In this Article, I will show you how you can add Bitlocker Support to WinPE 10. After implementing this, you are able to manage Bitlocker using manage-bde command within WinPE.
Sometimes it is quite useful to be able to unlock a Bitlocker encrypted Drive within WinPE. This is necessary if the user is unable to boot the installed OS and has local Data on the encrypted Drive.
There are some other methods to get the local Data on the drive – for example, you can dismount the Harddisk and connect the encrypted Harddisk to another Computer using a USB – Cable. Then you are asked to provide the Bitlocker Recovery Key.
But sometimes this is not possible especially when a User is in a branch office where no IT Admin can help the User to dismount the Harddisk and plug it into another computer. Then this article would be helpful.
Optional but in most cases not necessary: You could extend this method to run a Script within WinPE to request the Bitlocker Recovery Key from your MBAM (Microsoft Bitlocker Administration and Monitoring) Server and unlock the Harddisk using a Web Service.
I think this is also a very good way, but I unlocking a Harddisk is normally not a daily task - so it is not necessary to automate it that high.
- Deployment Solution 8.5 (should also work with 8.0 and 8.1)
- Installed Network Boot Service (NBS)
- WinPE10 as a Preboot Environment (should also work with WinPE 4.0 and WinPE 5.x)
- On your SMP Server, create a Backup of a file called default.bdc. You can find this file in the folder <Install Drive >Program Files\Altiris\Deployment\BDC\bootwiz
- Edit the original default.bdc File using Notepad and add the following to Lines into the [PACKAGES] Section
Your file should look like this:
3. On your SMP Server, create a Backup of a file called WinPE10x64.ini. You can find this file in the folder:
<Install Drive >Program Files\Altiris \Deployment\BDC\bootwiz\Platforms
4. Edit the original WinPE10x64.ini File and scroll down to the Section [PACKAGE MAPPING] and add the following to Lines to the Section
Optional: The same steps need to be done for WinPE10x86.ini File if you want to add Bitlocker support for WinPEx86.
This will add the WinPE-Securestartup and the appropriate Languagepack. If you only add WINPE-SECURESTARTUP managing Bitocker with manage-bde.exe command will not work!!!
Curious why we are using YYY and ZZZ? Here is the explanation:
WINPE-SECURESTARTUP requires WINPE-WMI if you are trying to add WINPE-Securestartup before WINPE-WMI it will fail. So to make sure WINPE-WMI is already added to the WINPE Bootfile we have to use the alphabet to accomplish this. So (WINPE-)WMI will be added to the Bootfile before YYY and ZZZ (which are the short names for WINPE-Securestartup and WINPE-Securestartup_EN-US).
Manage-bde.exe command is included in the WINPE-Securestartup.cab File. You can find these Files on the SMP Server in a Folder called:
<Install Drive>\Program Files\Altiris\Deployment\BDC\waik_winpe10\Tools\PETools\amd64\WinPE_FPs
Go to the folder en-us and copy the File called: WINPE-Securestatup_EN-US.cab to D:\Program Files\Altiris\Deployment\BDC\waik_winpe10\Tools\PETools\amd64\WinPE_FPs
Take a look at the screenshot above.
After you have finished all the steps in this article, you can recreate your Preboot Environment within the SMP Console or create a new one for example with the name: WinPE10_with_Bitlocker_support. If you want, you can revert all the changes.
Make sure that if you recreate your Preboot Environemnt and you have reverted all the changes your Preboot Environment will not be able to support Bitlocker.
To enable logging for Bootwiz follow this link: https://www.symantec.com/docs/HOWTO84000
If something goes wrong, look at the Log (Dism.log)
The Dism Log is also very useful you can find it in: C:\windows\Logs\Dism\dism.log
What I wish from Symantec for the Future of the Product
Please allow a selection of packages when you are creating a new Preboot Environment like this is currently available when you manually run Bootwiz.exe
If you run Bootwiz manually, you will see a list of additional Components to install.
When creating new Preboot Environments allow the selection of possible WinPE Add-ons – this is far easier then modifying *.ini Files!!!