Reimaging a Bitlockered computer.
The TPM (security chip) needs to be cleared before re-imaging a previously imaged laptop (i.e. a laptop that was previously encrypted).
Also clear the TPM if you have manually decrypted a laptop (via Control Panel > BitLocker or via cmd line "manage-bde") and plan to re-encrypt it.
If your BIOS (UEFI) looks different, take a picture and post in #temp-encryption.
- For Dells - the BIOS menu may differ slightly between laptop models:
- Start/Restart the computer, and press F2 to enter the bios setup.
- Click unlock and give the standard BIOS password.
- Navigate to Settings > Security > TPM Security.
- Note whether it says "TPM" or "TPM 2".
- Click the "Clear" radio button or checkbox.
- If prompted about clearing the TPM chip, click yes/ok.
- Save your changes, reboot.
- If your BIOS has TPM 2, go back into the BIOS, click unlock, give the bios password.
- Uncheck the box next to "TPM On".
- Save your changes, reboot.
- Reboot to the MDT stick and re-image/provision.
- For Lenovos
- Start/Restart the computer, and press F1 to enter the BIOS setup.
- Navigate to the TPM menu, and select clear (needs confirmation).
- Reboot to the MDT stick and re-image/provision.
- For Surfaces (below worked on a Surface 4 Pro. It is also possible that some Surfaces don't need the TPM manually cleared. YMMV)
- In Windows:
- Go to Start > Settings > Update & Security > Windows Security > Device security. This will launch the Windows Defender Security Center.
- Select Device Security again, and then under Security processor, select Security processor details.
- On the next screen, select Security processor troubleshooting, and then under Clear TPM click on the Clear TPM button.
- (if there are no TPM options in settings, that means that your TPM may be off.)
- Reboot to the MDT stick and re-image/provision.
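Before walking through the BIOS or Windows Security steps above, the checks below can be run in the installed Windows 10 to confirm the volume's BitLocker state, tell a TPM 1.2 from a TPM 2 (the Dell steps differ), and request the clear the same way the "Clear TPM" button does. This is an added example, not part of the original page; it assumes an elevated PowerShell prompt with the built-in BitLocker and TrustedPlatformModule modules, and the -Force switch is a name chosen here.

```powershell
# Added example (not from the original page). Pre-checks before clearing the
# TPM: confirm the OS volume's BitLocker state, report TPM 1.2 vs 2.0 (the
# page's Dell steps differ for "TPM 2"), then request the clear the same way
# the Windows Security "Clear TPM" button does. Run elevated in Windows 10;
# assumes the built-in BitLocker and TrustedPlatformModule modules.
param([switch]$Force)   # pass -Force when the disk is about to be re-imaged anyway

$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -eq 'On' -and -not $Force) {
    # Clearing the TPM while it still protects the OS volume means the next
    # boot will demand the recovery password. Only fine if re-imaging anyway.
    throw "$env:SystemDrive is still BitLocker-protected. Decrypt it first, or re-run with -Force if you are re-imaging."
}

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw "No TPM visible to Windows. Check the BIOS/UEFI: the TPM may be turned off."
}
if ($tpm.OwnerClearDisabled) {
    throw "The platform blocks clearing from the OS; clear the TPM from the BIOS/UEFI menu instead."
}

# Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" (TPM 2) or "1.2, 2, 3" (TPM 1.2)
$spec  = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
$label = if ($spec -like '2.0*') { 'TPM 2' } else { 'TPM' }
Write-Host "TPM present, SpecVersion '$spec' -> follow the '$label' steps in the BIOS section."

# Request the clear; Windows applies it on the next boot and may ask for a
# physical-presence confirmation (press a key) before doing so.
Clear-Tpm | Out-Null
Write-Host "TPM clear requested. Reboot, accept the confirmation prompt, then boot to the MDT stick."
```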
Mounting a BitLockered drive in WinPE (MDT Boot Environment)
- Boot up the PC using the newest release of our MDT USB boot image.
- Wait for the MDT control console to launch, and press F8 and you should see a CMD prompt launch.
- Type the following command:
- manage-bde -unlock C: -recoverypassword <recovery key>
- "C:" is the volume letter you're trying to unlock/mount.
Recovering data from a BitLockered drive in PE.
**Below assumes you have already booted into the SASC MDT USB imaging environment and already followed the above instructions to unlock the BitLockered volume.
Method one (via the SASCbackup tool)
- Insert a USB storage device large enough to hold the volume you're backing up and/or the user directory.
- If the drive does not show up, reboot with the USB drive inserted and it will.
- Press F8 to load the command shell (CMD), enter "menu" at the prompt, and select option 1. Follow the linked instructions above to start a backup.
Method two (Copy data to a file share or to a local USB drive)
- Mount file share by doing one of the following.
- Press F8 and use the following command.
- net use * \\servername\sharename /user:useraccountname
- Launch explorer from the DART tools and do the following.
- Click Tools > Map Network Drive
- Enter required server/account information and press OK
- From Explorer in the DART tools copy data from local machine to network share.
- Explorer can also be used to copy data directly to an external USB drive.
How to totally Decrypt a BitLockered drive.
Method One (from an SASC MDT stick)
- Boot up the PC using the newest release of our MDT USB boot image.
- Wait for the MDT control console to launch, and press F8 and you should see a CMD prompt launch.
- Type the following commands ("C:" is the volume letter you're trying to unlock/mount):
- manage-bde -unlock C: -recoverypassword <recovery key>
- manage-bde -off C:
- You’ll be able to see the percentage of decryption from the command line:
- manage-bde -status
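The unlock step from "Mounting a BitLockered drive in WinPE" and the unlock/off/status sequence above, put together as one script that also validates the recovery key format and polls until decryption finishes. This is an added example, not from the original page; it assumes the MDT boot image includes the WinPE PowerShell component (otherwise type the same manage-bde commands one at a time at the F8 CMD prompt), and the parameter names are chosen here.

```powershell
# Added example (not from the original page): unlock a BitLocker volume with
# its 48-digit recovery password, start decryption, and poll until done.
# Assumes the MDT boot image includes the WinPE PowerShell component; the same
# manage-bde commands work typed one by one at the F8 CMD prompt.
param(
    [string]$Volume = 'C:',
    [Parameter(Mandatory)][string]$RecoveryPassword   # e.g. 123456-123456-... (8 groups)
)

# Recovery passwords are eight groups of six digits; reject anything else early
# so a typo fails here rather than as a cryptic manage-bde error.
if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
    throw "Recovery password must be 48 digits in 8 groups of 6 (nnnnnn-nnnnnn-...)."
}

# Step 1: unlock the volume (page command: manage-bde -unlock C: -recoverypassword <key>)
manage-bde -unlock $Volume -recoverypassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Unlock of $Volume failed (exit code $LASTEXITCODE)." }

# Step 2: turn BitLocker off, which starts decryption in the background
manage-bde -off $Volume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -off $Volume failed (exit code $LASTEXITCODE)." }

# Step 3: poll manage-bde -status and parse its 'Percentage Encrypted: nn.n%' line
function Get-EncryptedPercent([string]$Vol) {
    $line = @(manage-bde -status $Vol) | Where-Object { $_ -match 'Percentage Encrypted:' }
    if ($line -and ($line | Select-Object -First 1) -match '([\d.]+)%') {
        return [double]$Matches[1]
    }
    return $null
}

do {
    $pct = Get-EncryptedPercent $Volume
    if ($null -eq $pct) { throw "Could not read encryption percentage for $Volume." }
    Write-Host ("{0} still {1}% encrypted..." -f $Volume, $pct)
    if ($pct -gt 0) { Start-Sleep -Seconds 30 }
} while ($pct -gt 0)

Write-Host "$Volume is fully decrypted."
```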
Method Two (from installed operating system)
- In the installed operating system, open a new Explorer window.
- Select "This PC" if it's not already selected in the left-hand panel.
- Right click on the system drive (usually C) and click "Manage BitLocker." Enter your admin credentials when prompted.
- In the subsequent window entitled "BitLocker Drive Encryption" click "Turn off BitLocker"
- Click "Turn off BitLocker" in the notification box.
How and When to suspend BitLocker on a local volume.
When you should suspend BitLocker.
- When updating system firmware (bios)
- Upgrading or replacing system hardware.
- Upgrading operating system.
** BitLocker protection automatically resumes after the next reboot following a suspend.
How to suspend BitLocker.
- In the installed operating system, in this case Windows 10, open a new Explorer window.
- Select "This PC" if it's not already selected in the left-hand panel.
- Right click on the system drive (usually C) and click "Manage BitLocker." Enter your admin credentials when prompted.
- In the subsequent window entitled "BitLocker Drive Encryption" click "Suspend Protection"
- Click "Yes" in notification box.
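The same suspend, done from an elevated PowerShell prompt in the installed Windows 10, with the check a practitioner wants first: that a recovery password protector is on record before a firmware update that may change the TPM measurements. This is an added example, not from the original page; it assumes the built-in BitLocker module and the parameter name is chosen here.

```powershell
# Added example (not from the original page): suspend BitLocker on the system
# drive for exactly one reboot before a firmware update, after confirming a
# recovery password protector exists. Run from an elevated PowerShell prompt;
# assumes the built-in BitLocker module (Windows 10).
param([string]$MountPoint = $env:SystemDrive)   # usually C:

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to suspend."
    return
}

# Caveat: if the firmware update changes what the TPM measures and something
# goes wrong, the recovery password is the only way back in. Check one exists.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $MountPoint; add and back one up before suspending."
}
Write-Host ("Recovery protector ID(s) on record: {0}" -f ($recovery.KeyProtectorId -join ', '))

# Suspend for one reboot: protection resumes automatically after the next
# restart, which matches the behaviour described on this page.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

$after = Get-BitLockerVolume -MountPoint $MountPoint
if ($after.ProtectionStatus -ne 'Off') {
    throw "Suspend did not take effect; ProtectionStatus is $($after.ProtectionStatus)."
}
Write-Host "$MountPoint protection suspended for 1 reboot. Apply the firmware update now."
# To resume early without rebooting: Resume-BitLocker -MountPoint $MountPoint
```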