I recently had the need to unlock a Bitlocker encrypted drive using Windows PE. The operating system would no longer boot following Windows Updates and asked for the Bitlocker recovery key. Great except that the recovery key was stored on another partition on the same phyical drive and since I couldn’t boot Windows and it wasnt a conventional drive I couldn’t take the drive out and attach to another machine. I had to find another way to recover the key. The steps I took were:-

  1. Create a USB bootable drive (8GB Corsair Voyager Mini in my case)
  2. Download Windows ADK (1709) from https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
  3. Run elevated “Deployment and Imaging Tools Environment”
  4. Run copype.cmd amd64 c:\winpe_amd64 (you can easily create 32-bit media by changing “amd64” for “x86”)
  5. dism /mount-wim /wimfile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:c:\winpe_amd64\mount
  6. dism /image:c:\winpe_amd64\mount /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab”
  7. dism /image:c:\winpe_amd64\mount /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab”
  8. dism /image:c:\winpe_amd64\mount /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab”
  9. Copy C:\Windows\System32\en-US\manage-bde.exe.mui to C:\winpe_amd64\mount\Windows\System32\en-US
  10. At this point I tested manage-bde.exe works by opening a command prompt and navigating to C:\winpe_amd64\mount\Windows\System32. I then ran manage-bde.exe. It should give you the help information.
  11. dism /unmount-Wim /mountdir:c:\winpe_amd64\mount /commit
  12. robocopy c:\winpe_amd64\media\*.* /e <drive letter for USB bootable media i.e. J:\>
  13. Insert USB into device and boot.
  14. Run manage-bde -unlock <drive to unlock i.e. c:> -recoverypassword <recovery key>

Further reading:-

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/copype-command-line-options

7 Replies to “Unlock Bitlocker Drive Encryption with Windows PE”

  1. Hi Howard, thank you very much for posting the step-by-step. I’m in a similar situation you described.. drives are all Bitlocker’ed and I need to repair a system partition.

    In your Step 12, I see only a path and options. Have you possibly left out the command to run? I’m currently stuck at this point.

    Thanks for your consideration.

  2. Going through this process, I start to get errors at step 7. I’m using ADK version 1709. DISM version 10.0.16299.15, and image version 10.0.16299.15. The error I get (Error: 3) is saying the SecureStartup.cab file is not accessible. I’m not sure why this is the case, as step 6 worked. Any thoughts on troubleshooting? Thanks for providing this guide.

    1. I’m sure you have this sorted by now but for future readers with same issue; Instruction 7 should be:

      dism /image:c:\winpe_amd64\mount /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab”

      The filepath in the instructions missed WINPE in filename.

    1. Hi, good spot. Yes its missing a robocopy. Essentially we are copying the contents to an already bootable USB drive. I’ve corrected the article.

  3. draft saved
    community wiki

    Just open the “Windows kits”/”Deployment and Imaging Tools Environment” Command prompt (Run as Admin)

    Create a BuildWinPE.CMD with the content below and run it. It will even create an ISO:

    @echo Copies winpe env to C:\WinPE_x64\

    @Pause

    copype.cmd amd64 C:\WinPE_x64

    @echo Mounts winpe to C:\WinPE_x64\mount

    @Pause

    Dism /Mount-Image /ImageFile:”C:\WinPE_x64\media\sources\boot.wim” /Index:1 /MountDir:”C:\WinPE_x64\mount”

    @echo Install WMI, .NET, Bitlocker & TPM support

    @Pause

    Dism /Image:”C:\WinPE_x64\mount” /Add-Package /PackagePath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab”

    Dism /Image:”C:\WinPE_x64\mount” /Add-Package /PackagePath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-NetFx.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-NetFx_en-us.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-FMAPI.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-EnhancedStorage_en-us.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab”

    Dism /Image:”C:\WinPE_x64\mount” /add-package /packagepath:”C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab”

    @echo Continue when done

    @Pause

    dism /unmount-wim /mountdir:”C:\WinPE_x64\MOUNT” /commit

    MakeWinPEMedia /ISO /f C:\WinPE_x64 C:\WinPE_x64\WinPE_USMToffline.iso

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.