEK recovery key it's necessary to ensure that some settings are enabled in the Windows Group Policy Editor

1. Navigate to ‘Start’ and type in 'gpedit.msc'. In the editor navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
   Ensure that 'Require additional Authentication at startup' is enabled 
   
   
2. Select 'Choose how BitLocker protected operating system drives can be recovered'.
   
   
   Set the settings as shown below to enable creation of a .BEK recovery key.
   

The .BEK recovery key file needs to be exported and saved to a USB drive

1. In Windows Explorer, right click the BitLocker encrypted drive and click on ‘Manage BitLocker’
   
2.  In the newly opened window click ‘Back up your recovery key’
   
3.  In the BitLocker Drive Encryption wizard select ‘Save to a USB flash drive’ and chose the USB device you want to save to. 
   
   
   

   After choosing the USB device you want to save the Recovery Key file to, click ‘Save’ and then ‘Finish’ in the BitLocker Drive encryption wizard. This action will save a .BEK file on to the chosen USB device.
   
   

   Note: The .BEK file is a protected operating system file, it is hidden by default and won't be visible within Windows Explorer. it can be made visible by changing Folder Options and se-selecting the option to ‘Hide Protected operating system files’.

    

4. If you haven't done so already, create your Windows PE recovery media and ensure that your Windows PE rescue media has been created with the 'Include optional components' option selected.
   

The encrypted drive can now be unlocked in Windows PE

1. Boot into Windows PE. Click the Backup tab. The encrypted drive will be visible and its status will be ‘BitLocker Locked’. It will not have a drive letter.
   
2.  A drive letter will be needed to unlock the encrypted drive.   
   Open ‘Window PE Explorer’, Click on the computer icon in the bottom left hand corner of your screen. A new window will appear presenting all the Drives available to Windows PE.  

   
   

   The drive without a visible File system or Size will be the BitLocker encrypted drive. In this case the drive is E:

    

3. Start a command prompt.
   
   
   

   The command line can be accessed by clicking the black icon on the bottom left corner of your screen.
   
   

4. In the command line enter “manage-bde -unlock E: - RecoveryKey D:\” then press the ‘Tab’ key until you see a key that resembles the following combination: “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX” and ends with “.BEK” to auto-complete the line after the drive letter.

   manage-bde -unlock E: - RecoveryKey D:\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX.BEK

   Note: Your recovery key may be located on a different drive to D:. and your BitLockered drive maybe different to E:. Please ensure that you use the correct drive letters.

   After entering the command press ‘Enter’ to unlock the BitLocker Encrypted drive:
   

5. To make the drive accesible in Macrium Reflect, select the 'Backup' tab in Reflect and click Refresh.
   

6. After refreshing the drives in Macrium Reflect you will now be able to see a drive letter and a status on the drive that was locked.