Techie Tuesday: Adding BitLocker support to Windows PE
Note: It isn’t absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without a problem and will be automatically re-encrypted on reboot. However, unlocking the drive in Windows PE enables intelligent sector copy imaging and cloning, RapidDelta Restore (RDR) and free access to the drive’s contents using PE Explorer.
Automatically unlocking BitLocker encrypted drives
Macrium Reflect can automatically include the components and decryption keys necessary to unlock Microsoft BitLocker encrypted drives in Windows PE.
In the Rescue Media Wizard select ‘Include optional components’ and ‘Automatically unlock BitLocker encrypted drives’.
When Windows PE starts, any BitLocker encrypted drives that were unlocked and attached when the rescue media was created will be unlocked automatically in PE.
Unlocking BitLocker encrypted drives using a USB stick
Automatically unlocking encrypted drives when PE starts may present an unacceptable security risk for some users: automatic unlocking requires no user intervention, so the Macrium Reflect boot menu (and anyone who boots the rescue media) can access the encrypted drives without password entry. The alternative is to de-select the ‘Automatically unlock BitLocker encrypted drives’ option in the Rescue Media Wizard.
You can then save BitLocker recovery key files (.BEK) and/or BitLocker recovery password TXT files to the root of any USB stick. This can also be the Windows PE rescue media USB stick itself.
- In Windows Explorer, right click on any BitLocker encrypted drive and click on ‘Manage BitLocker’.
- In the newly opened window click ‘Back up your recovery key’
- In the BitLocker Drive Encryption wizard select ‘Save to a USB flash drive’ and choose the USB device you want to save to.
- After choosing the USB device you want to save the recovery key file to, click ‘Save’ and then ‘Finish’ in the BitLocker Drive Encryption wizard. This saves a .BEK file and/or a recovery password text file to the chosen USB device.
Note: The .BEK file is a protected operating system file; it is hidden by default and won’t be visible in Windows Explorer. It can be made visible by changing Folder Options and de-selecting ‘Hide protected operating system files’. You can add as many keys as you have encrypted drives.
When Windows PE starts, ensure that the USB flash drive is attached to your PC. Your encrypted drives will then be unlocked automatically when Macrium Reflect initializes. Bear in mind that a .BEK or recovery password file unlocks the drive on its own, without any password, so the USB stick holding it needs the same physical protection you would give the unlocked drive.
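The same export done from PowerShell, as an added example that is not code from the Macrium article or from Macrium: it adds a recovery password and a recovery key (.BEK) protector to every unlocked BitLocker volume, writes both to the root of the USB stick, lists the hidden .BEK files, and reports any XTS-AES volumes (the case the PE 10 1607 note below refers to). It assumes an elevated PowerShell session on the Windows installation that owns the volumes, the built-in BitLocker module (Windows 8 / Server 2012 and later) and a hypothetical USB stick at E:\; the TXT file name and layout only approximate what the Windows wizard writes, so if Reflect does not pick up the password file, rely on the .BEK, which Windows itself creates.

```powershell
# Added example, not code from the Macrium article: PowerShell equivalent of the
# Manage BitLocker / "Back up your recovery key" / "Save to a USB flash drive" steps.
# Assumptions (not stated on the page): elevated session, BitLocker module present,
# $UsbRoot is the USB stick (E:\ is a hypothetical value).
param(
    [string]$UsbRoot = 'E:\'
)

Import-Module BitLocker -ErrorAction Stop

if (-not (Test-Path -LiteralPath $UsbRoot)) {
    throw "USB stick root '$UsbRoot' is not present"
}

# Protectors can only be added to volumes that are encrypted and currently unlocked.
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.LockStatus -eq 'Unlocked' }

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint

    # 1. Recovery password (48 digits). Reuse an existing protector rather than
    #    adding another one on every run.
    $pwProt = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    if (-not $pwProt) {
        $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $pwProt = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object -First 1
    }

    # File name and layout approximate the wizard's output (assumption). The
    # identifier is what the BitLocker recovery screen shows, so the file can be
    # matched to the volume asking for it.
    $id  = $pwProt.KeyProtectorId.Trim('{}')
    $txt = Join-Path $UsbRoot "BitLocker Recovery Key $id.TXT"
    @(
        'BitLocker Drive Encryption recovery key'
        ''
        "Identifier: $($pwProt.KeyProtectorId)"
        "Recovery Key: $($pwProt.RecoveryPassword)"
    ) | Set-Content -LiteralPath $txt -Encoding Unicode

    # 2. Recovery key (external key) protector: Windows writes <KeyProtectorId>.BEK
    #    into $UsbRoot with hidden + system attributes. That file alone unlocks the
    #    volume, so the stick needs the same physical protection as the password.
    $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryKeyProtector -RecoveryKeyPath $UsbRoot
    $bek = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'ExternalKey' } |
        Select-Object -Last 1

    '{0}  method={1}  password-file={2}  bek={3}' -f $mp, $vol.EncryptionMethod, $txt, $bek.KeyFileName
}

# .BEK files are protected OS files: Explorer and a plain dir hide them, -Force
# shows them (the Folder Options note above).
Get-ChildItem -LiteralPath $UsbRoot -Filter '*.BEK' -Force |
    Select-Object Name, Attributes, Length

# XTS-AES volumes (the default from Windows 10 1511 on) are the ones for which the
# newer PE 10 1607 build is needed.
$xts = $volumes | Where-Object { $_.EncryptionMethod -like 'XtsAes*' }
if ($xts) {
    'XTS-AES volumes present, PE 10 1607 is required: ' + ($xts.MountPoint -join ', ')
}

# In Windows PE, if Reflect has not unlocked a volume, the same files unlock it by
# hand (substitute your own drive letter, file name and 48-digit password):
#   manage-bde -unlock D: -RecoveryKey E:\<KeyProtectorId>.BEK
#   manage-bde -unlock D: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
```

Run it once per machine; rerunning adds a fresh .BEK (and a fresh ExternalKey protector) each time, which `manage-bde -protectors -get <drive>` will list, so delete protectors you no longer hold files for with `Remove-BitLockerKeyProtector`. The `Get-ChildItem -Force` line is the quick check that the hidden .BEK files really landed in the root of the stick, which is where Reflect looks for them.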
Note: PE 10 1607 is only needed when using BitLocker XTS encryption or iSCSI; otherwise it is a wasted download. So, if you are already using PE 10, Reflect checks for XTS-encrypted BitLocker partitions and only downloads 1607 if it finds any.
You can force a rebuild using PE 10 1607 by setting the following registry entry and rebuilding your rescue media.