Macrium Support Forum

How to add Bitlocker features to the rescue boot environment

By dyhs - 27 June 2017 9:08 PM

After having read this kb article
I still am not entirely clear.
I downloaded 

Windows ADK for Windows 10, version 1703
Should I just install WinPE or other tools too?
Besides, where do I get  the cab files containing the Enhanced Storage functionality and WMI Storage management components from?
By Nick - 27 June 2017 9:11 PM


That article is for Macrium Reflect v5 and is out of date. 

Please see here for v6 and v7:
By jphughan - 27 June 2017 10:01 PM

In addition to the new KB Nick posted, I personally wasn't comfortable with storing auto-unlock keys on Rescue Media for a variety of reasons, but I found that the "manage-bde" command is available in WinPE, so if you're comfortable working with Command Prompt, that gives you everything you need to manage BitLocker volumes inside Rescue Media without needing to store any keys for anything, though in that case you'll need to supply the 48-digit Recovery Key for any system volumes you wish to unlock within Rescue.  Manage-bde also allows you to manage BitLocker To Go volumes (using their normal password or Recovery Key) the auto-unlock keys for which the Rescue Media wizard might never have stored anyway even with that option checked.  Finally, it even helps you get the correct syntax for what you want to do because you can start with "manage-bde -?" to see the initial commands available, then enter "manage-bde [first command] -?" to see valid input after that first command, and so on.

@Nick, I suggested this in my own Wish List thread about Enhanced BitLocker functionality in Rescue, but the availability of the manage-bde command might be worth noting somewhere in that KB article as an alternative means of working with BitLocker volumes in their unlocked state for users who are comfortable with Command Prompt but aren't comfortable storing auto-unlock keys and/or might want to store backups on BitLocker To Go volumes.
By dyhs - 28 June 2017 1:14 AM

Thank you Nick. The v.6/7 feature is cool, much safer!

One more question: can MR deal in a similar way with Veracrypt encryption?

Good to know the manage-bde command works too. Thanks!
By jphughan - 28 June 2017 3:33 AM

Reflect doesn't have any native support for VeraCrypt, in fact even the BitLocker support comes courtesy of an official Microsoft package that the Rescue Media wizard simply adds to the WinPE build when that option is selected (plus auto-unlock keys if selected), as opposed to something Macrium built in-house. However, this video shows VeraCrypt running in some sort of environment based on WinPE 3.1 (Win7 kernel).  It looks like it's just VeraCrypt running in Portable Mode, as documented here.  If so, you could simply keep a VeraCrypt Portable folder on your Rescue Media flash drive and then run it either via Command Prompt or Reflect's File Explorer (assuming that supports launching EXEs, which I've never tried), and then you should be able to decrypt VeraCrypt volumes, at which point Reflect operations should work as normal.  If you test this, definitely report back since this might be useful to others. Smile

Note however that as far as I know, VeraCrypt does not support encrypting GPT disks that are used for UEFI booting.
By dyhs - 28 June 2017 10:02 AM


Thank you for the hints!

Reporting back!  
I tried with an external USB HDD (MBR, a VC encrypted non-system partition), booting from MR 6.3 rescue environment (PE10).

The good news.
VeraCrypt-x64.exe does run in WinPE.
MR Explorer does see the decrypted volume as presented by VC.
Therefore, a File and folder backup could be done (I haven't actually tried this last step).

The not-so-good news.
Even after a refresh, MR Imaging still sees an unformatted partition.

By Nick - 28 June 2017 10:13 AM

Click the 'Refresh' link in the backup tab to re-load the disks after decryption.

If you've already done this and still can't see the disk/volume then I'm afraid it isn't supported. Reflect is reading at disk level and this underneath the VeraCrypt driver. 

The only volume level encryption supported for imaging is BitLocker. There's specialisation in Reflect to detect BitLocker encryption when reading the disk and then read above the BitLocker driver at volume level.  Full Disk encryption is supported for VeraCrypt/TrueCrypt but, I believe Full Disk encryption is only available on system disks for these products.  
By dyhs - 28 June 2017 10:36 AM

Yes, I did click Refresh, but the VC encrypted partition is still seen as Unformatted. Same in Windows Disk Management, which sees it as Raw.
However, like I said, a File and folder backup seems possible, running VC as a portable app in WinPE.