In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.
Latest posts by Michael Pietroforte (see all)

A while back, I claimed that hard drives in business PCs should always be encrypted for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, a default Windows PE image lacks this integration: it can't unlock BitLocker drives out of the box.

A disadvantage of hard drive encryption is that you can't easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn't boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?

One option is to boot up from your Windows PE rescue USB stick, unlock the BitLocker encrypted drive, retrieve the important data, and be a hero. Another option would be to look for another job, but we won't pursue that solution here.

To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a common bootable Windows PE USB stick, your heroic deed will miserably fail with this error message:

ERROR: An error occurred (code 0x80040154):
Class not registered

Not nice if your impatient manager is looking over your shoulder, claiming that she has booked a business class flight that will not wait for her. To avoid this embarrassing situation, you'd better have a Windows PE rescue stick at hand on which the Windows PE WMI package (and thus the WMI classes manage-bde depends on) has been installed.

To create a Windows PE installation that you can use to unlock BitLocker encrypted drives, you have to download the Windows AIK (WAIK) for Windows 7, install the WAIK, launch the Deployment Tools Command Prompt with admin privileges, and then follow this procedure:

Create a Windows PE WIM image to unlock BitLocker

copype.cmd x86 c:\winpe_x86

dism /mount-wim /wimfile:c:\winpe_x86\winpe.wim /index:1 /mountdir:c:\winpe_x86\mount

dism /image:c:\winpe_x86\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-WMI.cab"

dism /unmount-wim /mountdir:c:\winpe_x86\mount /commit

copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim

If you prefer to boot Windows PE from a DVD or CD, you can create a bootable ISO file with this command:

oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

Under Windows 7, you can create the bootable Windows PE DVD through the context menu of the ISO file. I have already explained in detail how to create a bootable Windows PE USB stick before, so I won't repeat this procedure here.

Unlock BitLocker with manage-bde

Once you have booted up Windows PE, you can unlock the BitLocker encrypted system drive with this command:

manage-bde -unlock c: -recoverypassword <recovery key>

(Screenshot: Unlock BitLocker in Windows PE)

I assume here that you have stored all BitLocker recovery keys either in Active Directory or at another safe place. Of course, without a recovery key, you can't access a BitLocker encrypted drive from a second Windows installation. After all, that is the point of encrypting hard drives.

(Screenshot: Unlock BitLocker in Windows PE - Recovery Key)

Tip: Copy the recovery key file to your USB stick before you boot up. Then you can open the recovery key file with Notepad and paste the key on the command line.

Manage-bde also has the recoverykey parameter, which is supposed to allow you to read the recovery key file from a drive:

manage-bde -unlock c: -recoverykey <recovery key file>

However, when I tried this option I only got this error message:

ERROR: An error occurred while attempting to read the key from disk.

I got the same error message under Windows 7, so I somehow think there is a bug involved because the recovery key worked fine. Please let me know if this option worked for you.
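As an added example that is not part of the original article, the following batch script for the Windows PE 3.0 command prompt automates the tip above: it pulls the 48-digit recovery password out of each "BitLocker Recovery Key*.txt" file copied to the USB stick and passes it to -recoverypassword, so the key never has to be retyped and the -recoverykey switch is not needed. The stick letter, the \keys folder and the unlock.cmd name are assumptions; manage-bde is assumed to return a non-zero exit code when an unlock fails.

```batch
@echo off
rem unlock.cmd - added example, not from the original article.
rem Usage: unlock.cmd <stick letter> [volume]   e.g.  unlock.cmd E: C:
rem Assumes the recovery key text files were copied to <stick>\keys\
rem before booting Windows PE (folder name is an assumption).
setlocal enabledelayedexpansion
set "STICK=%~1"
set "VOLUME=%~2"
if "%STICK%"=="" (
    echo Usage: %~nx0 ^<stick letter^> [volume]
    exit /b 2
)
if "%VOLUME%"=="" set "VOLUME=C:"
set "KEYDIR=%STICK%\keys"

rem Try every key file until one of them unlocks the volume. The key file
rem is Unicode text, so it is read with TYPE (which converts it) and piped
rem into FINDSTR, which picks the line holding the dash-separated 6-digit groups.
for %%F in ("%KEYDIR%\*.txt") do (
    set "KEY="
    for /f "usebackq tokens=1" %%K in (`type "%%~F" ^| findstr /r "^ *[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-"`) do set "KEY=%%K"
    if defined KEY (
        echo Trying recovery password from "%%~nxF" ...
        rem Same command as in the article, with the key read from the file.
        manage-bde -unlock %VOLUME% -recoverypassword !KEY! >nul 2>&1
        if !errorlevel! equ 0 (
            echo Volume %VOLUME% unlocked with the key from "%%~nxF".
            exit /b 0
        )
    )
)
echo No key file in "%KEYDIR%" unlocked %VOLUME%.
exit /b 1
```

The script prints only the file name of the key that worked, never the key itself, so it can be run with a manager looking over your shoulder.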

25 Comments
  1. kantzy 13 years ago

    As mentioned, the 48-digit RecoveryKey works, but I am wondering if it is possible to unlock the drive using the PIN which prompts when the system boots.
    I am getting an error when I try unlocking using the PIN.

    “ERROR: An error occurred while attempting to read the key from disk.” – should the file be with a .BEK extension?
    Source: http://msmvps.com/blogs/erikr/archive/2008/04/20/bitlocker-and-winpe.aspx

  2. Yeah, I also wondered if the BEK extension has something to do with the problem, but there is no way to create BEK files in Windows 7. I think BEK was for Vista. I didn’t see a switch in manage-bde that allows you to use the PIN.

  3. CypherBit 13 years ago

    I’m having some problems with this. When I execute: manage-bde -unlock c: -recoverykey

    I get:

    ERROR: An error occurred (code 0x80070424):
    The specified service does not exist as an installed service

    Any ideas, WMI is added.

  4. CypherBit 13 years ago

    I build another one and it works now. The problem was I was copying over an older SYSTEM HIVE (needed it when implementing PointSec).

  5. Robert 13 years ago

    I am also getting the
    ERROR: An error occurred while attempting to read the key from disk.
    trying to make a batch file that sits on the desktop that I can just double click when the drive is in the computer. I have tried renaming the file, moving the file and about 15 other things that didn’t work… would there be an architecture related error since I have 64 bit? I have run into problems like this before with WAIK architecture issues. No luck though; too bad there is not a lot of information out there about it.

  6. Jason 12 years ago

    Michael, thank you for this article. I recently ran into an issue in accessing my Bitlocker encrypted drive and after a lot of frustration with the disk-read error I found your post – this has saved me hours of head scratching. Thank you thank you!

  7. Tung 11 years ago

    Hi,

    I have created a bootable USB. And WinPE is working, but when I type manage-bde -unlock c: -recoverypassword, it just opens the manage-bde.wfs file. Need help please.. I have the recovery code.

  8. Ryan Prosser 10 years ago

    I was able to do this via the following:
    manage-bde -unlock D: -rp XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
    It then stated “The password successfully unlocked volume D:”
    The X’s represent the password that was in the “BitLocker Recovery Key…..txt” file

  9. khan 10 years ago

    Thanks for the great info.

    I would like to know if the same procedure applies to Winpe_64. I am actually trying to make WinPE for 64 bit architecture.

  10. Mike 10 years ago

    Would it be possible to create an MDT Task to do this?
    My client uses Bitlocker for all computers and to do a Refresh using Winpe (format and repartition)
    I have a task to do an offline USMT and would need to disable bitlocker to get the data before wiping the drive

  11. BrianS 8 years ago

    Thanks Michael, very nice work, I was able to access my encrypted boot drive that wouldn’t boot due to some corruption but now I’ve all my data files copied to another drives. So many thanks to you.

  12. Lode 8 years ago

    I do not have the recovery key, only the PIN. In order to generate the recovery key, I need admin access (which I do not have). I tried already booting a linux cd to crack the admin password, but I always need the recovery key to mount the locked drive.

    Is there a way to generate the recovery key without admin access?

    Or mount the locked drive in linux or windows PE with the PIN only?

  13. Rob 8 years ago

    I may be wrong, but the PIN is all you need to unlock it under PE. When I boot mine under PE I have to type in the password, or what I would call the PIN, and it’s unlocked.

  14. Tariyel 8 years ago

    manage-bde -unlock D: -recoverypassword 1111-2222-3333 ….. is working. Thanks.

    I use this command as a .bat file. How can I use my BitLocker password like this command?

    I want to use only my password, not the recovery key. How can I do it? Thanks a lot..

  15. Rob 8 years ago

    I would guess “manage-bde -unlock D: -password abc123”

  16. Tariyel 7 years ago

    Rob – this code doesn’t work on Windows Server 2012. I tested it as Run as administrator but again it doesn’t work.

  17. Rob 7 years ago

    Alright. I went back and found the code that I used.

    manage-bde -unlock G: -pw

    This will need a password typed in afterwards.

  18. Tariyel 7 years ago

    Rob – I know this code. I used it and this code is working. I need code to unlock and automatically open the drive, and I don’t want to type the password. I think my idea isn’t real )) . Thanks Rob for all answers…

  19. Lode 7 years ago

    Does this also work with the 4 number pin when booting? Because that’s the only password I have.

  20. Rob 7 years ago

    Tariyel – You had said you tested it on a server; are you wanting it for a server or for PE? Also, if you’re automating the unlocking process, what makes the difference in using the password or the recovery password? If it is automated you don’t interact with it.

    Lode – Sorry, I don’t know of 4 numbers that can unlock BitLocker.
    You can have a recoverypassword that’s a lot more than 4 numbers.

    You can have a recoverykey that’s the file.
    I’m not sure if the password could be just four numbers, but if it can then yes to your question.

  21. Carlos 7 years ago

    I had a Lenovo X1 with a bad OS and a unique encrypted hard drive that I couldn’t just put on another computer as a slave, and this worked for me like a charm. I do work in a 64 bit environment and got a little error creating the ISO about a 32 bit environment over 64 bit. I just ignored the error and moved along with the flash drive creation. Booted up and followed the manage-bde command syntax instructions; I did have to remove the dashes (-) within the recovery key. Once I gained access to the drive I was able to move the data.

    Thanks for this post

  22. Larry P 6 years ago

    I am trying to add a function to unlock BitLocker (using the correct encryption key available) from a PE disk already created. Is there a way of doing that? I tried reading the instructions above but they seem to be very narrowly defined and leave out a lot of details. I have the PE disk. Is there a file or script I can add to dismount the drive?

    • Rob 6 years ago

      I am not sure about being able to add BitLocker to an already built PE. I can say that I bet it will be easier to learn how to make a PE than it will be doing something Microsoft doesn’t want you to with BitLocker. BitLocker’s not going to dismount anything. I’m not really sure if you’re asking whether, if you dismount the WMI the PE is built with, you can then add WAIK, or if you’re trying to dismount a mounted drive booted in PE.

  23. Jey 5 years ago

    Will this work in Windows 10?

  24. Daniel 5 years ago

    Hi. I have a laptop with the whole disk encrypted with BitLocker. Windows 10 boots without asking for a password because it is auto unlocked with the TPM chip. Is there a way to unlock using the TPM chip if I boot with Windows PE?

© 4sysops 2006 - 2023