TBWinRE Suggestion: Automatically unlock Bitlockered drives
TBWinRE Suggestion: Automatically unlock Bitlockered drives
In TBWinRE, my Bitlockered drives come up as C:, D:, E:, and F:, and my OS drive is F:. None of these assignments match the ones I use in Windows, and several are the same size, so I have no way to identify them except to unlock them. It would be nice if TBWinRE had the ability to do this automatically by scanning the USB stick where I store recovery keys. For non-OS drives, manage-bde will even tell you exactly which file is needed. The OS drive is not so fortunate, but it could still be unlocked by iterating over the key files and trying each in turn. I don't think failures would trigger a lockout period, but I could be wrong. It arguably doesn't matter as much for the OS drive anyway, as I can suspend Bitlocker before booting into TBWinRE. This results in the OS drive being unlocked, but the data drives are still locked, even though they are auto-unlock in the normal Windows environment, so automatically unlocking them in TBWinRE would still be a valuable feature.
Re: TBWinRE Suggestion: Automatically unlock Bitlockered drives
Unfortunately, no.
-
TeraByte Support(PP)
- Posts: 1646
- Joined: Fri Aug 12, 2011 12:51 am
Re: TBWinRE Suggestion: Automatically unlock Bitlockered drives
If you use the BootWIM method you could create a .cmd script to suspend all the drives and then run TBWinPE with the desired /bootwim parameters. If you're using the boot media, you could add the necessary files to the build and run them on startup (e.g. RunScript.cmd). Or, configure the build to search for the boot media and create an autorun.cmd script on the boot media (TBData\autorun.cmd) to handle it without needing to add them to the build.
Re: TBWinRE Suggestion: Automatically unlock Bitlockered drives
Ah, I learned something today. I thought I was familiar with manage-bde, but I didn't know about using -protectors -disable/enable on data drives. Suspension of data drives isn't exposed in the Manage Bitlocker control panel, so I didn't think it was possible. Turns out it is, but with one important difference, it has to be manually resumed. That is, unlike the OS partition, encryption won't be automatically resumed after you reboot. I don't want to do this, at least not as SOP for partitions I don't intend to restore.
This seems to get me back to my original idea, which is a feature "Unlock Bitlockered drives" that brings up a file selector to choose the directory containing the keys, which would be on a different USB stick than my TBWinRe installation, and proceeds to unlock the drives. I see how to do it using manage-bde, but I don't want to have to write a script for it. That's why it would be a neat feature to add.
This seems to get me back to my original idea, which is a feature "Unlock Bitlockered drives" that brings up a file selector to choose the directory containing the keys, which would be on a different USB stick than my TBWinRe installation, and proceeds to unlock the drives. I see how to do it using manage-bde, but I don't want to have to write a script for it. That's why it would be a neat feature to add.