Discussion in 'backup, imaging & disk mgmt' started by Stigg, Nov 23, 2013.
Backups and restores are apparently OK ...
Can you browse the Win10 partition?
Just to conclude, 'manage-bde -status C:' shows the following:
Size: 224,68 GB
Bitlocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100,0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: Numerical Password
Not sure what all that means @Brian K, and if that confirms the partition is unencrypted.
But either way, it forces AOMEI Backupper Pro to do large sector-by-sector images (e.g 180 GB), whereas Macrium Reflect 7 Free and TB IFW do normal +/-44 GB used space images.
Looks like it's an oddity of (Dell and) AB Pro then.
While it's true that BitLocker is exclusive to Windows 10 Pro, as I mentioned in that Dell thread you linked, there is a "Device encryption" feature available in Windows 10 Home that gets activated if the system meets certain hardware requirements, and although it does use BitLocker technology, it has a lot of limitations around manageability, the types of protectors that can be used, the types of disks that can be protected, etc. In terms of where your Recovery Key is, did you link your Windows user account to your Microsoft account? If so, it's probably in the cloud. If not, then I would definitely figure out where that Recovery Key is asap. I've seen a few threads on the Dell forums where people have been bit by this, e.g. after they install a BIOS update (which causes the TPM's platform integrity check to fail) or get a motherboard replaced, they get prompted for a Recovery Key that they don't have.
Making sure you can browse your files in Reflect's Rescue Media environment is not a great test because by default, Reflect's Rescue Media creator adds Recovery Keys for all partitions unlocked at the time of the Rescue Media build into the Rescue Media itself. That allows te Rescue environment to auto-unlock them, which makes it easier to use features like RDR and BitLocker Live Restore. So just because your drive is unlocked there does not mean it is unencrypted. In fact, the manage-bde command you ran clearly indicates the opposite; it says that the partition is encrypted but is currently unlocked. Although I suppose at the very least, that test does mean you have a fallback method of accessing the contents of that drive, and actually if you know your way around Command Prompt, you could copy the stored Recovery Key text file from the Rescue environment somewhere else.
As for AOMEI, did you capture that large image from within Windows? If not and you instead used their equivalent of Rescue Media, then , that would mean it's capturing a sector-by-sector image even while the partition is unlocked. That suggests they're reading the disk at quite a low level, but it also seems inconvenient, since it will dramatically inflate the size of your images, because not only will it have to capture every sector in the partition space, including free space, but it won't be able to use compression because encrypted data doesn't compress. And of course it also means much longer backup and restore times. Lastly, it means that AOMEI didn't use VSS, which definitely wouldn't be ideal for some people's use cases. If you did not capture that AOMEI image from within Windows and instead used something like their equivalent of Rescue Media, then a non-VSS, sector-by-sector image is normal behavior for a BitLocker partition that is currently locked, and Reflect would have done the same thing in that situation if it hadn't had a Recovery Key available to unlock it.
Thanks. Great post.
A clean install of Win 10 would fix any lingering concerns. I have a Dell XPS and did a clean install recently and I am still shocked at how quickly applications open and process. I did this with an 1803 ISO from MS and all of my drivers were picked up cleanly and all the junck Dell stuff is gone of course. I have a data drive Bitlockered it works fine. I have to remember to open it when doing a Macrium operation.
I noticed on a Win 10/pro pc recently a very sluggish boot-up, taking ages to start properly working with long delays in explorer or initial network connections. I tried to roll-back via Image for Windows to a set-up a month ago, hoping this would solve the issue but I was hardly back in business that windows forced all the updates through again. Since I am not sure really what the issue is, I tempted to do a complete reinstall. Based on the above post I looked for where to download the ISO file and found this link: https://www.lifewire.com/download-windows-10-2626215
Just wonder will MS pickup the license automatically or will I have to use any phone activation process. I am not sure and would have to check but I think this is a Dell that was upgraded from Win 7 to Win 10 during the free upgrade process.
The 1809 ISO is not available at present...
Your computer hardware has been "fingerprinted". As soon as Win10 is installed it will be activated automatically.
That page has a link to the direct download page from Microsoft, which is here.
For the license, I've never gotten Windows 10 to display a phone activation option anymore, for what it's worth. But in terms of reactivating, if you have a Windows 10 key embedded in your motherboard and you're installing the same edition (Home vs. Pro), it will get picked up automatically -- although this practice was more common with Win8 than Win10. If your PC was activated with a digital license, which is how Win7 to Win10 upgrades were activated and how most PCs that ship with Win10 are activated, then your new installation will automatically activate when it connects to the Internet because Microsoft will recognize its "fingerprint" from its original activation -- unless of course you've changed a bunch of hardware. Or if your PC was activated with a digital license AND you previously linked your user logon with your Microsoft account, then your Windows license would also be associated with your Microsoft account, in which case it will activate once you relink your Microsoft account. That method works even if your hardware has changed significantly, although I don't know if licenses that were originally OEM can be moved to entirely different PCs that way.
If you go to Settings > Update & Security > Activation, you can see what kind of license you have.
Brian and Jphughan - thanks for the info - I will check the relevant pc next time I am in that office. As to the version I am not sure if it has moved to 1809 or is still on 1803 - just noticed that the last time I used an older image, I did not get time to do anything before the auto-update kicked in, even though I had set it to defer updates. Just wanted to figure out how to do a clean install if necessary using the last official version.
What files are needed to run Macrium Reflect from a custom WinPE?
For example Image for Widnows can be run by just grabbing imagew.exe, imagew64.exe and ifw.ini and putting them into a folder.
Not sure, but it's more than just a few files because it supports adding Microsoft-provided but non-standard WinPE packages, such as support for BitLocker, iSCSI, and soon WiFi. And in addition to the files under \Program Files\Reflect, it has a Drivers folder at the root and a Reflect.cfg file under a different root folder, I think \Boot. However, Reflect's Rescue Media wizard allows you to feed it a custom WIM to use as its starting point, so you could store a copy of your original custom WIM as a baseline, have Reflect modify it, and see what changed.
With my reinstall the Windows 10 home product was automatically activated. I had to go into the Store app and "Install" the pro version. There was no cost involved with the store but it took a call to Microsoft to figure out how to get it done. The activation process was very good once the Store involvement was understood. Note, my call to Microsoft did not involve the activation, it was to understand how to get it done using the store.
On the Dell laptop I did not link my Windows user account to my Microsoft account. I am using a Local Account only.
I have done a number of BIOS updates on this machine (presumably Spectre mitigations), but these have not caused any lockout, so far. Thankfully.
I captured that image within Windows, via a scheduled task - did not use Rescue Media.
No idea how or where to find that Recovery Key. Why does Dell have to force this complicated issue onto a Home user? .
I have no appetite for going through the hoops of contacting their support, or doing a clean install.
If it hadn't been for AOMEI's large images, I would probably never even have noticed or come to the realisation that the partition was encrypted.
Should I try going through the sequence of commands mentioned here?: http://users.isr.ist.utl.pt/~mbayat/hacks/how-to-remove-bitlocker-encryption-in-windows-10/
I wouldn't want to mess anything up. Because I currently have no issues, I am inclined to leave everything as is.
First prize would be to find the Recovery Key ...
Edit: Under Settings, Updates & Security, and below the Windows Insider entry, I have found a 'Device encryption' setting, with an option to 'Turn off'. Is it safe to do this? Will I need the Recovery Key? If it is OK, I suppose I would make new images?
This is what I see ...
It is safe but you have a backup just in case. I didn't need a recovery key.
I do have backups on an external drive, but hopefully these are not encrypted?!
Ok, a bit of clarity here. If your system had BitLocker fully enabled, which it doesn't given the screenshot you attached, then to get the Recovery Key, from that point you would click BitLocker settings, and then in the window that pops up, click "Back up your recovery key". Or you could use an elevated Command Prompt and enter "manage-bde -protectors -get C:", then look for the protector called "Numerical Password". The 48-digit password would be your Recovery Key. But that would be fruitless on your system at this stage. Read on.
So what's going on? According to this KB article from Dell about this, BitLocker is enabled from the factory, but it's not activated until a user links their MS account. Thanks to this thread I just checked my wife's XPS 13 9350 running Win10 Home and no linked MS account, and her system shows the same state that your screenshot does. Doing further digging on her system, from a technical standpoint it appears that at this stage, the data is already encrypted, but since there are no key protectors, BitLocker is essentially permanently "suspended", i.e. the info necessary to decrypt is on the drive in the clear, so it behaves as an unencrypted partition for any environment that knows how to mount BitLockered NTFS partitions. That's why "manage-bde -status" indicates that the partition is 100% encrypted but also says "Protection Status: Off", and getting the protectors returns nothing. I was also just able to enable BitLocker on this system without using an MS account by using manage-bde to create TPM and RecoveryPassword protectors and turn it on. Interesting. And now the Protection Status says "On".
But if you want to completely disable BitLocker rather than "activate" it or leave it in this "staged" state, you can absolutely do that -- no need for a Recovery Key and no worries about any other issues. As for creating new images, keep reading.
It sounds like the AOMEI backups would be encrypted (although they would have backed up a suspended BitLocker partition), but for Reflect, as long as the backups were captured while the partition was unlocked, e.g. from within Windows, the backups would not be encrypted. You can verify this by test mounting your image if you want extra assurance. And if the Reflect images aren't encrypted, you wouldn't need to capture new images if you choose to disable the encryption, since Reflect has been "seeing" the drive as unencrypted all along.
Thanks @jphughan. I really appreciate your detailed investigation, and explanation ... how fortunate your wife had a similar Dell XPS with Win10 Home! A strange approach Dell has here.
I am inclined to just leave it as is, but the advantage of turning it 'off' is probably that AOMEI would then not do sector-by-sector copies. Will think about it.
Interestingly, their support said they would 'optimize the problem in the future', on pointing out that Reflect and IFW did not do this.
Good to know. I suppose then if I run into any issue with 'Turn off' I am covered.
I think I read somewhere and if I understood correctly (unlikely), that it may be set 'on' again due a setting in the BIOS, in the event of a clean install.
But that is another whole can of worms, beyond my pay grade, and I am not going to concern myself with that now.
Once again, thanks.
You're very welcome. Yes, fully disabling BitLocker would benefit AOMEI, although again I don't understand why they'd use their current approach even on drives that had BitLocker fully enabled. The drawbacks to capturing the raw encrypted data even when the partition is unlocked are significant. Turning BitLocker off really won't cause a problem, although your drive will have to go through and decrypt all of the data, but that can be interrupted by restart, shutdown, etc. if needed.
In terms of it getting re-enabled, that wouldn't be the result of a BIOS setting, but it could be the result of Windows. The part that's still unclear to me is whether this Win10 Home "device encryption" feature is simply available but completely disabled on a bog standard Win10 Home install and Dell switches that to a "prepped" state as part of their own routine, or if Win10 Home itself would enter this "prepped" state when installed on systems that met its hardware requirements. I'm guessing it's the former, but I haven't verified.
Apologies to all if my posts were a bit off topic to Reflect, and unique to this Dell / BitLocker setup. But the assistance I received is where this forum comes into it's own.
For those who haven't checked lately, the Reflect 7.2 Beta KB page is getting updated as new features are added to the beta builds. There's some pretty useful new functionality on the horizon. https://knowledgebase.macrium.com/display/KNOW7/New in Macrium Reflect 7.2
I have a few questions on restoring images in a BitLocker system using Macrium. I haven't done these tests with Macrium.
An image is created of the Win10 partition using VSS. Boot media is used to restore the image to the Win10 partition. I assume BitLocker is ON when the restored OS boots and re-encryption isn't needed?
An image is created of the Win10 partition using the Boot Media. An offline image. Boot media is used to restore the image to the Win10 partition. Is BitLocker ON when the restored OS boots? Is re-encryption needed?
An Entire Disk image is created using VSS. Boot media is used to restore the image to the same disk. Is BitLocker ON when the restored OS boots? Is re-encryption needed?
Neither VSS nor the "capture environment" come into play here, at least not directly. What matters is whether the source was unlocked at the time of capture and also whether the target is unlocked at the time of restore and is the same partition "instance" as the original source. Macrium has this KB article that (hopefully) clarifies how this all works. I like the fact that Reflect will always warn you if you're about to restore a partition that had BitLocker in a way that would leave the data unencrypted. Especially before the "BitLocker Live Restore" capability existed, the fact that OS partitions default to just using a TPM protector, which doesn't require the user to enter a password to boot, meant that users could end up restoring their OS partition in a way that removed BitLocker without realizing it.
Hey. Thanks for this link. Always try to read into the forums there but at the same time not enough. Want to definitely see what's being added and how it might be beneficial on this end. MR just wrapped up a couple of perfect 8.1 restores for replacing where 10 was being planned and things run like a brand new install again.
Hi! anyone know when MR 7.2 final is going to be released? any ETA? thanks!