Unlock BitLocker under Windows PE

In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.

By Michael Pietroforte (MVP) - Wed, January 26, 2011 - 10 comments

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

A while back, I claimed that hard drives in business PCs should always be encrypted for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, by default this is not the case for Windows PE.

A disadvantage of hard drive encryption is that you can’t easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn’t boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?

One option is to boot up from your Windows PE rescue USB stick, unlock the BitLocker encrypted drive, retrieve the important data, and be a hero. Another option would be to look for another job, but we won’t pursue that solution here.

To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a common bootable Windows PE USB stick, your heroic deed will miserably fail with this error message:

ERROR: An error occurred (code 0x80040154):
Class not registered

Not nice if your impatient manager is looking over your shoulder, claiming that she has booked a business class flight that will not wait for her. To avoid this embarrassing situation, you’d better have a Windows PE rescue stick at hand where all Windows PE WMI classes have been installed.

To create a Windows PE installation that you can use to unlock BitLocker encrypted drives, you have to download the Windows AIK (WAIK) for Windows 7, install the WAIK, launch the Deployment Tools Command Prompt with admin privileges, and then follow this procedure:

Create a Windows PE WIM image to unlock BitLocker

If you prefer to boot Windows PE from a DVD or CD, you can create a bootable ISO file with this command:

Under Windows 7, you can create the bootable Windows PE DVD through the context menu of the ISO file. I have already explained in detail how to create a bootable Windows PE USB stick before, so I won’t repeat this procedure here.
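The build steps themselves are in the article's screenshots; as an added example (editor's script, not the author's), this is the standard WAIK for Windows 7 sequence that adds the WMI package the article calls for, plus WinPE-SecureStartup, which depends on WinPE-WMI and carries the BitLocker components manage-bde relies on. It assumes the default WAIK install path, an amd64 target and C:\winpe_amd64 as the working folder, all of which are placeholders you may change.

```batch
@echo off
REM Added example, not the article's own commands: build a Windows PE 3.0 ISO
REM with the WAIK for Windows 7 so that manage-bde works inside it.
REM Run from the Deployment Tools Command Prompt started as administrator.
REM Assumptions (placeholders): default WAIK path, amd64 target, work folder
REM C:\winpe_amd64 without spaces in the path (copype/oscdimg are picky).
setlocal
set "ARCH=amd64"
set "WORK=C:\winpe_amd64"
set "FPS=C:\Program Files\Windows AIK\Tools\PETools\%ARCH%\WinPE_FPs"

REM 1. Copy the base WinPE files (winpe.wim, ISO\ folder, etfsboot.com).
REM    copype.cmd refuses to run if the destination already exists.
if exist %WORK% (
    echo %WORK% already exists; remove it or pick another folder.
    exit /b 1
)
call copype.cmd %ARCH% %WORK% || exit /b 1

REM 2. Mount the image so packages can be added offline.
dism /Mount-Wim /WimFile:%WORK%\winpe.wim /Index:1 /MountDir:%WORK%\mount || exit /b 1

REM 3. Add WinPE-WMI (named in the article) and WinPE-SecureStartup (depends
REM    on WMI; provides the BitLocker components). Without them, manage-bde
REM    fails with "Class not registered".
for %%P in (winpe-wmi.cab winpe-securestartup.cab) do (
    dism /Image:%WORK%\mount /Add-Package /PackagePath:"%FPS%\%%P" || goto fail
)

REM 4. Commit the changes and use the updated image as the boot image.
dism /Unmount-Wim /MountDir:%WORK%\mount /Commit || exit /b 1
copy /y %WORK%\winpe.wim %WORK%\ISO\sources\boot.wim >nul || exit /b 1

REM 5. Produce the bootable ISO; burn it via the ISO file's context menu.
oscdimg -n -b%WORK%\etfsboot.com %WORK%\ISO %WORK%\winpe_%ARCH%.iso || exit /b 1
echo Done: %WORK%\winpe_%ARCH%.iso
exit /b 0

:fail
echo Package install failed; discarding the mounted image.
dism /Unmount-Wim /MountDir:%WORK%\mount /Discard
exit /b 1
```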

Unlock BitLocker with manage-bde

Once you have booted up Windows PE, you can unlock the BitLocker encrypted system drive with this command:

Unlock BitLocker Windows PE

I assume here that you have stored all BitLocker recovery keys either in Active Directory or at another safe place. Of course, without a recovery key, you can’t access a BitLocker encrypted drive from a second Windows installation. After all, that is the point of encrypting hard drives.

Unlock BitLocker Windows PE - Recovery Key

Tip: Copy the recovery key file to your USB stick before you boot up. Then you can open the recovery key file with Notepad and paste the key on the command line.

Manage-bde also has the recoverykey parameter, which is supposed to allow you to read the recovery key file from a drive:

However, when I tried this option I only got this error message:

ERROR: An error occurred while attempting to read the key from disk.

I got the same error message under Windows 7, so I somehow think there is a bug involved because the recovery key worked fine. Please let me know if this option worked for you.
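The tip above (copy the recovery key text file to the stick, then paste the 48-digit password) can be scripted so that the paste step goes away. As an added example (editor's script, not the author's), this batch file extracts the numerical password from the text file and hands it to manage-bde -unlock with -RecoveryPassword (alias -rp), which takes the digits directly; -RecoveryKey expects an external key (.BEK) file, which is why pointing it at the .txt file reads the key "from disk" and fails. The volume letter and key file path are placeholders passed as arguments.

```batch
@echo off
REM Added example, not from the article: unlock a BitLocker volume from a
REM Windows PE 3.0 prompt using the 48-digit recovery password.
REM Assumptions (placeholders):
REM   %1 = volume to unlock, default C:
REM   %2 = path to the "BitLocker Recovery Key ....txt" file copied to the
REM        USB stick before booting; if omitted, the password is typed in.
setlocal
set "VOL=%~1"
if "%VOL%"=="" set "VOL=C:"
set "KEYFILE=%~2"
set "RP="

if not "%KEYFILE%"=="" (
    REM The recovery text file is Unicode; "type" converts it for the console.
    REM The password is the only line that starts with six digits and a dash.
    for /f "delims=" %%L in ('type "%KEYFILE%" ^| findstr /R "^[0-9][0-9][0-9][0-9][0-9][0-9]-"') do set "RP=%%L"
)
if "%RP%"=="" set /p "RP=Enter the 48-digit recovery password: "

REM Normalise: drop stray spaces, then require 8 groups x 6 digits plus
REM 7 dashes = exactly 55 characters before calling manage-bde.
set "RP=%RP: =%"
if not "%RP:~55%"=="" goto badkey
if "%RP:~54,1%"=="" goto badkey

REM "Class not registered" here means the WinPE image lacks the WMI and
REM SecureStartup packages, not that the password is wrong.
manage-bde -unlock %VOL% -RecoveryPassword %RP%
if errorlevel 1 (
    echo Unlock of %VOL% failed. Compare the "Recovery key identification"
    echo in the text file with the protector IDs from:
    echo     manage-bde -protectors -get %VOL%
    exit /b 1
)
manage-bde -status %VOL%
exit /b 0

:badkey
echo Recovery password must be 48 digits in 8 groups of 6 (nnnnnn-nnnnnn-...).
exit /b 2
```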


10 Comments

  1. kantzy says:

    As mentioned, the 48-digit RecoveryKey works, but I am wondering if it is possible to unlock the drive using the PIN which prompts when the system boots.
    I am getting an error when I try unlocking using the PIN.

    “ERROR: An error occurred while attempting to read the key from disk.” – should the file be with a .BEK extension?
    Source: http://msmvps.com/blogs/erikr/archive/2008/04/20/bitlocker-and-winpe.aspx

  2. Yeah, I also wondered if the BEK extension has something to do with the problem, but there is no way to create BEK files in Windows 7. I think BEK was for Vista. I didn’t see a switch in manage-bde that allows you to use the PIN.

  3. CypherBit says:

    I’m having some problems with this. When I execute: manage-bde -unlock c: -recoverykey

    I get:

    ERROR: An error occurred (code 0x80070424):
    The specified service does not exist as an installed service

    Any ideas? WMI is added.

  4. CypherBit says:

    I built another one and it works now. The problem was I was copying over an older SYSTEM HIVE (needed it when implementing PointSec).

  5. Robert says:

    I am also getting the
    ERROR: An error occurred while attempting to read the key from disk.
    when trying to make a batch file that sits on the desktop that I can just double-click when the drive is in the computer. I have tried renaming the file, moving the file and about 15 other things that didn’t work… Would there be an architecture-related error since I have 64 bit? I have run into problems like this before with WAIK architecture issues. No luck though; too bad there is not a lot of information out there about it.

  6. Jason says:

    Michael, thank you for this article. I recently ran into an issue in accessing my Bitlocker encrypted drive and after a lot of frustration with the disk-read error I found your post – this has saved me hours of head scratching. Thank you thank you!

  7. Tung says:

    Hi,

    I have created a bootable USB. And WinPE is working, but when I type manage-bde -unlock c: -recoverypassword it just opens the manage-bde.wfs file. Need help please… I have the recovery code.

  8. Ryan Prosser says:

    I was able to do this via the following:
    manage-bde -unlock D: -rp XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
    It then stated “The password successfully unlocked volume D:”
    The X’s represent the password that was in the “BitLocker Recovery Key…..txt” file

  9. khan says:

    Thanks for the great info.

    I would like to know if the same procedure applies to Winpe_64. I am actually trying to make WinPE for 64 bit architecture.

  10. Mike says:

    Would it be possible to create an MDT Task to do this?
    My client uses Bitlocker for all computers and to do a Refresh using Winpe (format and repartition)
    I have a task to do an offline USMT and would need to disable bitlocker to get the data before wiping the drive
