Windows PE Rescue does not detect bitlocker drives


karos
New Member (44 reputation)
Group: Forum Members
Posts: 24, Visits: 65
Running:
Windows 10 21H1
Macrium Reflect 8.0.5945

I've created a pendrive bootable media with Rescue builder. I've chosen BitLocker support but not automatic (I don't want my decrypt keys on a simple pendrive).
The problem is, I reboot, and PE boots fine but is not able to unlock or detect any BitLocker partitions. I select "Browse for a backup file..." --> "Select a backup file" --> It displays several units like "Local Disk (D:)" but when I click on it nothing happens. It doesn't try to unlock the drive or ask for any password. It only displays size and filesystem for 2 small partitions created by the Windows 10 installer.

If I choose to auto unlock BitLocker before creating the media, then it works.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Windows PE/RE does not have a graphical interface to prompt for unlocking BitLocker drives as full Windows does. You need to use the manage-bde utility in Command Prompt, which you can open from the button on the taskbar.
Edited 31 May 2021 9:23 PM by jphughan
karos
New Member (44 reputation)
Group: Forum Members
Posts: 24, Visits: 65
Oh, didn't expect that. At least some warning or something should be present when creating the PE or when booting from it. Thank you very much for the insights.

Edited 1 June 2021 12:13 AM by karos
jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Happy to help. This is mentioned in the Reflect documentation. :)
Edited 1 June 2021 2:34 AM by jphughan
RandySea
Talented Member (118 reputation)
Group: Forum Members
Posts: 90, Visits: 217
What about drives Bitlocker-encrypted automatically by Windows 10 Pro but not activated? Do they create any problems?

This is something I just learned about by chance. At some point when I (and zillions of other users) installed or upgraded Win 10 and used my MS or Live account, Windows just went ahead and encrypted my C: and D: partitions. It gave no notice nor gave me any password or encryption key. I only found out when I tried to resize a partition and couldn't do it because of the Bitlocker encryption.

I got around this by decrypting my partitions using manage-bde from a command line. I have no idea whether this could have caused any problem with using a PE rescue.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
Yes, the fact that BitLocker ships “pre-staged” on some PCs has been a bit of a hazard. The way it works is that the BitLocker encryption is done beforehand and then BitLocker is kept in a suspended state, in which case it acts just like a regular partition. If you choose to link your Windows account to your Microsoft account, then the suspension is removed, activating “real” BitLocker — which happens instantaneously since all of the encryption work had already been done. And then your Recovery Key is backed up into your Microsoft account. At least that’s the theory. I’ve seen threads elsewhere from people who couldn’t find their Recovery Key in their Microsoft account or finally did, but had no idea they should even have looked there because as you say, this whole process is silent, which I think is a huge mistake. If I were designing that UI, there would be a step where a page said, “Listen up, this is important. We’re about to encrypt your Windows partition to keep your data safe. Under normal conditions, you’ll just use your PC as you always would. But in some situations you may be asked for a Recovery Key. We’re backing it up to your Microsoft account to keep it safe, which you can access at this link. And if you want, click here to display it on-screen if you want to save it somewhere else too.” But that’s not what happens.

And for the record, this can happen on Windows 10 Home, which normally doesn’t include BitLocker, but on newer systems it’s available under the “Device encryption” moniker, and it’s only available for the Windows partition, not additional partitions, flash drives, etc.

Anyway, if the BitLocker is still suspended on the partition, then to my knowledge it would behave like any other partition. You’d certainly be able to see the contents, at any rate. I’m not sure if it would affect whether Reflect would perform a BitLocker Live or BitLocker Removal restore in various circumstances.
RandySea
Talented Member (118 reputation)
Group: Forum Members
Posts: 90, Visits: 217
jphughan - 19 June 2021 5:09 AM

And for the record, this can happen on Windows 10 Home, which normally doesn’t include BitLocker, but on newer systems it’s available under the “Device encryption” moniker, and it’s only available for the Windows partition, not additional partitions, flash drives, etc.

That is a useful tip. In all my searching to understand the silent Bitlocker issue, it's always referred to as applying only to Windows 10 Pro. Now I know I better check my friends' newer machines with Windows 10 Home.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
On Windows 10 Home, go to Start > Settings > Update & Security > Device encryption. If you don’t see “Device encryption” in the sidebar, then it’s not available on that particular system. There are some hardware requirements that I don’t remember. But I can’t remember if that interface differentiates between “encryption pre-staged but suspended” or “encryption completely disabled”. But if you’re comfortable with manage-bde, that is available even on Win10 Home as well, and “manage-bde -status” will definitely differentiate between those states. It can also be used to enable encryption on Win10 Home even if you do NOT link your Windows account to a Microsoft account.
Edited 19 June 2021 5:21 AM by jphughan
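An added worked example (editor's addition, not code from jphughan's posts or from Macrium) that ties together the two manage-bde points made in this thread: checking whether a volume is fully off, pre-staged but suspended, or actively protected, and then unlocking a locked volume from the Rescue media Command Prompt. The script assumes a hypothetical target volume of D: (first argument) and takes the 48-digit Recovery Key as a second argument; both are placeholders to replace with your own values. It only reads the states that manage-bde -status prints (Conversion Status, Protection Status, Lock Status) and only calls manage-bde -unlock when the volume reports Locked.

```batch
@echo off
REM Added example (not from this thread): inspect and, if needed, unlock a
REM BitLocker volume from a WinPE/Rescue Command Prompt using manage-bde.
REM Usage:  bdecheck.cmd [volume] [48-digit-recovery-key]
REM Assumptions (hypothetical): volume defaults to D:; the key is supplied
REM by the user and never stored on the rescue media.
setlocal EnableDelayedExpansion

set "VOL=%~1"
if "%VOL%"=="" set "VOL=D:"
set "RECOVERYKEY=%~2"
set "LOCK="

echo === Status of all BitLocker-capable volumes ===
manage-bde -status
echo.

REM The three fields that separate the states discussed above:
REM   Conversion Status: Fully Encrypted / Fully Decrypted / ...in Progress
REM   Protection Status: Protection On / Protection Off
REM       (Fully Encrypted + Protection Off = pre-staged but suspended;
REM        such a volume behaves like a plain partition and is never Locked)
REM   Lock Status:       Locked / Unlocked (only Locked needs an unlock)
for /f "tokens=1,* delims=:" %%A in ('manage-bde -status %VOL% ^| findstr /i /c:"Conversion Status" /c:"Protection Status" /c:"Lock Status"') do (
    set "FIELD=%%A"
    set "VALUE=%%B"
    set "FIELD=!FIELD: =!"
    set "VALUE=!VALUE:~1!"
    echo !FIELD! = !VALUE!
    if /i "!FIELD!"=="LockStatus" set "LOCK=!VALUE: =!"
)

if "%LOCK%"=="" (
    echo Could not read the BitLocker state of %VOL%.
    exit /b 1
)
if /i "%LOCK%"=="Unlocked" (
    echo %VOL% is already accessible; no unlock needed.
    exit /b 0
)
if "%RECOVERYKEY%"=="" (
    echo %VOL% is locked. Re-run with the 48-digit Recovery Key, e.g.
    echo    %~nx0 %VOL% 123456-123456-123456-123456-123456-123456-123456-123456
    exit /b 1
)

echo Unlocking %VOL% with the supplied Recovery Key...
manage-bde -unlock %VOL% -RecoveryPassword %RECOVERYKEY%
if errorlevel 1 (
    echo Unlock failed; check the key and that %VOL% is the intended volume.
    exit /b 1
)
REM Confirm the result before going back to Reflect's "Browse for a backup file"
manage-bde -status %VOL% | findstr /i /c:"Lock Status"
endlocal
```

Once the volume reports Unlocked, Reflect's file browser in the Rescue environment can read it for the rest of that session; the unlock is not persisted, so nothing about the key is written to the pendrive, which matches the non-automatic BitLocker option chosen in the opening post.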
RandySea
Talented Member (118 reputation)
Group: Forum Members
Posts: 90, Visits: 217
jphughan - 19 June 2021 5:20 AM
On Windows 10 Home, go to Start > Settings > Update & Security > Device encryption. If you don’t see “Device encryption” in the sidebar, then it’s not available on that particular system. There are some hardware requirements that I don’t remember. But I can’t remember if that interface differentiates between “encryption pre-staged but suspended” or “encryption completely disabled”. But if you’re comfortable with manage-bde, that is available even on Win10 Home as well, and “manage-bde -status” will definitely differentiate between those states. It can also be used to enable encryption on Win10 Home even if you do NOT link your Windows account to a Microsoft account.

On my main machine, my critical data files are encrypted with EFS with a mirrored copy in a Veracrypt file. Both are AES-256. I trust the security more than the default AES-128 bitlocker encryption, and I have no worries that at some point I won't be able to open a Bitlocker partition.

jphughan
Macrium Evangelist (15K reputation)
Group: Forum Members
Posts: 10K, Visits: 64K
EFS has far more horror stories than BitLocker.  If an admin resets another user's password, they can't access their own EFS files anymore, unless they created a data recovery certificate beforehand, still have it, and know how to use it -- and you can probably guess how any of those is the case.  BitLocker doesn't have that issue, and you just need to back up a simple Recovery Key that you can type when needed, without having to deal with certificates.  So I don't really see how you can worry about getting locked out of a BitLocker partition while still using EFS, where the chances of that happening are far greater.

BitLocker can be set up to use 256-bit encryption if you really think that's necessary, but 128-bit is still more than enough security unless maybe the NSA is out to get you with their supercomputers, and even then it would be a while.  And BitLocker of course protects everything on the partition rather than relying on you to remember to decide what's worth protecting.

I realize that you're replicating elsewhere, but having worked in IT for quite a while now, I am VASTLY more comfortable using BitLocker than I ever was with EFS.

Also, I'm pretty sure Reflect F&F backups can't back up EFS files, at least not when the backup is running as a scheduled backup under the SYSTEM account, since that account won't be able to read the EFS files encrypted under your user account.

Edited 19 June 2021 5:40 AM by jphughan