Macrium Support Forum

Rescue environment: Enhanced BitLocker functionality

By jphughan - 16 November 2016 3:58 AM

I would like to request two enhancements to the BitLocker capabilities of the Rescue environment:

1. Allow target volumes protected by BitLocker to be unlocked by entering a Recovery Key into a GUI prompt rather than only by allowing the Rescue media to auto-unlock them (creating a potential security risk) or by requiring a USB "unlock" flash drive that would need to be available during restore and stored securely in the interim. Since I document my Recovery Keys (as I suspect others do as well), it would be handy if that were all that were required to unlock a target disk, especially since documents are much less prone to hardware failure than USB flash drives.

2. Add support for unlocking BitLocker To Go disks in the Rescue environment. My initial implementation strategy had been to use BitLocker To Go to encrypt the backup TARGETS. I'm aware that Reflect includes its own encryption support, but using BitLocker To Go would have allowed me to store other data on these disks as well without having to give up some flexibility by partitioning the target disk. For example, Reflect does not support capturing System State backups, which can sometimes be handy to restore without performing a full OS image restore, especially on AD domain controllers. Windows Server Backup can create a System State backup, but it does not natively support encrypting its backups, hence my original plan to use BitLocker To Go to protect both those backups and the Reflect backups.

By Stephen - 16 November 2016 11:24 AM

Thanks for posting.

I have updated the feature request for the above that you submitted via ticket a while ago. The development team will evaluate the request.

By jphughan - 6 April 2017 2:19 AM

Just updating this in light of a discovery I just made. It seems at some point, manage-bde became available in default WinPE images. A while back, it threw an error message caused by some packages not being included in the default WIM file, the fix for which was some manual work to generate a custom Boot.wim, but I've just tested Win10 1607, Win8.1, and even a "Win7 with June 2016 Convenience Update" official ISO, and all of their WinPE environments now have a fully functional manage-bde command. It also works with my Reflect Rescue Media created with the latest release of V6 based on Win10 1607. This isn't QUITE as convenient as having a full GUI interface for unlocking disks would be, but it's all I need since I'm quite comfortable with CLIs and I can now unlock BitLocker disks using either a Recovery Key or (in the case of BitLocker To Go disks where my backups might be stored) a password, rather than having to grab BEK files and store them on a flash drive beforehand.

Macrium, even if you don't end up implementing a GUI for unlocking BitLocker disks using Recovery Keys or passwords, the availability of manage-bde might be helpful to note in the KB article you already have for supporting BitLocker in the Rescue environment. The icing on the cake is that manage-bde actually has very comprehensive help documentation if you add "-?" to the end of a command that you're still working on in order to determine the syntax of whatever needs to come next.
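As an added example (not from the post above or from Macrium's own documentation), here is a small PowerShell wrapper around the manage-bde unlock flow the post describes: a 48-digit Recovery Key for a locked target volume, or an interactive password prompt for a BitLocker To Go backup drive, followed by a status check. It assumes PowerShell is available in the rescue environment and that manage-bde.exe is on the PATH.

```powershell
# Added example: unlock a BitLocker volume from WinPE with manage-bde and verify the result.
# Assumes PowerShell is present in the rescue environment and manage-bde.exe is on PATH.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,
    [ValidateSet('RecoveryPassword', 'Password')][string]$Method = 'RecoveryPassword'
)

function Get-BdeLockStatus {
    param([string]$Drive)
    # manage-bde -status prints a "Lock Status:" line; parse it instead of trusting exit codes.
    $out = & manage-bde.exe -status $Drive 2>&1
    $line = $out | Where-Object { "$_" -match 'Lock Status:\s*(\w+)' } | Select-Object -First 1
    if ("$line" -match 'Lock Status:\s*(\w+)') { return $Matches[1] }   # "Locked" or "Unlocked"
    throw "Could not read BitLocker status for $Drive (is manage-bde available in this WinPE?)"
}

if ((Get-BdeLockStatus $Drive) -eq 'Unlocked') {
    Write-Host "$Drive is already unlocked."
    return
}

switch ($Method) {
    'RecoveryPassword' {
        # The Recovery Key documented when BitLocker was enabled: 8 groups of 6 digits.
        $rp = (Read-Host "Enter the 48-digit Recovery Key for $Drive") -replace '\s', ''
        if ($rp -notmatch '^(\d{6}-){7}\d{6}$') {
            throw 'Recovery Key must be 8 groups of 6 digits separated by dashes.'
        }
        & manage-bde.exe -unlock $Drive -RecoveryPassword $rp
    }
    'Password' {
        # BitLocker To Go (password protector): -Password makes manage-bde prompt for the
        # password itself, so the secret never appears on the command line.
        & manage-bde.exe -unlock $Drive -Password
    }
}

if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed for $Drive (exit code $LASTEXITCODE)" }

Write-Host "$Drive lock status: $(Get-BdeLockStatus $Drive)"
# Once the restore or backup is finished, re-lock the volume so it is not left open
# for the rest of the rescue session:  manage-bde -lock $Drive -ForceDismount
```

Run it as `.\Unlock-BdeVolume.ps1 -Drive D:` for a Recovery Key, or with `-Method Password` for a BitLocker To Go drive; the script name is hypothetical.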