Unlock BitLocker under Windows PE

In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.

A while back, I claimed that hard drives in business PCs should always be encrypted, for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, that integration is missing from Windows PE by default.

A disadvantage of hard drive encryption is that you can't easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn't boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?

One option is to boot up from your Windows PE rescue USB stick, unlock the BitLocker encrypted drive, retrieve the important data, and be a hero. Another option would be to look for another job, but we won't pursue that solution here.

To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a common bootable Windows PE USB stick, your heroic deed will miserably fail with this error message:

ERROR: An error occurred (code 0x80040154):
Class not registered

Not nice if your impatient manager is looking over your shoulder, claiming that she has booked a business class flight that will not wait for her. To avoid this embarrassing situation, you'd better have a Windows PE rescue stick at hand to which the optional Windows PE WMI package (WinPE-WMI) has been added; the 0x80040154 error means that the WMI classes manage-bde relies on are not registered in the default image.

To create a Windows PE installation that you can use to unlock BitLocker encrypted drives, you have to download the Windows AIK (WAIK) for Windows 7, install the WAIK, launch the Deployment Tools Command Prompt with admin privileges, and then follow this procedure:

Create a Windows PE WIM image to unlock BitLocker

If you prefer to boot Windows PE from a DVD or CD, you can create a bootable ISO file with this command:

Under Windows 7, you can create the bootable Windows PE DVD through the context menu of the ISO file. I have already explained in detail how to create a bootable Windows PE USB stick before, so I won't repeat this procedure here.
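
The procedure above carried out end to end, as an added example and not the author's original listing: a batch file for the Deployment Tools Command Prompt that stages the Windows PE 3.0 build folder with copype.cmd, adds the WinPE-WMI package (and its English language pack) to winpe.wim with DISM, checks that the package is actually present before committing, copies the image to ISO\sources\boot.wim, and builds a bootable ISO with oscdimg. The WAIK install path, the x86 architecture and the C:\winpe_x86 working folder are assumptions; set ARCH to amd64 for a 64-bit image.

```batch
@echo off
setlocal
rem Added example, not the article's listing: build a Windows PE 3.0 image (WAIK for
rem Windows 7) with the WinPE-WMI package added, so that manage-bde works inside it.
rem Run from an elevated Deployment Tools Command Prompt. Assumed: default WAIK
rem install path, an x86 image, working folder C:\winpe_x86 (no spaces in the path).
set ARCH=x86
set WORK=C:\winpe_%ARCH%
set AIK=%ProgramFiles%\Windows AIK\Tools
set FPS=%AIK%\PETools\%ARCH%\WinPE_FPs

rem 1. Stage the build folder (winpe.wim, ISO\, mount\, etfsboot.com).
rem    copype.cmd refuses to run if the destination already exists.
if exist "%WORK%" (echo %WORK% already exists & exit /b 1)
call "%AIK%\PETools\copype.cmd" %ARCH% %WORK% || goto :fail

rem 2. Mount the base image and add the WMI component plus its language pack.
rem    Without WinPE-WMI, manage-bde fails with 0x80040154 "Class not registered".
dism /Mount-Wim /WimFile:"%WORK%\winpe.wim" /Index:1 /MountDir:"%WORK%\mount" || goto :fail
dism /Image:"%WORK%\mount" /Add-Package /PackagePath:"%FPS%\winpe-wmi.cab" || goto :discard
dism /Image:"%WORK%\mount" /Add-Package /PackagePath:"%FPS%\en-us\winpe-wmi_en-us.cab" || goto :discard

rem    Check before committing: the package must be listed in the mounted image.
dism /Image:"%WORK%\mount" /Get-Packages | findstr /i "WinPE-WMI" >nul || goto :discard
dism /Unmount-Wim /MountDir:"%WORK%\mount" /Commit || goto :fail

rem 3. The media boots ISO\sources\boot.wim, so replace it with the customized image.
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim" >nul || goto :fail

rem 4. Optional: a bootable ISO for CD/DVD (the USB stick is prepared separately).
"%AIK%\%ARCH%\oscdimg.exe" -n -b%WORK%\etfsboot.com "%WORK%\ISO" "%WORK%\winpe_%ARCH%.iso" || goto :fail
echo Done: %WORK%\winpe_%ARCH%.iso
exit /b 0

:discard
rem Throw away the half-modified image so the mount directory is not left dirty.
dism /Unmount-Wim /MountDir:"%WORK%\mount" /Discard
:fail
echo Build failed.
exit /b 1
```

Save it as, for example, build-winpe.cmd and run it from an elevated Deployment Tools Command Prompt. A failed DISM step unmounts the image with /Discard rather than leaving a dirty mount point behind. A 32-bit image unlocks volumes encrypted by 64-bit Windows just as well, since the BitLocker volume format does not depend on the architecture; only the machine's ability to boot the image matters.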

Unlock BitLocker with manage-bde

Once you have booted up Windows PE, you can unlock the BitLocker encrypted system drive with this command:

[Screenshot: Unlock BitLocker under Windows PE]

I assume here that you have stored all BitLocker recovery keys either in Active Directory or at another safe place. Without a recovery password, a recovery key file, or (for volumes protected with a password) the password itself, you can't access a BitLocker encrypted drive from a second Windows installation; in particular, a TPM PIN is of no use here, because the PIN only authorizes the TPM of the original machine to release the key. After all, that is the point of encrypting hard drives.

[Screenshot: Unlock BitLocker under Windows PE with the recovery key]

Tip: Copy the recovery key file to your USB stick before you boot up. Then you can open the recovery key file with Notepad and paste the key on the command line.

Manage-bde also has the recoverykey parameter, which is supposed to allow you to read the recovery key file from a drive:

However, when I tried this option I only got this error message:

ERROR: An error occurred while attempting to read the key from disk.

I got the same error message under Windows 7, so I suspect there is a bug involved, because the recovery key itself worked fine. Please let me know if this option worked for you.
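
As an added example that is not part of the original post, and covering both the unlock command above and the -RecoveryKey parameter, here is a batch file to keep on the rescue stick next to the recovery material. It tries the 48-digit recovery password first and then any .BEK key file, confirms the lock status before copying anything, and locks the volume again afterwards. The distinction it relies on: the "BitLocker Recovery Key <GUID>.txt" file that Windows 7 saves holds the numerical recovery password, which goes with -RecoveryPassword, whereas -RecoveryKey expects the path to a binary .BEK key file, which BitLocker writes when an external key protector is added (manage-bde -protectors -add C: -RecoveryKey E:\). Pointing -RecoveryKey at the .txt file produces the "attempting to read the key from disk" error. The drive letters (C: for the locked volume, E: for the stick), the file name recovery-password.txt and the Documents path to copy are assumptions; Windows PE itself runs as X:, and the locked volume may receive a different letter, so check manage-bde -status first.

```batch
@echo off
setlocal
rem Added example, not the article's own command: unlock a BitLocker volume from Windows PE
rem with manage-bde, as a batch file on the rescue stick. Assumed: the locked volume is C:
rem (Windows PE itself is X:; "manage-bde -status" shows the real letter), the stick is E:,
rem and the constructed file E:\recovery-password.txt holds the 48-digit recovery password
rem (8 groups of 6 digits separated by dashes, as BitLocker prints it).
set VOL=C:
set STICK=E:

rem Option A: the numerical recovery password. This is what the "BitLocker Recovery
rem Key <GUID>.txt" file and Active Directory hold. Pass it as one token.
set RP=
if exist "%STICK%\recovery-password.txt" (
    for /f "usebackq" %%p in ("%STICK%\recovery-password.txt") do if not defined RP set RP=%%p
)
if defined RP (manage-bde -unlock %VOL% -RecoveryPassword %RP% && goto :unlocked)

rem Option B: the external key file. -RecoveryKey expects the binary .BEK file (the key
rem BitLocker writes when an external key protector is saved to a USB drive), not the
rem .txt file with the 48 digits; pointing it at the .txt file gives "An error occurred
rem while attempting to read the key from disk". .BEK files are hidden, hence dir /a.
rem One is created on a running Windows with:
rem     manage-bde -protectors -add C: -RecoveryKey E:\
for /f "delims=" %%k in ('dir /b /a "%STICK%\*.bek" 2^>nul') do (
    manage-bde -unlock %VOL% -RecoveryKey "%STICK%\%%k" && goto :unlocked
)
echo Could not unlock %VOL%.
exit /b 1

:unlocked
rem Do not trust the success text alone: confirm the lock status before copying.
manage-bde -status %VOL% | findstr /c:"Lock Status:" | findstr /i "Unlocked" >nul || (
    echo %VOL% is still locked. & exit /b 1
)
rem Copy out the data (example path, assumed), then lock the volume again so the
rem unlocked key material is not left behind on the machine.
xcopy "%VOL%\Users\manager\Documents" "%STICK%\rescued\" /e /h /i /y
manage-bde -lock %VOL% -ForceDismount
exit /b 0
```

The exit code of manage-bde is checked for the branch logic, but the authoritative test is the Lock Status line of manage-bde -status, which is why the script re-reads it before touching any files. Locking the volume again with -ForceDismount at the end matters on a laptop that is about to leave the building: an unlocked volume stays unlocked until the machine is rebooted.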


21 Comments
  1. kantzy 6 years ago

    As mentioned, the 48-digit RecoveryKey works, but I am wondering if it is possible to unlock the drive using the PIN that prompts when the system boots.
    I am getting an error when I try unlocking using the PIN.

    "ERROR: An error occurred while attempting to read the key from disk." - should the file be with a .BEK extension?
    Source: http://msmvps.com/blogs/erikr/archive/2008/04/20/bitlocker-and-winpe.aspx

  2. Michael Pietroforte 6 years ago

    Yeah, I also wondered if the BEK extension has something to do with the problem, but there is no way to create BEK files in Windows 7. I think BEK was for Vista. I didn't see a switch in manage-bde that allows you to use the PIN.

  3. CypherBit 6 years ago

    I'm having some problems with this. When I execute: manage-bde -unlock c: -recoverykey

    I get:

    ERROR: An error occurred (code 0x80070424):
    The specified service does not exist as an installed service

    Any ideas? WMI is added.

  4. CypherBit 6 years ago

    I built another one and it works now. The problem was I was copying over an older SYSTEM HIVE (needed it when implementing PointSec).

  5. Robert 6 years ago

    I am also getting the
    ERROR: An error occurred while attempting to read the key from disk.
    when trying to make a batch file that sits on the desktop that I can just double-click when the drive is in the computer. I have tried renaming the file, moving the file, and about 15 other things that didn't work... Would there be an architecture-related error since I have 64-bit? I have run into problems like this before with WAIK architecture issues. No luck, though. Too bad there is not a lot of information out there about it.

  6. Jason 5 years ago

    Michael, thank you for this article. I recently ran into an issue in accessing my Bitlocker encrypted drive and after a lot of frustration with the disk-read error I found your post - this has saved me hours of head scratching. Thank you thank you!

  7. Tung 4 years ago

    Hi,

    I have created a bootable USB, and WinPE is working, but when I type manage-bde -unlock c: -recoverypassword, it just opens the manage-bde.wfs file. Need help please... I have the recovery code.

  8. Ryan Prosser 4 years ago

    I was able to do this via the following:
    manage-bde -unlock D: -rp XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
    It then stated "The password successfully unlocked volume D:"
    The X's represent the password that was in the "BitLocker Recovery Key.....txt" file

  9. khan 4 years ago

    Thanks for the great info.

    I would like to know if the same procedure applies to Winpe_64. I am actually trying to make WinPE for 64 bit architecture.

  10. Mike 3 years ago

    Would it be possible to create an MDT Task to do this?
    My client uses Bitlocker for all computers and to do a Refresh using Winpe (format and repartition)
    I have a task to do an offline USMT and would need to disable bitlocker to get the data before wiping the drive

  11. BrianS 2 years ago

    Thanks Michael, very nice work. I was able to access my encrypted boot drive that wouldn't boot due to some corruption, and now I've got all my data files copied to another drive. So many thanks to you.

  12. Lode 9 months ago

    I do not have the recovery key, only the PIN. In order to generate the recovery key, I need admin access (which I do not have). I tried already booting a linux cd to crack the admin password, but I always need the recovery key to mount the locked drive.

    Is there a way to generate the recovery key without admin access?

    Or mount the locked drive in linux or windows PE with the PIN only?

  13. Rob 9 months ago

    I may be wrong, but the PIN is all you need to unlock it under PE. When I boot mine under PE I have to type in the password, or what I would call the PIN, and it's unlocked.

  14. Tariyel 8 months ago

    manage-bde -unlock D: -recoverypassword 1111-2222-3333 ..... is working. Thanks.

    I use this command in a .bat file. How can I use my BitLocker password with this command?

    I want to use only my password, not the recovery key. How can I do it? Thanks a lot.

  15. Rob 8 months ago

    I would guess "manage-bde -unlock D: -password abc123"

  16. Tariyel 8 months ago

    Rob - this code doesn't work on Windows Server 2012. I tested it with Run as administrator, but again it doesn't work.

  17. Rob 8 months ago

    Alright. I went back and found the code that I used.

    manage-bde -unlock G: -pw

    This will need a password typed in afterwards.

  18. Tariyel 8 months ago

    Rob - I know this code. I used it and this code is working. I need code to unlock and automatically open the drive, and I don't want to type the password. I think my idea isn't real )). Thanks Rob for all the answers...

  19. Lode 8 months ago

    Does this also work with the 4 number pin when booting? Because that's the only password I have.

  20. Rob 8 months ago

    Tariyel - You had said you tested it on a server; are you wanting it for a server or for PE? Also, if you're automating the unlocking process, what difference does it make whether you use the password or the recovery password? If it is automated you don't interact with it.

    Lode - Sorry, I don't know of 4 numbers that can unlock BitLocker.
    You can have a recoverypassword, which is a lot more than 4 numbers.

    You can have a recoverykey, which is the file.
    I'm not sure if the password could be just four numbers, but if it can, then yes to your question.

  21. Carlos 8 months ago

    I had a Lenovo X1 with a bad OS and a unique encrypted hard drive that I couldn't just attach to another computer as a slave, and this worked for me like a charm. I do work in a 64-bit environment and got a little error creating the ISO about a 32-bit environment over 64-bit. I just ignored the error and moved along with the flash drive creation. I booted up and followed the manage-bde command syntax instructions; I did have to remove the dashes (-) within the recovery key. Once I gained access to the drive I was able to move the data.

    Thanks for this post


© 4sysops 2006 - 2016