
Bitlocker/OneDrive

Regular Poster
Posts: 22
Comments: 196

Hello everyone,

Can ATI 2019 now cope with W10 version 1809 when the system is encrypted with BitLocker?
More precisely: can I restore a system image if it was created from the encrypted system?

And can the current version once again back up files that are stored locally and synchronised with OneDrive?

Best regards,
wisch

Legend
Posts: 113
Comments: 31105

Hello everybody, 
 
can ATI 2019 now handle version W10 1809 if the system is encrypted with Bitlocker? 
Specifically: Can I restore a system image if it was created by the encrypted system? 
 
And can the current version back up files that are local and synchronized with OneDrive?

Wisch, all recent versions of ATI are compatible with both Windows 10 and BitLocker, and this applies equally to ATI 2019 working with Windows 10 build 1809.

Please see KB 56619: Acronis True Image: Kompatibilität mit BitLocker

Any backup made by ATI from Windows with BitLocker enabled will not be BitLocker encrypted for the Acronis image archive .tib file, so you should use the encryption option provided by ATI in the Advanced Options tab.

If you want to recover a backup image to an existing BitLocker encrypted drive using the Acronis Rescue Media, then you will need to use the MVP Custom ATIPE Builder tool which can inject BitLocker support into the rescue media.  When using the rescue media, you would still need to unlock BitLocker from the media before you can proceed - instructions are provided with the tool on how to do this.  I have used this to make backups to a BitLocker protected external drive using the boot media.

Regular Poster
Posts: 22
Comments: 196

Hi Steve,

I'm not sure I got it right. Do you need to decrypt a system drive encrypted with Bitlocker before backing it up?

And if no, can you make a restore to an encrypted system that is corrupt?

Best regards,
Swisch

Legend
Posts: 113
Comments: 31105

Swisch, if you create the backup from Windows using ATI, then BitLocker is unlocked and ATI is able to access all data on the drive for the backup image without needing to decrypt the drive.  The backup image that you create in this way is not encrypted by BitLocker, so you would need to re-enable BitLocker encryption if you recover the backup image to a new drive or the same drive.

The first action of any disk recovery or restore is to wipe the target disk drive, so any corrupt drive would be wiped in this action to allow the recovery to be performed.

Regular Poster
Posts: 22
Comments: 196

Ok, thank you Steve!

One more question: Has this only been the case since this year?

Best regards,

wisch

Legend
Posts: 113
Comments: 31105

No, this has been this way for many versions of ATI as shown in the KB document.

Regular Poster
Posts: 22
Comments: 196

Hi Steve

I have just bought and installed the 2019 version.
What do you need to enter in server settings for notifications?

Best regards,
wisch

Legend
Posts: 113
Comments: 31105

wisch, please see KB 59265: Acronis True Image: how to set up email notifications about backup status - which should help you with setting up notifications.

Regular Poster
Posts: 22
Comments: 196

Hi Steve

 

Many thanks :-)
wisch

 

Regular Poster
Posts: 22
Comments: 196

Hi Steve,

One more thing: Would you have provided me with a guide to an emergency medium with MVP_ATIPEBuilder_v182_signed?

Edit: I mainly need the graphics driver and the function for the bitlocker.

Best regards,
wisch

Legend
Posts: 113
Comments: 31105

With the MVP Custom tool, you should be able to just extract this to the root of a drive, then run the main .exe as Administrator and follow the prompts within the tool script.

For your graphics driver, take the option to inject drivers from your computer (assuming it is the same one) and then later, take the option to include BitLocker support.

If you want to unlock BitLocker from the rescue media, then you should create a small batch file and store this on the rescue media along with an exported copy of your BitLocker key in a text file.

BitLockerUnlock.bat

rem Unlock BitLocker protected drive from WinPE
manage-bde -unlock d: -rk BitLockerRecoveryKey.txt

The BitLocker key should be in the BitLockerRecoveryKey.txt file.

Regular Poster
Posts: 22
Comments: 196

Hi Steve,

So, I downloaded Dell's graphics driver. You have the choice of either installing or unpacking. I have unpacked it and copied the many files into the folder:

ATI_PE_BUILDER-20181218T140016Z-001\ATI_PE_BUILDER\Advanced\MVP_ATIPEBuilder_v182_signed\MVP_ATIPEBuilder_v182\Drivers_Custom\x64\Graphics

But in the batch file, you could pick the screen resolution. However, I do not know whether this was possible thanks to the inserted drivers.

So, now I'm recreating the boot medium with the bitlocker key.

Best regards,
wisch

Regular Poster
Posts: 22
Comments: 196

Hi Steve

It is very late by now and I am afraid that I am now rude to you.
We can continue tomorrow if it's too late for you.

So, I copied the batch file and text file to the boot medium and then booted it.
First, I started the batch file. Unfortunately, I get an error message, see photo.

Best regards,
wisch

Attachment Size
483395-161751.jpeg 1.31 MB
Legend
Posts: 113
Comments: 31105

wisch, you may need to adjust the batch file command to point to the drive letter being used by your encrypted drive if this is not using d: as used in the example command.

manage-bde -unlock d: -rk BitLockerRecoveryKey.txt

Help text for the manage-bde command.

C:\WINDOWS\system32>manage-bde /?
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde[.exe] -parameter [arguments]

Description:
    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status     Provides information about BitLocker-capable volumes.
    -on         Encrypts the volume and turns BitLocker protection on.
    -off        Decrypts the volume and turns BitLocker protection off.
    -pause      Pauses encryption, decryption, or free space wipe.
    -resume     Resumes encryption, decryption, or free space wipe.
    -lock       Prevents access to BitLocker-encrypted data.
    -unlock     Allows access to BitLocker-encrypted data.
    -autounlock Manages automatic unlocking of data volumes.
    -protectors Manages protection methods for the encryption key.
    -SetIdentifier or -si
                Configures the identification field for a volume.
    -ForceRecovery or -fr
                Forces a BitLocker-protected OS to recover on restarts.
    -changepassword
                Modifies password for a data volume.
    -changepin  Modifies PIN for a volume.
    -changekey  Modifies startup key for a volume.
    -KeyPackage or -kp
                Generates a key package for a volume.
    -upgrade    Upgrades the BitLocker version.
    -WipeFreeSpace or -w
                Wipes the free space on the volume.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1...7A62067A512.bek
Regular Poster
Posts: 22
Comments: 196

Hi Steve

All wonderful, the screen resolution is also right.
But I don't find my system partition, even in the Explorer, see photo.

Best regards,
wisch

Attachment Size
483397-161752.jpeg 1.34 MB
Legend
Posts: 113
Comments: 31105

wisch, what type of drive is used for your system partition and what connection type?

If the drive is perhaps NVMe M.2 SSD that is using RAID, then you would need to add this to the rescue media too via the option to inject custom drivers such as the Intel RST for RAID.

This is assuming that you have been successful in using manage-bde to unlock the BitLocker encryption for the drive?

Regular Poster
Posts: 22
Comments: 196

Hi Steve

I'm going to sleep now. I'm tired, although the MVP tool is excellent! When does the batch file need to run, before or after booting with the boot medium?

Yes, it is an NVMe M.2 SSD and in the bios is set raid on (original on Dell), but no raid configured.

Can we go on tomorrow and would you be ready for it?

Good night and sleep well,

wisch

Legend
Posts: 113
Comments: 31105

When does the batch file need to run, before or after booting with the boot medium?

Yes, it is an NVMe M.2 SSD and in the bios is set raid on (original on Dell), but no raid configured.

The batch file is run after booting to the WinPE environment.

NVMe M.2 SSD drives use RAID for better performance, so you need to have the Intel RST drivers injected into the MVP rescue media.  This is RAID with a single drive, so not a RAID array.

Getting late here in the UK too but will be the afternoon tomorrow before I am back as have things to do in the morning.

Regular Poster
Posts: 22
Comments: 196

I copied these drivers (see photo file-25) in (see photo file-26).
Unfortunately, I still can't see my system partition. Am I doing something wrong?

Until this afternoon.

Attachment Size
483422-161758.jpeg 1.03 MB
483422-161761.jpeg 1.46 MB
Regular Poster
Posts: 22
Comments: 196

Correction:
I took the drivers from the Dell Driver Cab and also the network drivers.
And that looks like now, see photos
Still, the stream file doesn't work, but I can now see drive and D.

Edit: I meant batchfile, sorry.

Attachment Size
483429-161787.jpeg 963.06 KB
483429-161790.jpeg 920.67 KB
Legend
Posts: 113
Comments: 31105

wisch, I only see .sys files for your drivers in the images, but no .inf files that are also needed?

You may be better to use the option to include drivers from your computer when you see the prompt as below on running the MVP tool.

::=============================================================::
::  Would you like to inject drivers from THIS Windows system  ::
::                  into your Acronis WinPE?                   ::
::                                                             ::
::   You should select "Yes" if you plan to specify a screen   ::
::     resolution later in this script and have a dedicated    ::
::                 NVIDIA or AMD graphics card.                ::
::                                                             ::
::  You should select "Yes" if you were previously presented   ::
:: with the option to include WiFi support and chose to do so. ::
::                                                             ::
:: This process may take some time the first run since it must ::
::   initially scan the system and extract the local drivers.  ::
:: After that, if building custom Acronis WinPE from the same  ::
::     PC, the extracted drivers will already be saved and     ::
::             available for the injection process.            ::
::                                                             ::
::=============================================================::
::                                                             ::
:: [1.] Yes                                                    ::
:: [2.] No                                                     ::
::                                                             ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
1
Regular Poster
Posts: 22
Comments: 196

We have overused ourselves

Edit: That's how I did it!

Edit 2: Should be our say we have crossed paths. Please excuse my bad English

Regular Poster
Posts: 22
Comments: 196

Hi Steve,

I gave it my all and am now exhausted and frustrated :-(
I have recreated the boot medium at least 10 times.
I got the raid drivers from Dell and integrated them.
I tried the batch file in all sorts of variants, always to no avail.
I couldn't access C!

That's why I disabled the bitlocker and then everything went quite normally and I could see the partitions and access them. This means that the right drivers are implemented (?).

Something is not playing along!

What else can I do?

Best regards,
wisch

Legend
Posts: 113
Comments: 31105

wisch wrote:  That's why I disabled the bitlocker and then everything went quite normally and I could see the partitions and access them. This means that the right drivers are implemented (?).

Ok, so now you have a working USB Acronis rescue media stick that can see your NVMe drive and the remaining issue is to get it to be able to unlock the drive when BitLocker is enabled.

I would suggest testing the BitLocker issue by encrypting a spare USB external drive and get it working with that first from the USB rescue media, after which you should be able to adopt the same approach with your main OS drive encrypted too.

Regular Poster
Posts: 22
Comments: 196

Hi Steve

But I've already tried everything and I'm at a loss. I don't see any possibility at the moment.

Still, I'll try your proposal, maybe a solution will emerge in the process (?). But not again today, because I have to work in between :-).

Best regards and sleep well,
wisch

Legend
Posts: 113
Comments: 31105

wisch, I am just encrypting one of my external drives using BitLocker to be able to retest this with my own USB rescue media.  This will be using BitLocker To Go for external drives but worked for me previously.

Legend
Posts: 113
Comments: 31105

Ok, was able to test with BitLocker on my encrypted USB external drive from the WinPE boot media.

For some reason, BitLocker doesn't want to like using a recovery key file for me, so need to adopt a slightly different approach for the unlock batch file.

So the batch file now looks like below:

rem Unlock BitLocker protected drive from WinPE
manage-bde -unlock L: -rp 629178-******-******-******-******-******-******-355575

Where the long set of numbers are the recovery key copied from the file created from the BitLocker control panel for the encrypted drive to 'Backup your recovery key'.

When booted from the rescue media, you will first need to correctly identify the drive which is encrypted, which you can do by using another manage-bde command.

D:\>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [E-Backup]
[Data Volume]

    Size:                 147.03 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume L: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password
        External Key

Volume K: [Windows10old]
[Data Volume]

    Size:                 73.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

The above output from the -status command shows that my encrypted drive is L: so I was then able to unlock this after making sure that the batch file was set to point to drive L:

D:\>manage-bde -unlock L: -rp 629178-******-******-******-******-******-******-355575
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

The password successfully unlocked volume L:.

D:\>manage-bde -status L:
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume L: [Toshiba]
[Data Volume]

    Size:                 184.17 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password
        External Key

A new status check now shows the correct BitLocker encryption status for drive L:

Note: You can check these commands from Windows by opening an Administrator level command prompt and running them, but to unlock or lock the drive, you first need to turn off auto-unlock in the control panel.

Regular Poster
Posts: 22
Comments: 196

Hi Steve

I think we are approaching the solution!

My external hard drive with 2 TB and USB 3.0 is still encrypting. It goes agonisingly slow. That's why I can't test at the moment.

But a question before:
Don't you have to specify the path to the Recovery Key, nor do you have to specify an extension?

The way you've done it now, I haven't tried yet. But otherwise in all sorts of variations. One of the proposals mentions * .bek and in your earlier proposal * .txt.

What exactly needs to be in addition to the batch file on the boot medium?

Edit: I've just got a snip attached by the power shell.

 

Best regards,
wisch

Attachment Size
483512-161826.PNG 59.44 KB
Legend
Posts: 113
Comments: 31105

wisch, I have tried with many variations and the only way I could succeed was by using manage-bde -unlock L: -rp with the actual numeric key string.

Regular Poster
Posts: 22
Comments: 196

Hi Steve

Just come back from an event. The encryption of my external drive is always running and is now at 87%. Strangely slow!

Tomorrow I will try your suggestion. What does rp actually stand for, because this command is not listed at all? At least not on my W10 Pro for Workstation.
I attach a snip to you.

Best regards,

wisch

Attachment Size
483527-161828.PNG 164.44 KB
Legend
Posts: 113
Comments: 31105

Wisch, see below.

D:\>manage-bde -unlock /?
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde -unlock Volume
                    {[{-RecoveryPassword| -rp} NumericalPassword] |
                    [{-RecoveryKey|-rk} PathToExternalKeyFile]}
                    [{-Certificate|-cert} {-cf PathToCertificateFile|
                                           -ct CertificateThumbprint} {-pin}]
                    [{-Password|-pw}]
                    [{-ADAccountOrGroup|-sid} [{SID|domain\user|domain\group}]
                    [{-ComputerName|-cn} ComputerName]
                    [{-?|/?}] [{-Help|-h}]

Description:
    Allows access to BitLocker-encrypted data with a recovery password,
    recovery key, certificate, or password.

Parameter List:
    Volume      A drive letter followed by a colon, a volume GUID path or
                a mounted volume. Example: "C:",
                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
                "C:\MountVolume"
    -RecoveryPassword or -rp
                Provide a recovery password to unlock the volume.
    -RecoveryKey or -rk
                Provide an external key file to unlock the volume.
    -Certificate or -cert
                Query the local user certificate store for a BitLocker
                certificate to unlock the volume.
    -Password or -pw
                Prompt for a password to unlock the volume.
    -ADAccountOrGroup or -sid
                Attempt to unlock the volume using a SID-based Identity
                protector.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -unlock -?
    manage-bde -unlock e: -RecoveryPassword ...
    manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"
    manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"
    manage-bde -unlock e: -pw
    manage-bde -unlock e: -sid
Regular Poster
Posts: 22
Comments: 196

Hi Steve

Ok, ok, understood :-). Thank you very much!

Best regards,
wisch

Regular Poster
Posts: 22
Comments: 196

So, dear Steve

It worked with the external drive. Hallelujah:-):-):-).

Now I'm going to decrypt this drive and then encrypt my system drive again and try it with it.

By the way, your tool is really awesome when everything is set right.

Best regards,
wisch

Regular Poster
Posts: 22
Comments: 196

Dear Steve

Hurrah, it goes. You helped me a lot!!!
Thank you very, very much for your patience with me and for your perseverance.

In hindsight, everything is quite simple. But the road to get there was pretty arduous for me.

So, thank you again and all the love and good for the upcoming Christmas.

Have it good and best regards,
wisch

Legend
Posts: 113
Comments: 31105

wisch, that is good news to hear - well done for also persevering with getting this to work.

I have been playing some more on my own computer and have added Powershell support to my MVP rescue media and can use a PS script to unlock my BitLocker drive by typing in my password instead of storing the key on the media.  I would be happy to share with you if you want to have a go at doing the same?

Thank you for the Christmas wishes, I would return the same to you & your family, hoping that you have a wonderful and relaxing time at this joyful season.
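
The thread's working procedure (find the locked volume with manage-bde -status, then unlock it with -rp) combined with the idea of typing the secret at boot rather than keeping it on the rescue media, as an added example that is not Steve's script and not part of the MVP tool. It assumes PowerShell has been added to the WinPE media and that manage-bde prints English labels; the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell is present on the
# WinPE rescue media and that manage-bde output uses English labels.

function Get-LockedBdeVolume {
    # Returns the drive letters whose "Lock Status" line reads "Locked".
    param([string[]]$StatusLines)
    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+([A-Za-z]:)') {
            # Start of a new volume section, e.g. "Volume L: [Label Unknown]"
            $volume = $Matches[1].ToUpper()
        } elseif ($volume -and $line -match '^\s*Lock Status:\s+Locked\s*$') {
            $volume
        }
    }
}

function Test-RecoveryPassword {
    # A recovery password is 8 groups of 6 digits. Each group is a 16-bit
    # value multiplied by 11, so it must be divisible by 11 and below 720896.
    # Checking this first catches typos before manage-bde is called.
    param([string]$Password)
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in $Password.Split('-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

$locked = @(Get-LockedBdeVolume -StatusLines (& manage-bde.exe -status))
if ($locked.Count -eq 0) {
    Write-Host 'No locked BitLocker volumes found.'
    return
}

foreach ($vol in $locked) {
    # The recovery password is typed at the console, so no key file or
    # batch file containing it has to live on the rescue media.
    $rp = (Read-Host "Recovery password for $vol (48 digits, blank to skip)").Trim()
    if (-not $rp) { continue }
    if (-not (Test-RecoveryPassword $rp)) {
        Write-Warning "Not a well-formed recovery password; $vol left locked."
        continue
    }
    & manage-bde.exe -unlock $vol -rp $rp
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "manage-bde could not unlock $vol (exit code $LASTEXITCODE)."
    }
}
```

A rescue stick that carries the recovery password in a batch or text file unlocks the drive for anyone who holds the stick, which is why the prompt is used here.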

Regular Poster
Posts: 22
Comments: 196

Sorry, I forgot something else.

Creating a USB stick doesn't work. That's why I used the ISO file with the help of RUFUS.

Once again all good wishes for Christmas for you and your loved ones.

Best regards,
wisch