
BitLocker once again

Thread solved
Regular Poster
Posts: 21
Comments: 189

Hello everyone,

I have set up a new laptop and encrypted the NVMe drives with BitLocker.
Then I updated the USB stick that I built back then with Steve and Paul with the new keys accordingly.
But now I find that my drives are not recognized at all, see snip:

grafik 9

Do you have any idea about this?

Best regards,

Regular Poster
Posts: 21
Comments: 189

And the unlocker.dat looks like this:

rem Unlock BitLocker protected drive from WinPE

@Echo Off

manage-bde -status

pause

rem SET /P BLdrive=C:

rem manage-bde -unlock C: -pw

manage-bde -unlock C: -RecoveryPassword ####################################################

pause

manage-bde -unlock D: -RecoveryPassword ####################################################

pause

manage-bde -unlock O: -RecoveryPassword ######################

Forum Hero
Posts: 79
Comments: 7213

Hello wisch,

I would ask MVP Mustang.

Regular Poster
Posts: 21
Comments: 189

Hello Paul,
hello Steve,

do you have any ideas about this? On the running system this command works!

grafik 10

Best regards,
wisch

Forum Star
Posts: 55
Comments: 1948

If I read the PowerShell output properly, it says the drives are unlocked. What exactly is the problem? Can you read the drives with the A43 File Manager utility? I take it True Image doesn't see the backups on the Data drive.

Maybe the problem is related to the TPM. I've never tried True Image with BitLocker and a TPM enabled. I'll give it a try in the next few days and see what happens.   

Regular Poster
Posts: 21
Comments: 189

Hello Paul,

we had put together the WinPE-based Media Builder with Steve at the time. It was a bit of a hassle, but then it worked out.
Also at that time the Bitlocker was active with the TPM, but on a different laptop.

Forum Star
Posts: 55
Comments: 1948

I turned on BitLocker on a system with a TPM enabled. I wasn't even able to get the disk to unlock using manage-bde.exe and a Recovery Key in the recovery media. I'm sorry I won't be able to help you at all.

Regular Poster
Posts: 21
Comments: 189

But it has worked before. What has changed in the meantime that could be responsible for this?

Regular Poster
Posts: 21
Comments: 189

Ok, I have a new laptop with more recent hardware.

Forum Star
Posts: 55
Comments: 1948

I got it working.

When I enabled BitLocker I chose to unlock it with a PIN and chose to save the Recovery Key to a file. The file is a txt file and editing it shows a Recovery Key that looks like:

xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

When I booted the rescue media, I used a command window and entered:

manage-bde D: -unlock -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

This successfully unlocked the D: drive. ACPHO was then able to see the tib files on D: drive.
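
The recovery password format shown in this post (eight hyphen-separated groups of six digits) can be checked for typing errors before it goes into an unlock script. This is an added example, not part of the thread; `Test-RecoveryPassword` is a hypothetical helper name, the sample values are constructed, and the check relies on each group being a 16-bit value multiplied by 11.

```powershell
# Added example (not from the thread): check the shape of a BitLocker recovery
# password before it is pasted into an unlock script.
# Test-RecoveryPassword is a hypothetical helper name.
function Test-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)

    $problems = [System.Collections.Generic.List[string]]::new()
    $text = $Password.Trim()
    if ($text -notmatch '^\d{6}(-\d{6}){7}$') {
        $problems.Add('expected 8 groups of 6 digits separated by hyphens')
    }
    else {
        $i = 0
        foreach ($group in $text -split '-') {
            $i++
            $n = [int]$group
            # Each group encodes a 16-bit value multiplied by 11
            if ($n % 11 -ne 0) { $problems.Add("group $i ($group) is not a multiple of 11") }
            elseif ($n -ge 720896) { $problems.Add("group $i ($group) is out of range") }
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample values, not real recovery passwords
$samples = @(
    '000011-000022-000033-000044-000055-000066-000077-000088',  # well formed
    '000011000022000033000044000055000066000077000088',         # hyphens missing
    '000011-000022-000033-000044-000055-000066-000077-000089'   # typo in last group
)
foreach ($s in $samples) {
    $r = Test-RecoveryPassword -Password $s
    '{0}  valid={1}  {2}' -f $s, $r.Valid, ($r.Problems -join '; ')
}
```

A password that passes this check is only well formed; whether it belongs to a given volume is decided by manage-bde.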

Regular Poster
Posts: 21
Comments: 189

Hello Paul,

so the recovery key with respective hyphen?
I just returned from a trip and will look into it tomorrow.

Good night,
wisch

Regular Poster
Posts: 21
Comments: 189

So it doesn't work for me, compared to my previous laptop, and I don't know why.

Questions:
Are you using the TPM?
Do you need to install the ADK and SDK, or do you only need them to create the rescue stick?

Forum Star
Posts: 55
Comments: 1948

The TPM is enabled.

You don't need to install the ADK or SDK. I used WinRE.

I have questions for you:

1. Can you read the drive containing the backup files with the A43 File Manager after the drives are unlocked? 

2. What file system is used on the drive with the backup files? Is it NTFS or ReFS?

Regular Poster
Posts: 21
Comments: 189

Re point 1.
Unfortunately I can't open the drive with manage-bde -unlock C: -RecoveryPassword.......... I have tried with different settings. I always get error code 0x80070057.

Re point 2.
NTFS

Forum Star
Posts: 55
Comments: 1948

Error code 0x80070057 may indicate there isn't enough space in the EFI System partition for BitLocker to work with.

1. What is the size of your FAT32 EFI System partition?

2. How much free space is there in that partition?

My system has 100MB FAT32 EFI System partition with 70MB of free space. 

Another possibility is that the error has something to do with the BitLocker auto-unlock feature. It looks like your system is set to auto-unlock. I had BitLocker set to unlock at boot time using a PIN.

Regular Poster
Posts: 21
Comments: 189

grafik 11

 

Forum Star
Posts: 55
Comments: 1948

I would suggest you download and install the trial version of Macrium Reflect. Build a rescue media. You will see a checkbox to add BitLocker support. Also check the box to automatically unlock the drives. Now boot the media and see if the BitLocker drives are unlocked. You can use the file explorer icon in the lower left corner to read the drives.

Macrium Reflect will store the recovery password and recovery key in the media. You will see them at X:\ after you boot the media. The recovery password is in the .txt file. The recovery key is the .BEK file. You can copy out the .BEK file and include it in the root of your MVP Tool media. The .BEK file can be used to unlock the drives as follows:

manage-bde C: -unlock -RecoveryKey "G:\xxxxxxxxxxxxxx.BEK"

Where G: is the USB drive with the MVP Tool where you copied the .BEK file.

If none of that works, you have a problem with that laptop that I can't explain.

 

Regular Poster
Posts: 21
Comments: 189

I did so and copied the *.bek files to the MVP tool.
But unfortunately my drives are still not recognized 🤢 Too bad, because I was excited about your tool.

I think I will wait until W 11 and create another stick with your MVP tool.
If a "disaster" should occur in the meantime, I will delete my system partition, install Windows and then restore.
Is this an outlandish idea?

Edit:
I just started the rescue media from Macrium reflect again.
With manage.bde -status the data drive D: is shown, but not C:

My BIOS is set to Raid on, if that matters.

 

Forum Star
Posts: 55
Comments: 1948

Does the C: show in the Macrium GUI when you select the Backup tab? 

If you can see the C: in the Backup tab, it will tell you if it is locked or unlocked. When it is locked, you will see a label saying BitLocker locked. When it is unlocked, you will see an icon with a lock and key under the drive letter. When you hover the mouse over the icon, you will see a popup message saying BitLocker unlocked.

If you can't see the C: in the Backup tab, it means the RAID driver is wrong. Look at the Macrium rescue USB drive and you will see a folder named Drivers. Drill down and you should find the RAID driver. There could be a missing file. Open the inf file with notepad.exe and search for SourceDisksFiles. Under that heading you will see a list of all the needed files. Make sure they are all there. If any are missing copy them from your Windows system.

Once you have the Macrium media working to see the C: drive, replace the IRST folder in the Drivers_Custom\x64 folder of the MVP Tool with the RAID driver from the Macrium USB and rebuild the MVP Tool.

Regular Poster
Posts: 21
Comments: 189

C: is unfortunately not shown, only D:
And the drivers seem to be complete, don't they?

grafik 12

Edit: What do you think if I decrypt Bitlocker, clear TPM and re-encrypt Bitlocker?

Forum Star
Posts: 55
Comments: 1948

No, don't decrypt BitLocker, clear the TPM and re-encrypt BitLocker. That won't help at all.

It is certainly a driver issue. You can look at the log in the MVP Tool to see if the driver was successfully installed. Please check past logs to see if the IRST driver was successfully installed.

EDIT:

Your driver does look complete. If the MVP log shows the driver was successfully installed, you could try just decrypting BitLocker and then booting the MVP Tool to see if the drive shows up.

Regular Poster
Posts: 21
Comments: 189

I am not sure if I have understood correctly.
The snippets above are from Macrium.

Where should I make the change, Macrium or MVP Tool?

Forum Star
Posts: 55
Comments: 1948

I mean take the driver from the Macrium media and put it in the \Drivers_Custom\x64\IRST folder. Then build the MVP media and check the log to see if the driver was successfully installed.

Regular Poster
Posts: 21
Comments: 189

Good morning Paul

Do you happen to know what the RAID driver is called?

Forum Star
Posts: 55
Comments: 1948

The RAID driver is the one you showed in the screenshots above. The inf file is iaStorVD.inf.

 

Forum Star
Posts: 55
Comments: 1948

Gateway timeout problem.

 


Regular Poster
Posts: 21
Comments: 189

So that there is no misunderstanding:
In my screenshot you can see Macrium on the left and MVP Tool on the right.
I replaced the drivers and tried to create a new stick - aborted.
Then put the drivers back and tried to create a new stick - aborted.
I tried this several times with ADK and with WinRe, always aborts on system scan.

Then I tried it again with your v190. It also aborts during the system scan.

Do you have any idea about this?

Edit: Your MVP tool does not like my machine 😊

Forum Star
Posts: 55
Comments: 1948

Try setting the Windows system language to US-English.

Regular Poster
Posts: 21
Comments: 189

I have changed the language to US English. And now I am already one step further.
But here the script does not react on 1. and also not on 2.

grafik 13

But at the beginning I chose ADK

 

Forum Star
Posts: 55
Comments: 1948

Does the file exist at that exact location? Help me out here. I can't keep guessing as to what your system says. When the ADK installed with the system set to German, did it install with a different folder name?

Regular Poster
Posts: 21
Comments: 189

I decrypted my drives and reset the TPM to factory default to rule out that my problem is related.
And right now the rekey is running.

Here is another photo that may give a clue.

grafik 14

Forum Star
Posts: 55
Comments: 1948

You have too many problems going on at once. We need a more sensible plan.

1. The problems with the MVP media are all related to the German language issue. Let's forget about the MVP media for now.

2. Keep the system set to English and keep BitLocker disabled. You need a bootable recovery media that is able to see all your drives. Let's create an Acronis recovery media using the Simple method. This will produce a WinRE media. Make sure you add the RAID (iaStorVD) driver during the creation of the media. Boot it and see if all your drives are visible with BitLocker disabled. This will tell us the driver issues are solved.

3. Re-enable BitLocker. Then boot the Acronis recovery media and see if you can unlock the BitLocker drives. Then see if True Image can see all the drives.

4. If all the above is working, keep the system set to English. Then make an MVP media with the build from WinRE option. Boot it and try to unlock the BitLocker drives. Then see if True Image sees all the drives.

5. If 4. works, uninstall the ADK. Then re-install the ADK with the system set to English. Then try to make an MVP media with the build from ADK option. 

Regular Poster
Posts: 21
Comments: 189

Good morning Paul,

Before I get started, one more note.
My new laptop has very recent hardware.
For example, 4th generation NVMe.
Does that matter?

Regular Poster
Posts: 21
Comments: 189

Point 3 worked and I could see the drives with manage-bde -status.
And now the encryption is running.

Regular Poster
Posts: 21
Comments: 189

Point 4: OK.
I have tried it first with C:, because the encryption takes too long.

grafik 16
And now de- and reinstall ADK.

Regular Poster
Posts: 21
Comments: 189

I was able to create the USB stick with the MVP tool without any problems.
Only unfortunately I can not boot with it.

grafik 19

grafik 21

Now I'm going to vote, because today is the federal election in Germany.

Regular Poster
Posts: 21
Comments: 189

grafik 23

This is what it looks like after I copied the IRST folder and replaced the contents in the original RST with the raid driver from my system.

Forum Star
Posts: 55
Comments: 1948

Okay, good progress.

Did you try to boot the new MVP media in UEFI mode?

You need to find out where IntelTA.sys is coming from in your Windows system. Look in Device Manager under Storage controllers. Select each controller listed and look at Properties/Driver tab/Driver Details button. Find the IntelTA.sys. You may also need to look at SATA IDE/AHCI controllers under Device Manager.

When you find the device that used IntelTA.sys, click on the Details tab in Device Manager. Click the drop down arrow for the Properties box. Select inf name. Find the inf file in the Windows\inf folder. Open the inf file with notepad.exe and search for SourceDisksFiles. Copy down the list of files needed. Create a new folder in the MVP Drivers_Custom/x64 folder. Put the inf file and all the needed files in that folder. Rebuild the MVP media and try to boot it.
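
The check described in this post and in the earlier one about the Macrium Drivers folder (open the inf file, find SourceDisksFiles, confirm every listed file is present) can be scripted on the full Windows system before the media is rebuilt. This is an added example, not part of the thread or of the MVP Tool; the function names and the sample driver package are made up for illustration.

```powershell
# Added example (not from the thread): list the files an INF names under
# [SourceDisksFiles] and report which ones are missing from the driver folder.
function Get-InfSourceFile {
    param([Parameter(Mandatory)][string]$InfPath)
    $inSection = $false
    $names = foreach ($raw in Get-Content -LiteralPath $InfPath) {
        $line = ($raw -split ';', 2)[0].Trim()          # strip INF comments
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            # Also accept decorated sections such as [SourceDisksFiles.amd64]
            $inSection = $Matches[1].Trim() -match '^SourceDisksFiles(\.|$)'
            continue
        }
        # Entries look like: IntelTA.sys = 1,,
        if ($inSection -and $line -match '^"?([^=",]+?)"?\s*=') { $Matches[1].Trim() }
    }
    $names | Sort-Object -Unique
}

function Test-DriverFolder {
    param([Parameter(Mandatory)][string]$InfPath)
    $folder = Split-Path -Parent -Path (Resolve-Path -LiteralPath $InfPath).Path
    foreach ($name in Get-InfSourceFile -InfPath $InfPath) {
        # A file may live in a subdirectory of the package, so search recursively
        $hit = Get-ChildItem -LiteralPath $folder -Recurse -File -Filter $name |
            Select-Object -First 1
        [pscustomobject]@{ File = $name; Present = [bool]$hit }
    }
}

# Constructed sample package: the INF asks for two files, only one is on disk
$pkg = Join-Path ([IO.Path]::GetTempPath()) 'inf-check-demo'
New-Item -ItemType Directory -Path $pkg -Force | Out-Null
@'
[Version]
Signature = "$WINDOWS NT$"   ; constructed sample, not a real driver
[SourceDisksFiles]
example.sys = 1,,
example.dll = 1,,
'@ | Set-Content -LiteralPath (Join-Path $pkg 'example.inf')
Set-Content -LiteralPath (Join-Path $pkg 'example.sys') -Value 'placeholder'

Test-DriverFolder -InfPath (Join-Path $pkg 'example.inf') | Format-Table -AutoSize
```

Point `Test-DriverFolder` at the inf file inside the folder copied into Drivers_Custom\x64 to run the same check on a real driver package.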

Forum Star
Posts: 55
Comments: 1948

Did you by any chance select to install System Drivers when you built the MVP media? If you did, please build again and select No for adding System drivers.

Regular Poster
Posts: 21
Comments: 189

Hi Paul

I have not yet found out which device needs the IntelTA.sys driver.

But I created a new stick without adding the system drivers and was able to boot with it. But unfortunately the command manage.bde -status is not recognized.

 

Edit:
Do I still need English as a language in the system?
Because I always get confused because of special characters in my passwords.

Edit 2:
I have now found out where to find the driver in the device manager - my fingers glow 😒

Tigerlake Telemetry Aggregator Driver

grafik 26

 

 

 

Forum Star
Posts: 55
Comments: 1948

Okay, the system drivers caused the IntelTA.sys problem. It was not needed by any device.

Did you say yes during the build to the add BitLocker support question? This adds optional WinPE packages to the build to support BitLocker.

You will need to have the system set to English to build with the MVP Tool. You can go back to German after the build. Can't you set the system to English and add a German keyboard?

Regular Poster
Posts: 21
Comments: 189

grafik 27

It does not want 🤢

So, once again in order:

1. C: is encrypted with Bitlocker
2. ADK is english
3. system language is english
4. keyboard is german
5. i use the MVP Tool v190
6. i have replaced the original drivers in the IRST folder with my raid drivers
7. no system drivers added when creating the USB stick
8. set to english language
9. set Bitlocker to 1 (yes)

What else do you suggest? Should I add the system drivers and add the Intel(R) Tigerlake Telemetry Aggregator Driver?
 

[SourceDisksFiles]
IntelTA.sys = 1,,

If so, please be so kind and explain it to me a bit more. In the *inf file there is a corresponding section, as you mentioned above.

Forum Star
Posts: 55
Comments: 1948

Manage-bde is now recognized. Open the A43 File Manager and post a screenshot. Can you see the drives? If BitLocker is locked, the drives will show in A43 with a drive letter. When you select the drive it will not show any contents. After the drive is unlocked with manage-bde, the contents will show.

Regular Poster
Posts: 21
Comments: 189

Here you go, if I understood you correctly:

grafik 15

I hope you can get the information you want from it, is a bit weak.

Edit:

grafik 17

grafik 18

It's better that way

 

Regular Poster
Posts: 21
Comments: 189

This is how I created the Rescue Stick:

grafik 20

Forum Star
Posts: 55
Comments: 1948

That is what I needed to see. It is clear none of your drives are seen because the drivers for the storage controllers are not working! WinPE C: is the USB drive you are booting from. 

You need to go back to Device Manager and figure out what drivers the storage controllers are using and add them to the MVP build.

Regular Poster
Posts: 21
Comments: 189

I have now added the system drivers on a trial basis and created a new stick. We had this before.

grafik 22

I have identified the driver and the *.inf file. Could you please explain how I can add the driver to the MVP tool?
Does my thought process make any sense at all?

Forum Star
Posts: 55
Comments: 1948

No, don't add the IntelTA.inf driver. It makes more sense to delete it from the system drivers. Search the Drivers_Extracted folder for IntelTA.sys and IntelTA.inf. Just delete the service when you find it. You should also delete the Display folder. The new display drivers won't work in WinPE. 

Regular Poster
Posts: 21
Comments: 189

I deleted the drivers as you suggested and created a new rescue stick.
And with that I was able to boot, but unfortunately the drives are still not visible.

grafik 29

grafik 30

Forum Star
Posts: 55
Comments: 1948

So even adding the system drivers didn't get driver support for your disks.

Show me a screenshot of Device Manager with the Storage controllers section opened. I need to see the controllers.