In this guide, I'll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you'll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore.

Backup with wbadmin

With wbadmin.exe, Windows clients have a built-in command line tool to create system images.

Creating a backup with Wbadmin

Creating a backup with Wbadmin

You can back up to a USB drive or a network location. You can also use the built-in task scheduler to schedule backups that work with the system account as executor.

Restore with wbadmin

If the system you are trying to restore from backup still boots, press Shift while clicking Restart. Then, at the next boot, select:

Troubleshoot > Advanced options > Show more recovery options > System image recovery

If the system does not boot and the recovery environment is unavailable, you will need to boot from a USB setup drive and select Repair my computer to get to system image recovery.

For this article, let us assume that the backup is on a local drive. After choosing System image recovery, the process starts with this screen:

Beginning the restore process

Beginning the restore process

Restore a BitLocker-encrypted drive

If the system is encrypted with BitLocker, you'll receive this message when you restore the system image:

System Image Recovery

Enter the recovery key to get going again (Keyboard Layout: US)

Recovery key request after restoring a BitLocker encrypted system drive

Recovery key request after restoring a BitLocker encrypted system drive

After entering the recovery key, the restore process proceeds normally. At the end, you'll receive the message that the restored drives are not encrypted.

The restored drives are not encrypted

The restored drives are not encrypted

When the system boots up, you'll have to re-encrypt. The problem with this procedure is that re-encryption takes time. In addition, the protectors, such as the user startup PIN, need to be configured again and securely shared with the user. Can't we avoid this?

It turns out we can, using the third-party tool Snapshot. Download the trial as x64 version, select Backup disk to file, and while BitLocker is active, select all partitions of C:.

Selecting the volumes for a backup with Snapshot

Selecting the volumes for a backup with Snapshot

As the destination file, select your backup path E:, followed by $disk.sna, as shown in the following screenshot:

Creating an image with Drive Snapshot 2 of 2

Creating an image with Drive Snapshot 2 of 2

To restore the image when your Windows is still running, you won't need boot media; just select "Restore disk from file." Or, if you want to simulate disaster recovery, boot Windows setup from a USB stick that holds snapshot.exe (x64) in its root folder, and press Shift F10 for a command line. There, mount the encrypted drive using the recovery key before you call snapshot.exe, as in D:\snapshot.exe, and restore.

Bare metal restore with Snapshot

Bare metal restore with Snapshot

A short time later, Snapshot has restored the image, Windows boots, and C: is still encrypted.

Lessons learned

System restores only occur occasionally. If you only recently began to BitLocker-encrypt your system, please make sure to test the restore process.

Some backup programs are able to write to an encrypted disk, allowing you to skip the step of re-encrypting. Make sure to verify this with your own backup solution, as it can save you lots of time.

Isn't it amazing that the built-in Windows backup tool is unable to create encrypted restores, whereas this tiny third-party backup program with only 500 KB in size has mastered this task with ease?


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account