How to add Bitlocker features to the rescue boot environment


dyhs
Proficient Member (267 reputation)
Group: Forum Members
Posts: 164, Visits: 640
After having read this kb article http://kb.macrium.com/KnowledgebaseArticle50140.aspx
I still am not entirely clear.
I downloaded Windows ADK for Windows 10, version 1703: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
Should I just install WinPE or other tools too?
Besides, where do I get the cab files containing the Enhanced Storage functionality and WMI Storage management components from?
Thanks.
Nick
Macrium Representative (2.8K reputation)
Group: Administrators
Posts: 1.6K, Visits: 8.8K
Hi 

That article is for Macrium Reflect v5 and is out of date. 

Please see here for v6 and v7: http://knowledgebase.macrium.com/display/KNOW7/Adding+BitLocker+support+to+Windows+PE

Kind Regards

Nick - Macrium Support

Edited 27 June 2017 9:15 PM by Nick
jphughan
Macrium Evangelist (5.3K reputation)
Group: Forum Members
Posts: 3.6K, Visits: 27K
In addition to the new KB Nick posted, I personally wasn't comfortable with storing auto-unlock keys on Rescue Media for a variety of reasons, but I found that the "manage-bde" command is available in WinPE, so if you're comfortable working with Command Prompt, that gives you everything you need to manage BitLocker volumes inside Rescue Media without needing to store any keys for anything, though in that case you'll need to supply the 48-digit Recovery Key for any system volumes you wish to unlock within Rescue.  Manage-bde also allows you to manage BitLocker To Go volumes (using their normal password or Recovery Key) the auto-unlock keys for which the Rescue Media wizard might never have stored anyway even with that option checked.  Finally, it even helps you get the correct syntax for what you want to do because you can start with "manage-bde -?" to see the initial commands available, then enter "manage-bde [first command] -?" to see valid input after that first command, and so on.

@Nick, I suggested this in my own Wish List thread about Enhanced BitLocker functionality in Rescue, but the availability of the manage-bde command might be worth noting somewhere in that KB article as an alternative means of working with BitLocker volumes in their unlocked state for users who are comfortable with Command Prompt but aren't comfortable storing auto-unlock keys and/or might want to store backups on BitLocker To Go volumes.

Edited 27 June 2017 10:19 PM by jphughan
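
The manage-bde workflow described in the post above, written out as a batch script for the WinPE Command Prompt. This is an added example, not part of the original thread or of Macrium's documentation; the script name and drive letters are hypothetical, and only the standard manage-bde switches -status, -protectors -get, -unlock, -RecoveryPassword, -Password and -lock are used.

```bat
@echo off
rem Added example (not from the thread): unlock a BitLocker volume from the
rem WinPE Command Prompt with no key stored on the Rescue Media.
rem Hypothetical usage:  unlock-bde.cmd D:        (48-digit Recovery Key)
rem                      unlock-bde.cmd E: pw     (BitLocker To Go password)
setlocal
set "VOL=%~1"
set "MODE=%~2"
if "%VOL%"=="" goto usage

rem Current state: encryption method, conversion status, lock status.
manage-bde -status %VOL%
if not "%ERRORLEVEL%"=="0" goto fail

rem List key protectors; the Numerical Password ID shown here tells you
rem which saved Recovery Key belongs to this volume.
manage-bde -protectors -get %VOL%

if /i "%MODE%"=="pw" goto password

rem Recovery Key path: typed at the prompt, never written to the media.
set /p "RK=Recovery Key, 8 groups of 6 digits separated by dashes: "
manage-bde -unlock %VOL% -RecoveryPassword %RK%
set "RC=%ERRORLEVEL%"
set "RK="
goto check

:password
rem manage-bde prompts for the password itself, so it is not echoed.
manage-bde -unlock %VOL% -Password
set "RC=%ERRORLEVEL%"

:check
if not "%RC%"=="0" goto fail
manage-bde -status %VOL%
echo Unlocked. Click Refresh in Reflect, then re-lock when done with:
echo   manage-bde -lock %VOL%
exit /b 0

:usage
echo Usage: %~nx0 drive: [pw]
exit /b 1

:fail
echo manage-bde reported an error for %VOL%.
exit /b 1
```
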
dyhs
Proficient Member (267 reputation)
Group: Forum Members
Posts: 164, Visits: 640
Thank you Nick. The v.6/7 feature is cool, much safer!

One more question: can MR deal in a similar way with Veracrypt encryption?

@jphughan
Good to know the manage-bde command works too. Thanks!
jphughan
Macrium Evangelist (5.3K reputation)
Group: Forum Members
Posts: 3.6K, Visits: 27K
Reflect doesn't have any native support for VeraCrypt; in fact, even the BitLocker support comes courtesy of an official Microsoft package that the Rescue Media wizard simply adds to the WinPE build when that option is selected (plus auto-unlock keys if selected), as opposed to something Macrium built in-house. However, this video shows VeraCrypt running in some sort of environment based on WinPE 3.1 (Win7 kernel). It looks like it's just VeraCrypt running in Portable Mode, as documented here. If so, you could simply keep a VeraCrypt Portable folder on your Rescue Media flash drive and then run it either via Command Prompt or Reflect's File Explorer (assuming that supports launching EXEs, which I've never tried), and then you should be able to decrypt VeraCrypt volumes, at which point Reflect operations should work as normal. If you test this, definitely report back since this might be useful to others.


Note however that as far as I know, VeraCrypt does not support encrypting GPT disks that are used for UEFI booting.
Edited 28 June 2017 5:59 AM by jphughan
dyhs
Proficient Member (267 reputation)
Group: Forum Members
Posts: 164, Visits: 640
@jphughan

Thank you for the hints!

Reporting back!  
I tried with an external USB HDD (MBR, a VC encrypted non-system partition), booting from MR 6.3 rescue environment (PE10).

The good news.
VeraCrypt-x64.exe does run in WinPE.
MR Explorer does see the decrypted volume as presented by VC.
Therefore, a File and folder backup could be done (I haven't actually tried this last step).

The not-so-good news.
Even after a refresh, MR Imaging still sees an unformatted partition.



Edited 28 June 2017 10:06 AM by dyhs
Nick
Macrium Representative (2.8K reputation)
Group: Administrators
Posts: 1.6K, Visits: 8.8K
Click the 'Refresh' link in the backup tab to re-load the disks after decryption. 

https://forum.macrium.com/uploads/images/b0ee967e-5310-408e-937c-c2cc.png

If you've already done this and still can't see the disk/volume then I'm afraid it isn't supported. Reflect is reading at disk level and this is underneath the VeraCrypt driver.

The only volume-level encryption supported for imaging is BitLocker. There's specialisation in Reflect to detect BitLocker encryption when reading the disk and then read above the BitLocker driver at volume level. Full Disk encryption is supported for VeraCrypt/TrueCrypt but I believe Full Disk encryption is only available on system disks for these products.

Kind Regards

Nick - Macrium Support

Edited 28 June 2017 10:36 AM by Nick
dyhs
Proficient Member (267 reputation)
Group: Forum Members
Posts: 164, Visits: 640
Yes, I did click Refresh, but the VC encrypted partition is still seen as Unformatted. Same in Windows Disk Management, which sees it as Raw.
However, like I said, a File and folder backup seems possible, running VC as a portable app in WinPE.
Edited 28 June 2017 10:39 AM by dyhs