In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.
A while back, I claimed that hard drives in business PCs should always be encrypted for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, by default this is not the case for Windows PE.
A disadvantage of hard drive encryption is that you can’t easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn’t boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?
One option is to boot up from your Windows PE rescue USB stick, unlock the BitLocker encrypted drive, retrieve the important data, and be a hero. Another option would be to look for another job, but we won’t pursue that solution here.
To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a common bootable Windows PE USB stick, your heroic deed will fail miserably with this error message:
ERROR: An error occurred (code 0x80040154):
Class not registered
Not nice if your impatient manager is looking over your shoulder, claiming that she has booked a business class flight that will not wait for her. To avoid this embarrassing situation, you’d better have a Windows PE rescue stick at hand where all Windows PE WMI classes have been installed.
To create a Windows PE installation that you can use to unlock BitLocker encrypted drives, you have to download the Windows AIK (WAIK) for Windows 7, install the WAIK, launch the Deployment Tools Command Prompt with admin privileges, and then follow this procedure:
Create a Windows PE WIM image to unlock BitLocker
copype.cmd x86 c:\winpe_x86
dism /mount-wim /wimfile:c:\winpe_x86\winpe.wim /index:1 /mountdir:c:\winpe_x86\mount
dism /image:c:\winpe_x86\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-WMI.cab"
dism /unmount-Wim /mountdir:c:\winpe_x86\mount /commit
copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
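The same build as one batch file that stops on the first failure and discards the mounted image instead of committing a half-serviced one. This is an added example, not part of the original article or the WAIK; it assumes the article's paths and that the package identity listed by /get-packages contains "WinPE-WMI".

```batch
@echo off
rem Added example. Run from an elevated Deployment Tools Command Prompt.
rem WORK and PKG are the paths used in the article; adjust if yours differ.
setlocal
set WORK=c:\winpe_x86
set PKG=c:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-WMI.cab

rem copype.cmd refuses to reuse an existing directory, so stop early.
if exist "%WORK%" (
    echo %WORK% already exists. Remove it or choose another directory.
    exit /b 1
)
if not exist "%PKG%" (
    echo WinPE-WMI.cab not found. Is the WAIK installed?
    exit /b 1
)

rem "call" is required, otherwise control never returns from copype.cmd.
call copype.cmd x86 %WORK%
if not exist "%WORK%\winpe.wim" (
    echo copype.cmd did not produce winpe.wim
    exit /b 1
)

dism /mount-wim /wimfile:"%WORK%\winpe.wim" /index:1 /mountdir:"%WORK%\mount"
if errorlevel 1 exit /b 1

dism /image:"%WORK%\mount" /add-package /packagepath:"%PKG%"
if errorlevel 1 goto discard

rem Confirm the WMI package is in the image before committing.
rem Assumption: its identity string contains "WinPE-WMI".
dism /image:"%WORK%\mount" /get-packages | findstr /i "WinPE-WMI" >nul
if errorlevel 1 goto discard

dism /unmount-wim /mountdir:"%WORK%\mount" /commit
if errorlevel 1 exit /b 1
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim"
exit /b %errorlevel%

:discard
echo Adding WinPE-WMI failed; discarding changes to the image.
dism /unmount-wim /mountdir:"%WORK%\mount" /discard
exit /b 1
```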
If you prefer to boot Windows PE from a DVD or CD, you can create a bootable ISO file with this command:
oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso
Under Windows 7, you can create the bootable Windows PE DVD through the context menu of the ISO file. I have already explained in detail how to create a bootable Windows PE USB stick before, so I won’t repeat this procedure here.
Unlock BitLocker with manage-bde
Once you have booted up Windows PE, you can unlock the BitLocker encrypted system drive with this command:
manage-bde -unlock c: -recoverypassword <recovery key>
I assume here that you have stored all BitLocker recovery keys either in Active Directory or at another safe place. Of course, without a recovery key, you can’t access a BitLocker encrypted drive from a second Windows installation. After all, that is the point of encrypting hard drives.
Tip: Copy the recovery key file to your USB stick before you boot up. Then you can open the recovery key file with Notepad and paste the key on the command line.
Manage-bde also has the recoverykey parameter, which is supposed to allow you to read the recovery key file from a drive:
manage-bde -unlock c: -recoverykey <recovery key file>
However, when I tried this option I only got this error message:
ERROR: An error occurred while attempting to read the key from disk.
I got the same error message under Windows 7, so I somehow think there is a bug involved because the recovery key worked fine. Please let me know if this option worked for you.