BitLocker Frequently Asked Questions.

Reimaging a BitLockered computer.

The TPM (security chip) needs to be cleared before re-imaging a previously imaged laptop (i.e. a laptop that was previously encrypted).

Also clear the TPM if you have manually decrypted a laptop (via Control Panel > BitLocker or via the command line with "manage-bde") and plan to re-encrypt it.

If your BIOS (UEFI) looks different, take a picture and post in #temp-encryption.

  • For Dells - BIOS menu may be a bit different on different model laptops:
    • Start/Restart the computer, and press F2 to enter the BIOS setup.
    • Click unlock and give the standard BIOS password.
    • Navigate to Settings > Security > TPM Security.
    • Note whether it says "TPM" or "TPM 2".
    • Click the "Clear" radio button or checkbox.
    • If prompted about clearing the TPM chip, click yes/ok.
    • Save your changes, reboot.
    • If your BIOS has TPM 2, go back into the BIOS, click unlock, and give the BIOS password.
    • Uncheck the box next to "TPM On".
    • Save your changes, reboot.
    • Reboot to the MDT stick and re-image/provision.
  • For Lenovos
    • Start/Restart the computer, and press F1 to enter the BIOS setup.
    • Navigate to the TPM menu, and select clear (needs confirmation).
    • Reboot to the MDT stick and re-image/provision.
  • For Surfaces (below worked on a Surface 4 Pro. It is also possible that some Surfaces don't need the TPM manually cleared. YMMV)
    • In Windows:
    • Go to Start > Settings > Update & Security > Windows Security > Device security. This will launch the Windows Defender Security Center.
    • Select Device Security again, and then under Security processor, select Security processor details.
    • On the next screen, select Security processor troubleshooting, and then under Clear TPM click the Clear TPM button.
    • (If there are no TPM options in Settings, your TPM may be off.)
    • Reboot to the MDT stick and re-image/provision.

Mounting a BitLockered drive in WinPE (MDT Boot Environment)

  • Boot up the PC using the newest release of our MDT USB boot image
  • Wait for the MDT control console to launch, and press F8 and you should see a CMD prompt launch.
  • Type the following command:
    • manage-bde -unlock c: -recoverypassword <recovery key>
    • "C:" is the volume letter you're trying to unlock/mount.

Recovering data from a BitLockered drive in PE. 

**Below assumes you already have booted into the SASC MDT USB imaging environment and already followed the above instructions to unlock the BitLockered volume.

Method one (via the SASC backup tool)

  • Insert a USB storage device large enough to hold the volume you're backing up and/or the user directory.
    • If the drive does not show up, reboot with the USB drive inserted and it will.
  • Press F8 to load the command shell (CMD), enter "menu" at the prompt, and select option 1. Follow the linked instructions above to start a backup.

Method two (Copy data to a file share or to a local USB drive)

  • Mount file share by doing one of the following.
    • Press F8 and use the following command.
      • net use * \\sharename /user:useraccountname
    • Launch explorer from the DART tools and do the following.
      • Click Tools > Map Network Drive
      • Enter required server/account information and press OK
  • From Explorer in the DART tools copy data from local machine to network share.
  • Explorer can also be used to copy data directly to an external USB drive. 

How to totally Decrypt a BitLockered drive.

Method One (from an SASC MDT stick)

  • Boot up the PC using the newest release of our MDT USB boot image
  • Wait for the MDT control console to launch, and press F8 and you should see a CMD prompt launch.
  • Type the following commands ("C:" is the volume letter you're trying to unlock/mount):
    • manage-bde -unlock C: -recoverypassword <recovery key>
    • manage-bde -off C:
  • You can check the decryption progress (percentage still encrypted) from the command line:
    • manage-bde -status
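The Method One steps above combined into one script, as an added example that is not part of the original FAQ: it runs the same manage-bde commands from a PowerShell prompt in the MDT WinPE environment and polls manage-bde -status until the volume is fully decrypted. It assumes the boot image includes the PowerShell optional component and that manage-bde.exe is on the PATH; the recovery password value is a placeholder.

```powershell
# Added example (not part of the original FAQ): unlock, decrypt, and watch progress
# with manage-bde from PowerShell in the MDT WinPE environment. Assumes manage-bde.exe
# is on the PATH and the boot image includes the PowerShell optional component.
param(
    [string]$Volume = "C:",
    # Placeholder: replace with the volume's 48-digit recovery password.
    [string]$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000"
)

# Read the "Percentage Encrypted" value from the English manage-bde -status output.
function Get-EncryptedPercent([string]$Vol) {
    $status = & manage-bde -status $Vol 2>&1 | Out-String
    if ($status -match 'Percentage Encrypted:\s*([0-9.]+)%') { return [double]$Matches[1] }
    throw "Could not read encryption status for $Vol`n$status"
}

# Step 1: unlock the volume with the recovery password (same command as the FAQ).
& manage-bde -unlock $Volume -recoverypassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Unlock failed for $Volume (exit code $LASTEXITCODE)" }

# Step 2: start decryption. This removes protection entirely; once it finishes the
# volume is plaintext, so only do this when the FAQ procedure calls for it.
& manage-bde -off $Volume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -off failed for $Volume (exit code $LASTEXITCODE)" }

# Step 3: poll until "Percentage Encrypted" reaches 0.0%. manage-bde -status shows
# "Conversion Status: Decryption in Progress" until then; let it finish before
# reimaging or pulling the drive.
do {
    $pct = Get-EncryptedPercent $Volume
    Write-Host ("{0:HH:mm:ss}  {1}: {2}% still encrypted" -f (Get-Date), $Volume, $pct)
    if ($pct -gt 0) { Start-Sleep -Seconds 30 }
} while ($pct -gt 0)

Write-Host "$Volume is fully decrypted."
```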

Method Two (from installed operating system)

  • In the installed operating system, open a new Explorer window.
  • Select "This PC" if it's not already selected in the left-hand panel.
  • Right click on the system drive (usually C) and click "Manage BitLocker." Enter your admin credentials when prompted.
  • In the subsequent window entitled "BitLocker Drive Encryption" click "Turn off BitLocker".
  • Click "Turn off BitLocker" in the notification box.

How and When to suspend BitLocker on a local volume.

When you should suspend BitLocker.

  • When updating system firmware (BIOS)
  • Upgrading or replacing system hardware.
  • Upgrading operating system.

** BitLocker automatically resumes protection (returns to the locked state) at the next reboot after being suspended.

How to suspend BitLocker.

  • In the installed operating system (in this case Windows 10), open a new Explorer window.
  • Select "This PC" if it's not already selected in the left-hand panel.
  • Right click on the system drive (usually C) and click "Manage BitLocker." Enter your admin credentials when prompted.
  • In the subsequent window entitled "BitLocker Drive Encryption" click "Suspend Protection".
  • Click "Yes" in the notification box.
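The same suspend procedure from an elevated PowerShell prompt on the installed Windows 10 OS, as an added example that is not part of the original FAQ. It uses the built-in BitLocker module (Get-BitLockerVolume, Suspend-BitLocker) rather than the Explorer steps, refuses to suspend a volume that is still encrypting, and verifies the result; the volume letter is a parameter defaulting to C:.

```powershell
# Added example (not part of the original FAQ): suspend BitLocker before a firmware
# or hardware update and confirm the state, using the built-in BitLocker module.
param([string]$MountPoint = "C:")

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is '$($vol.VolumeStatus)'; wait for encryption to finish before suspending."
}
if ($vol.ProtectionStatus -eq 'Off') {
    Write-Host "$MountPoint protection is already suspended."
    return
}

# RebootCount 1 matches the FAQ's note: protection resumes automatically at the
# next reboot, so a forgotten suspend does not leave the drive unprotected for long.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

$after = Get-BitLockerVolume -MountPoint $MountPoint
if ($after.ProtectionStatus -ne 'Off') {
    throw "Suspend did not take effect on $MountPoint (ProtectionStatus = $($after.ProtectionStatus))."
}
Write-Host "$MountPoint protection suspended: key protectors disabled, data still encrypted."
Write-Host "Run the firmware/hardware update now; protection resumes on the next reboot."
Write-Host "To resume early without rebooting: Resume-BitLocker -MountPoint $MountPoint"
```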