Jul 01 2016

Windows 10 Bitlocker Recovery Gotcha

I recently upgraded my laptop from the now four year old Lenovo W530 to a shiny new Lenovo P50 complete with a Xeon 2.8GHz CPU, 64GB of RAM and an NVMe M.2 boot drive.  Not only did I upgrade the hardware but I also switched from Windows 8.1 to Windows 10.  So far so good.

Being that I’ve always owned laptops, I always try to take precautions against data loss through theft via full disk encryption.  With the release of BitLocker, this has been a remarkably seamless security improvement and I’ve used Bitlocker transparently for years.  So far so good.

During the installation of Bitlocker on my Windows 10 box, I was prompted with this screen:


It seems that since the first release of Windows 10, Microsoft has made changes to Bitlocker, specifically changing the encryption mode to make it more secure.  They specifically call out that the new mode requires at least Windows 10 Build 1511.  Since I had no intention of using anything else, I figured what the heck and selected the New Encryption Mode.  So far so good.

Once everything was set up to my liking, I created a recovery USB key using my favorite home backup software Macrium Reflect.  During the recovery key wizard, it specifically asks what version of WinPE I want and gives me a checkbox to add Bitlocker support.  So far so good.

Then comes time to test it.  I boot off the key and launch into the Macrium Recovery environment.  Everything looks great except my C: drive is not present.

So I try running manage-bde -status C: and instead of seeing the details of the drive I get "The parameter is incorrect."

Next I try to unlock the drive manually with the recovery key using manage-bde -unlock C: -recoverypassword [recoverykey].  The returned text said "The password cannot unlock volume C:."  Well that’s not good.

The thing is, I have a second drive in my system I moved over from the previous computer and it was already encrypted with Bitlocker, albeit from Windows 8.1.  It worked flawlessly and transparently.

I didn’t piece it together immediately but I’m sure based on how I’ve described this you can see the problem.  The XTS-AES Bitlocker decryption process requires Windows 10 10586 but the Windows PE version provided by Macrium Reflect is still based on Windows 10 10240.

I’ve opened a ticket with Macrium to make sure they are aware of this.  But for now I guess my best option is to simply decrypt and re-encrypt the drive using the “compatible mode”.  Either that or copy the manage-bde.exe from build 1511 to my USB key and see if that’ll let me decrypt the drive.  Is that dangerous?  One way to find out.
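A pre-flight check for the mismatch described above, added here as an example and not code from the original post or from Macrium: it lists each BitLocker volume's encryption method with the built-in Get-BitLockerVolume cmdlet and flags any XTS-AES volume that a recovery environment older than build 10586 (version 1511) will not be able to unlock. The WinPE build number passed in is an assumption; read it from the recovery media itself (the version banner printed by manage-bde -status, or ver) before building or trusting the key.

```powershell
# Added example: compare each volume's BitLocker encryption mode against the
# build of the WinPE recovery media. XTS-AES arrived in Windows 10 1511
# (build 10586); an older WinPE such as 10240 cannot unlock those volumes.
param(
    # Build number of the WinPE you boot for recovery (assumed default: the
    # original Windows 10 RTM build that the post found in the Macrium media).
    [int]$WinPEBuild = 10240
)

$MinXtsBuild = 10586   # Windows 10 version 1511

# Get-BitLockerVolume ships with the BitLocker module on Windows 8.1/10 clients.
if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    throw 'BitLocker PowerShell module not available; run this on the live Windows install.'
}

# Only volumes that still carry ciphertext matter for recovery media.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($v in $volumes) {
    $mode = $v.EncryptionMethod.ToString()      # e.g. XtsAes128, Aes128, Aes256
    $needsNewPe = $mode -like 'XtsAes*'         # "new encryption mode" in the wizard
    $readable = (-not $needsNewPe) -or ($WinPEBuild -ge $MinXtsBuild)

    $note = ''
    if (-not $readable) {
        $note = "XTS-AES needs WinPE build $MinXtsBuild or later; media is build $WinPEBuild"
    }

    [pscustomobject]@{
        Volume             = $v.MountPoint
        EncryptionMethod   = $mode
        ProtectionStatus   = $v.ProtectionStatus
        RecoveryUnlockable = $readable
        Note               = $note
    }
}
```

Run it from an elevated PowerShell prompt on the encrypted machine; a volume reported as RecoveryUnlockable = False is the one that will be missing, and that manage-bde will refuse to unlock, in the older recovery environment.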
