Rescue media for BitLocker
Abelar
Junior Member (65 reputation)
Group: Forum Members
Posts: 28, Visits: 32
I created rescue media (USB stick and DVD) with Macrium Reflect Home, but I can't boot from either one of them; all attempts get redirected to normal boot. For example, from the blue-white 'Choose an operating system' screen > Change defaults or choose other options > Choose other options > Use a device > DVD > and after some whrr whrr whrr > the blue-white 'Choose an operating system' screen appears again.

Rescue Media Settings are as follows:
Windows RE 10 version 2004 (64-Bit)
Macrium Reflect Home (64-Bit) v8.0.6979
Status OK
WIM Settings are as follows:
Architecture x64
BitLocker Support Y
BitLocker Auto Unlock Y (I tried N too)
The rest of the WIM settings are all N

This is for my Windows 10 Pro computer. I use BitLocker with 'Require additional authentication at startup', i.e. I need to plug in a USB stick with the BitLocker key to start up the computer. I wonder if this BitLocker configuration is covered by Macrium Reflect Home, and if so, how do I boot from the rescue media?

(I do plug in the USB stick with the BitLocker key when trying to boot from the rescue media)
Edited 20 September 2022 9:15 AM by Abelar
jphughan
Macrium Evangelist (21K reputation)
Group: Forum Members
Posts: 13K, Visits: 79K
Do not rely on the blue Windows Boot Manager screen to boot from a separate device. By the time you see that blue screen, you’ve already booted from your hard drive, which means that if your hard drive is ever wiped out or replaced with a currently blank drive after a failure of some kind, then you won’t have that blue screen at that point — and therefore if that’s the only method you know for booting from another device, you won’t be able to do that.

Almost every system has a key that can be pressed early in the boot process — at the same time that you can enter the BIOS Setup — that will invoke a one-time boot menu. This will present you with a system-level menu to choose to override the normal boot order and instead boot from somewhere else, like a flash drive or disc. This menu has no dependency on anything existing on your hard drive. Find out how to do that on your system.

You do NOT need your BitLocker USB key in this scenario. That only applies when actually booting into Windows. When booting to Rescue, if you chose to embed auto-unlock keys into your Rescue Media and it contains a valid key for that Windows partition, then it will be unlocked when Rescue starts. If either of those conditions is not met, then it will be locked and you can open Command Prompt from the taskbar and use the manage-bde command to unlock it using its 48-digit Recovery Key. Either way, the USB key serves no purpose in the Rescue Media scenario.
Edited 20 September 2022 1:39 PM by jphughan
Abelar
Junior Member (65 reputation)
Group: Forum Members
Posts: 28, Visits: 32
I can boot from the rescue media (USB stick and DVD) using the Fn key (F12 in my case) to change the boot sequence, but I am shocked about BitLocker support and especially about BitLocker Auto Unlock with regard to security.

I have trashed my rescue media. I will do any necessary restores from within Windows only, and if things are so bad that I can't boot then I will rebuild the machine from bare metal.

(Lucky me, in all my decades of computing, I have never had a non-booting computer.)

I wonder if there is anybody else here who came to the same or similar conclusion.
jphughan
Macrium Evangelist (21K reputation)
Group: Forum Members
Posts: 13K, Visits: 79K
I’m not sure what specific aspect of BitLocker and auto-unlock shocks you. If it’s auto-unlock, that is an optional capability, just like BitLocker within Windows offers an auto-unlock for volumes other than the Windows volume itself. I have a laptop that has a Data partition on its internal SSD and an external drive that is frequently connected. I have enabled auto-unlock within Windows on both of those partitions so that when those partitions are accessed by my specific laptop, they auto-unlock. With respect to Rescue Media, if you choose to build Rescue Media with auto-unlock enabled, then understand that your Rescue Media contains sensitive data and you should therefore treat it like any other physical item in your life that contains sensitive data and/or grants access to something important to you. If the idea of Rescue Media that contains auto-unlock files makes you uncomfortable, then disable that option in Rescue Media Builder and then unlock BitLocker partitions in the Rescue environment manually by using manage-bde and providing the necessary passwords/Recovery Keys, which is what I do. But there's no way for the Rescue Media environment to use unlock methods that involve the TPM, like the TPM+USB setup you're using. Full Windows environments can do that, but that capability simply isn’t available from within the Windows PE/RE environment that Rescue Media builds on.

If you were shocked that your USB key isn’t needed in Rescue, then there may be some gaps in your understanding of how BitLocker works. Any volume that has BitLocker enabled can have multiple “protectors”. Think of protectors like multiple locks on a chain, but when you have multiple protectors, you only need to unlock ONE of them in order to release the chain (i.e. unlock the data), not ALL of them. By default, a Windows partition where BitLocker protection is enabled uses a TPM protector, and then there is a completely separate Recovery Key protector that is meant to be used if you ever need to access that volume from another system, or if your TPM gets cleared, or your motherboard gets replaced, etc. Otherwise, if you only had a TPM protector and something happened to that laptop/TPM, then your data would be locked with no way for you to access it. If you’re using a USB key, then you have configured BitLocker to replace the default TPM protector with a TPM+USB protector, which means that in order to unlock the volume with that protector, you need BOTH the TPM and that USB key. But you still have a completely separate Recovery Key protector that can be used to unlock the volume as well, and once again, that is useful to avoid getting permanently locked out of your data if something happens to your laptop/TPM. It is also possible to configure a USB-only protector on systems that don’t have TPMs or for volumes other than the Windows partition. In those cases, the USB key has a BEK file stored on it, and that file is similar to a Recovery Key in that it is capable of unlocking the volume on its own. That is called an “External Key” protector. If you ever want to see what protectors are set up on a given volume, run the command “manage-bde -protectors -get C:”, replacing C with whatever volume you want to see information about. If you see any External Key protectors, then those may have been created by Rescue Media Builder when it was building auto-unlock media. Or they may have been created by Windows if you enabled auto-unlock within Windows. (In that case, the BEK files corresponding to those protectors on the non-Windows volumes would be stored on the Windows volume, which is required to have BitLocker enabled before you can use auto-unlock for other volumes.) If you no longer need some of those protectors on those volumes to be valid, then you can use manage-bde to delete whichever protectors you want to delete. But if all of the places that have the KEY to those protectors have already been destroyed, then they won’t serve a purpose anyhow.

I don’t really understand your decision to rebuild from bare metal if you can’t boot your system. You can still make image backups of your Windows partition and choose to enable Reflect’s image backup file encryption if you need the backups themselves to be protected. And you can disable the auto-unlock option in Rescue Media Builder in order to create Rescue Media that does NOT contain any auto-unlock keys. From there, you can boot your system from that Rescue Media, unlock any necessary partitions manually using manage-bde and appropriate passwords/Recovery Keys, and then restore backups if you ever need to do that.
Edited 23 September 2022 11:45 PM by jphughan
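The protector audit described in the reply above, as an added PowerShell example (not code from the thread or from Macrium): it lists every protector on a volume, flags External Key protectors of the kind auto-unlock Rescue Media or Windows auto-unlock leaves behind, and only deletes them when explicitly asked and a Recovery Password protector still exists. It assumes an elevated prompt on full Windows with the built-in BitLocker module (Get-BitLockerVolume, Remove-BitLockerKeyProtector); in the Rescue/WinPE environment only manage-bde is available, so the equivalent manage-bde command is noted in a comment.

```powershell
# Added example: audit BitLocker protectors on one volume and optionally remove
# leftover External Key protectors (each one can unlock the volume by itself).
param(
    [string]$MountPoint = "C:",
    [switch]$RemoveExternalKeys   # nothing is deleted unless this is given
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
Write-Host ("Volume {0}: status={1}, protection={2}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)

# Same information as "manage-bde -protectors -get C:"; one protector is enough
# to unlock, so every entry matters.
foreach ($p in $vol.KeyProtector) {
    Write-Host ("  {0,-20} {1}  autoUnlock={2}" -f `
        $p.KeyProtectorType, $p.KeyProtectorId, $p.AutoUnlockProtector)
}

$external = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recovery.Count -eq 0) {
    Write-Warning "No Recovery Password protector on $MountPoint; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) before removing anything."
}

if ($external.Count -eq 0) {
    Write-Host "No External Key protectors found on $MountPoint."
    return
}
Write-Host ("{0} External Key protector(s) found; a matching .BEK file unlocks this volume on its own." -f $external.Count)

if (-not $RemoveExternalKeys) {
    Write-Host "Re-run with -RemoveExternalKeys to delete them; TPM/TPM+StartupKey and Recovery Password protectors are kept."
    return
}
if ($recovery.Count -eq 0) {
    throw "Refusing to remove protectors while no Recovery Password protector exists."
}

foreach ($p in $external) {
    # Equivalent manage-bde form: manage-bde -protectors -delete $MountPoint -id $p.KeyProtectorId
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host ("Removed External Key protector {0}" -f $p.KeyProtectorId)
}
```

Run it once without -RemoveExternalKeys to see what is there; an External Key protector whose .BEK file has already been destroyed with the media is harmless but can still be removed for tidiness.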
Abelar
Junior Member (65 reputation)
Group: Forum Members
Posts: 28, Visits: 32
Thanks @jphughan for posting things that I did not know about! I truly appreciate the additional knowledge that you provided <thumbs up emoji>

1) Nonetheless, I don't want to complicate BitLocker key management from securely managing the 2 sets of BitLocker keys (startup key and recovery key) to securely managing those sets plus an additional set (the Macrium rescue set).

2) What I meant by rebuilding the machine from bare metal is to begin with a clean install of Windows. If I can't even do that, then I'd have no confidence in the hardware/firmware and I'd simply buy a new machine (as I said earlier, that has never happened to me in decades).

In the trade-off, I'd rather incur 2) than 1).