Windows 10 Recovery Environment Bitlocker
This tutorial contains instructions on how to disable BitLocker protection and decrypt a BitLocker-encrypted drive in the Windows Recovery Environment. The instructions are useful if your computer is BitLocker-protected, does not accept the BitLocker recovery key or the BitLocker password at system startup, and you cannot unlock the BitLocker-protected drive.
When looking into this, I found out that this was caused by the fact that the setup program of Windows 10 Version 1803 did not set up the Windows Recovery Environment properly. To be more specific, with 499MB, the partition created by the setup program was simply too small to fit the current version of Windows Recovery Environment.
BitLocker is an encryption feature built into computers running Windows 10 Pro; if you're running Windows 10 Home you will not be able to use BitLocker. BitLocker creates a secure environment for your data while requiring zero extra effort on your part. In fact, once it's set up, you might even forget that it's there and working!
“Will the Windows Recovery Environment still be present on my Operating System Drive, or will I have to use my Windows 7 DVD to access it?” If you have applied BitLocker on the hard disk, then you will be able to access the Windows Recovery Environment using the Windows 7 installation disk, from where we can only access Memory diagnostic.
Apr 04, 2018: Notice the following differences between the status command in Windows and from the Windows 10 Recovery Environment:
- In Windows: reports that BitLocker is Off and that C: is the OS volume.
- In Windows RE: reports that BitLocker is On and that C: is a Data volume.
From there, I issued a manage-bde -off c: command and it completed successfully.
How to Remove BitLocker Protection & Decrypt BitLocker Encrypted Drive in Windows Recovery Environment (WinRE).
Requirements:
A. A Windows 10 installation media (USB or DVD). If you don't own a Windows installation media, you can create one by using Microsoft's Media Creation tool.
B. The BitLocker recovery key or the BitLocker password: to turn off BitLocker protection, you must have the BitLocker password or the BitLocker recovery key, in order to first unlock the drive and then decrypt it. *
* Note: If you don't have the BitLocker recovery key, there is no way to bypass the BitLocker protection. If a disk is BitLocker protected and you don't have the BitLocker Recovery Key or the password to unlock the drive, then the only option you have (in order to use the drive again), is to fully erase the drive by using the instructions in this article: How to Remove BitLocker Protection from a Drive Without the BitLocker Recovery key or Password.
The BitLocker recovery key is a 48-digit number and can be found at the following locations:
- On a printout you saved when you enabled BitLocker.
- On a USB drive you used during BitLocker activation to save the BitLocker recovery key.
- At the Microsoft Account Recovery Keys, by using the MS account you use to log in to your device, or that you have added to the device in order to download apps from Microsoft Store, to activate MS Office, or for email.
- On your Azure account, for work PCs that log in with an Azure Active Directory account.
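A format check for a recovery key before it is typed at the WinRE prompt, as an added example that is not part of the original tutorial. It uses the property that each 6-digit group of a BitLocker recovery password is a multiple of 11 whose quotient fits in 16 bits, so a mistyped group can be pinpointed; the function names and the sample keys are constructed for illustration.

```python
import re

GROUP_COUNT = 8        # 8 groups x 6 digits = 48 digits
MAX_QUOTIENT = 0xFFFF  # each group divided by 11 must fit in 16 bits

# Constructed sample values, not real keys.
GOOD = "123453-234564-345675-456786-567897-678909-012342-700007"
TYPO = "123453-234564-346575-456786-567897-678909-012342-700007"  # group 3 swapped


def split_groups(text):
    """Split on hyphens/spaces; also accept 48 digits typed as one run."""
    tokens = [t for t in re.split(r"[\s-]+", text.strip()) if t]
    if len(tokens) == 1 and len(tokens[0]) == 48:
        run = tokens[0]
        tokens = [run[i:i + 6] for i in range(0, 48, 6)]
    return tokens


def check_recovery_password(text):
    """Return a list of format problems; an empty list means well-formed."""
    groups = split_groups(text)
    problems = []
    if len(groups) != GROUP_COUNT:
        problems.append(f"expected {GROUP_COUNT} groups, found {len(groups)}")
    for index, group in enumerate(groups, start=1):
        if not re.fullmatch(r"[0-9]{6}", group):
            problems.append(f"group {index} ({group}) is not exactly 6 digits")
        elif int(group) % 11 != 0:
            # Catches any single wrong digit or adjacent swap inside a group.
            problems.append(f"group {index} ({group}) is not a multiple of 11")
        elif int(group) // 11 > MAX_QUOTIENT:
            problems.append(f"group {index} ({group}) is out of range")
    return problems


def to_manage_bde_form(text):
    """Return the hyphenated form to pass to manage-bde -unlock ... -rp."""
    problems = check_recovery_password(text)
    if problems:
        raise ValueError("; ".join(problems))
    return "-".join(split_groups(text))


if __name__ == "__main__":
    for candidate in (GOOD, TYPO):
        print(candidate, "->", check_recovery_password(candidate) or "well-formed")
```

A key that passes is only well-formed; whether it belongs to the drive is decided by manage-bde -unlock itself.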
Once you find the BitLocker recovery key or the BitLocker password, proceed to unlock the BitLocker-encrypted drive and to remove the BitLocker encryption in WinRE, by following the instructions below.
To unlock and decrypt the operating system drive C: from the WinRE:
1. Boot your system from the Windows 10 installation media.
2. At the screen below, press the SHIFT + F10 keys to launch Command Prompt (or press Next > Repair My Computer > Troubleshoot > Command Prompt). *
* Note: If you are prompted for the recovery key, click Skip this drive.
3. At command prompt, type the following command to view the drive letter of the encrypted drive:
- manage-bde -status
4. Then proceed to unlock the encrypted drive by using the following command, according to your case:
Case A. If you know the BitLocker recovery key, give this command:
- manage-bde -unlock drive-letter: -rp BitLocker-recovery-key
* e.g.: If you want to unlock the drive 'D:' and the bitlocker recovery key is: '123456-123456-123456-123456-123456-123456' then type:
- manage-bde -unlock D: -rp 123456-123456-123456-123456-123456-123456
Case B. If you know the BitLocker password to unlock the drive, give this command:
- manage-bde -unlock drive-letter: -pw BitLocker-Password
* e.g.: If you want to unlock the drive 'D:' and the BitLocker password is: '123qwerty' then type:
- manage-bde -unlock D: -password 123qwerty
5. Then proceed to decrypt the drive and turn off the BitLocker protection with this command:
- manage-bde -off drive-letter:
* e.g.: If you want to decrypt the drive 'D:', type:
- manage-bde -off D:
6. The decryption process will start. To check the decryption status, type the following command again and ensure that the drive is Fully Decrypted and Unlocked:
- manage-bde -status
7. When you are done, remove the Windows installation media and restart the computer. *
* Note: If Windows cannot start, then attach the drive to another computer and backup your personal data to another media. Then diagnose the drive for problems and if it is OK, put the disk back on the computer and perform a clean Windows 10 installation.
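The check in step 6, applied to saved manage-bde -status output and reported per volume, as an added example that is not part of the original tutorial. It assumes English output; the sample text is constructed and abbreviated, and the function names are illustrative.

```python
import re

# Constructed, abbreviated sample in the layout of `manage-bde -status` output.
SAMPLE = """\
Volume C: [Data]
[Data Volume]
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Lock Status:          Locked

Volume D: [Windows]
[Data Volume]
    Conversion Status:    Decryption in Progress
    Percentage Encrypted: 41.2%
    Lock Status:          Unlocked

Volume E: [Backup]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Lock Status:          Unlocked
"""

def parse_status(text):
    """Map each drive letter to its 'Field: value' pairs."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Volume ([A-Za-z]):", line)
        if header:
            current = volumes.setdefault(header.group(1).upper(), {})
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    return volumes

def next_step(fields):
    """Place one volume in the tutorial's procedure (steps 4 to 7)."""
    status = fields.get("Conversion Status", "Unknown")
    if fields.get("Lock Status") != "Unlocked":
        return "locked: unlock it first (step 4)"
    if status == "Fully Decrypted":
        return "done: fully decrypted and unlocked (step 7)"
    if status == "Decryption in Progress":
        left = fields.get("Percentage Encrypted", "unknown")
        return f"wait: {left} still encrypted (step 6)"
    return "unlocked, still encrypted: decrypt it (step 5)"

def report(text):
    return {drive: next_step(f) for drive, f in parse_status(text).items()}
```

Drive letters in WinRE can differ from those in Windows, so match volumes by label and size rather than by letter when reading the report.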
Windows Recovery Environment (WinRE) is a recovery environment that can repair common causes of unbootable operating systems. WinRE is based on Windows Preinstallation Environment (Windows PE), and can be customized with additional drivers, languages, Windows PE Optional Components, and other troubleshooting and diagnostic tools. By default, WinRE is preloaded into the Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 installations.
What's new with WinRE for Windows 10?
- By default, if you install Windows using media created from Windows Imaging and Configuration Designer (ICD), you'll get a dedicated WinRE tools partition on both UEFI and BIOS-based devices, located immediately after the Windows partition. This allows Windows to replace and resize the partition as needed. (If you install Windows by using Windows Setup, you'll get the same partition layout that you did in Windows 8.1.)
- If you add a custom tool to the WinRE boot options menu, it can only use optional components that are already in the default WinRE tools. For example, if you have an app from Windows 8 that depended on the .NET optional components, you'll need to rewrite the app for Windows 10.
- If you add a custom tool to the WinRE boot options menu, it must be placed in the \Sources\Recovery\Tools folder so that it can continue to work after future WinRE upgrades.
- When adding languages to the push-button reset tools, you'll now need to add the WinPE-HTA optional component.
Tools
WinRE includes these tools:
- Automatic repair and other troubleshooting tools. For more info, see Windows RE Troubleshooting Features.
- Push-button reset (Windows 10 for desktop editions, Windows 8.1 and Windows 8 only). This tool enables your users to repair their own PCs quickly while preserving their data and important customizations, without having to back up data in advance. For more info, see Push-Button Reset Overview.
- System image recovery (Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012 only). This tool restores the entire hard drive. For more info, see Recover the Operating System or Full Server.
In addition, you can create your own custom recovery solution by using the Windows Imaging API, or by using the Deployment Image Servicing and Management (DISM) API.
Entry points into WinRE
Your users can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:
- From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
- In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
- Boot to recovery media.
- Use a hardware recovery button (or button combination) configured by the OEM.
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. If your users select a WinRE feature from this menu, the PC restarts into WinRE and the selected feature is launched.
WinRE starts automatically after detecting the following issues:
- Two consecutive failed attempts to start Windows.
- Two consecutive unexpected shutdowns that occur within two minutes of boot completion.
- Two consecutive system reboots within two minutes of boot completion.
- A Secure Boot error (except for issues related to Bootmgr.efi).
- A BitLocker error on touch-only devices.
Boot options menu
This menu enables your users to perform these actions:
- Start recovery, troubleshooting, and diagnostic tools.
- Boot from a device (UEFI only).
- Access the Firmware menu (UEFI only).
- Choose which operating system to boot, if multiple operating systems are installed on the PC.
Note
You can add one custom tool to the Boot options menu. Otherwise, these menus can't be further customized. For more info, see Add a Custom Tool to the Windows RE Boot Options Menu.
Security considerations
When working with WinRE, be aware of these security considerations:
- If users open the Boot options menu from Windows and select a WinRE tool, they must provide the user name and password of a local user account with administrator rights.
- By default, networking is disabled in WinRE. You can turn on networking when you need it. For better security, disable networking when you don't need connectivity.
Customizing WinRE
You can customize WinRE by adding packages (Windows PE Optional Components), languages, drivers, and custom diagnostic or troubleshooting tools. The base WinRE image includes these Windows PE Optional Components:
- Microsoft-Windows-Foundation-Package
- WinPE-EnhancedStorage
- WinPE-Rejuv
- WinPE-Scripting
- WinPE-SecureStartup
- WinPE-Setup
- WinPE-SRT
- WinPE-WDS-Tools
- WinPE-WMI
- WinPE-StorageWMI-Package (added to the base image in Windows 8.1 and Windows Server 2012 R2)
- WinPE-HTA (added to the base image in Windows 10)
Note: The number of packages, languages, and drivers is limited by the amount of memory available on the PC. For performance reasons, minimize the number of languages, drivers, and tools that you add to the image.
Hard drive partitions
When you install Windows by using Windows Setup, WinRE is configured like this:
1. During Windows Setup, Windows prepares the hard drive partitions to support WinRE.
2. Windows initially places the WinRE image file (winre.wim) in the Windows partition, in the \Windows\System32\Recovery folder.
3. Before delivering the PC to your customer, you can modify or replace the WinRE image file to include additional languages, drivers, or packages.
4. During the specialize configuration pass, the WinRE image file is copied into the recovery tools partition, so that the device can boot to the recovery tools even if there's a problem with the Windows partition.
When you deploy Windows by applying images, you must manually configure the hard drive partitions. When WinRE is installed on a hard drive, the partition must be formatted as NTFS.
- Add the baseline WinRE tools image (winre.wim) to a separate partition from the Windows and data partitions. This enables your users to use WinRE even if the Windows partition is encrypted with Windows BitLocker Drive Encryption. It also prevents your users from accidentally modifying or removing the WinRE tools.
- Store the recovery tools in a dedicated partition, directly after the Windows partition. This way, if future updates require a larger recovery partition, Windows will be able to handle it more efficiently by adjusting the Windows and recovery partition sizes, rather than having to create a new recovery partition size while the old one remains in place.
To learn more, see Configure UEFI/GPT-Based Hard Drive Partitions or Configure BIOS/MBR-Based Hard Drive Partitions.
Memory requirements
In order to boot Windows RE directly from memory (also known as RAM disk boot), a contiguous portion of physical memory (RAM) which can hold the entire Windows RE image (winre.wim) must be available. To optimize memory use, manufacturers should ensure that their firmware reserves memory locations either at the beginning or at the end of the physical memory address space.
Updating the on-disk Windows Recovery Environment
In Windows 10, the on-disk copy of Windows RE can be serviced as part of rollup updates for the OS. Not all rollup updates will service Windows RE.
Unlike the normal OS update process, updates for Windows RE do not directly service the on-disk Windows RE image (winre.wim). Instead, a newer version of the Windows RE image replaces the existing one, with the following contents being injected or migrated into the new image:
- Boot critical and input device drivers from the full OS environment are added to the new Windows RE image.
- Windows RE customizations under \Sources\Recovery of the mounted winre.wim are migrated to the new image.
The following contents from the existing Windows RE image are not migrated to the new image:
- Drivers which are in the existing Windows RE image but not in the full OS environment
- Windows PE optional components which are not part of the default Windows RE image
- Language packs for Windows PE and optional components
The Windows RE update process makes every effort to reuse the existing Windows RE partition without any modification. However, in some rare situations where the new Windows RE image (along with the migrated/injected contents) does not fit in the existing Windows RE partition, the update process will behave as follows:
- If the existing Windows RE partition is located immediately after the Windows partition, the Windows partition will be shrunk and space will be added to the Windows RE partition. The new Windows RE image will be installed onto the expanded Windows RE partition.
- If the existing Windows RE partition is not located immediately after the Windows partition, the Windows partition will be shrunk and a new Windows RE partition will be created. The new Windows RE image will be installed onto this new Windows RE partition. The existing Windows RE partition will be orphaned.
- If the existing Windows RE partition cannot be reused and the Windows partition cannot successfully be shrunk, the new Windows RE image will be installed onto the Windows partition. The existing Windows RE partition will be orphaned.
Important: To ensure that your customizations continue to work after Windows RE has been updated, they must not depend on functionalities provided by Windows PE optional components which are not in the default Windows RE image (e.g. WinPE-NetFX). To facilitate development of Windows RE customizations, the WinPE-HTA optional component has been added to the default Windows RE image in Windows 10.
Note: The new Windows RE image deployed as part of the rollup update contains language resources only for the system default language, even if the existing Windows RE image contains resources for multiple languages. On most PCs, the system default language is the language selected at the time of OOBE.
Known Issue
If the GPO 'Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Block Microsoft accounts' is set to enable the policy 'User can’t add or log with Microsoft account', attempting to restore the System in WinRE will fail with the error message 'You need to sign in as an administrator to continue, but there aren't any administrator accounts on this PC.'
This is a known issue and the workaround is to either avoid setting the 'Accounts: Block Microsoft accounts' to 'User can't add or log with Microsoft Account' or set the MDM policy Security/RecoveryEnvironmentAuthentication to 2.
See also
Content type | References |
---|---|
Deployment | Customize Windows RE; Deploy Windows RE |
Operations | |
Troubleshooting | |
Add-on tools | Add a Custom Tool to the Windows RE Boot Options Menu; Add a Hardware Recovery Button to Start Windows RE; Push-Button Reset Overview |