Macrium Recovery Media / BitLocker 'Save to USB Flash' (bkf) option is missing


RickyMoose

Member
Member
Local time
9:31 PM
Posts
18
OS
W11 Pro
Hi All,


First time using bitlocker and TPM (forced on me by work :mad:).
I have 2 Questions for you guys.
Macrium = v8.1.8017

Q1: 'Save to USB Flash' (bkf) option is missing


I am having the same problem as described here:


when trying to export the bitlocker key for use in Macrium, there is no option to "Save to a USB flash drive"
The only options are save to text file, asure or print.

I also read the information at:


but there seems no way to export the file into a format that Macrium can use.

Is there a way to export this via PowerShell or some way to enable it in Windows 11?
OR is there another format that can be used by Macrium?

I also just spun up a new vm of W11 PRO 23h2 as a test and even in the vm the "save to USB" option is missing so is this no longer an option for Macrium?
If that is the case then why is auto unlock still an option in RMBuilder?





Q2: Mounting a bitlocker image

Even without the "auto unlock" working from Q1, I went ahead and did a backup anyway using the recovery media and all worked as expected, however my question relates to when I try to map the image via the image browser. There does not seem to be a way to look at my data in the image since I have never prompted for the Bitlocker Recovery key. I get an error message Drive XX is not formatted.


1716145510593.png

1716145658117.png


Is this not an option when you are dealing with encrypted drive images and wanting to mount the image on a 2nd computer to browse for a few files to restore - is a full disk restore the only option here to get at the files?



Thanks
 
Windows Build/Version
w11 PRO 23h2

My Computer

System One

  • OS
    W11 Pro
First, when creating your Macrium Reflect recovery media, note that the advanced options have an option to save your BitLocker recovery key to the rescue media so that Macrium can automatically unlock your drive. It can also preserve BitLocker when restoring an image if you select this option. Just be sure to save the recovery disk to a safe place because the BitLocker key can easily be retrieved from the recovery disk if it is stolen.


Image1.jpg

As for saving the key from your local system, I'm not sure why you can't save it to a USB Flash Drive (UFD), but here is an easy workaraound:

1) When saving the key, choose the option to print the key.
2) Use the "Microsoft Print to PDF" printer.

This will allow you to save the PDF anywhere. including your local desktop, a thumbdrive, etc. I mention your local desktop because BitLocker won't let you save the key there normally unless you print the key. The thinking is that saving the key to the very drive that you plan to encrypt is worthless since you won't be able to get to the desktop if you cannot unlock the drive.

Again, just make sure to save the key someplace safe that you can get to if needed.

TIP: I have a label on the underside of my laptop with an encrypted version of my key. This way it is always accessible to me but doesn't help anyone else who sees it.

Example: Suppose that I have a part of my key of 12345. In my head I have a code to encrypt this and that code is 56789. I add the numbers, like this:

12345
56789
=====
68024

So, 68024 is the number I put on the label. I can easily reverse the process in my head by subtracting like this:

68024
56789
=====
12345

NOTE: When adding numbers, if the result is 10 or higher, simply drop the first digit. When subtracting, after 0, wrap back to 9, 8, 7, etc.

I wrote a small program for myself that automates all of this and creates a text document that save this information. If interested, let me know and I'll provide a copy.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
Hey @hsehestedt ,

I should mention that the recovery of media was built on a different (non-bitlocker) machine and Macrium is not installed on the laptop at this time since it is a corporate machine and I plan to do cold backups until I/T can grant me rights to install it. For now I just wanted to be able to have some sort of a backup since I'm working remotely it would be difficult to re-image the box and I can just restore my own local backups as long as I can get all of this work reliably, but as I said Bitlocker is new to me so I'm having to learn as I go.


First, when creating your Macrium Reflect recovery media, note that the advanced options have an option to save your BitLocker recovery key to the rescue media so that Macrium can automatically unlock your drive.
I think what you are trying to say is that when you create media on a machine that has bitlocker and Macrium already installed that Macrium automatically injects the the recovery key onto the recovery media when those options are checked - Is that correct?

When I created the media on the second machine I did enable those two because I knew the target machine would be dealing with Bitlocker drives however not having used it before in this context I wasn't sure how bitlocker and Macrium work together and what the happy path for this process looks like.

I've searched youtube to see if I could find any videos that talk about backups that involve bitlocker with Macrium for a relevent example but came up empty.

Here are the settings I chose when making my backup media on the 2nd (non-bitlocker) machine:

1716155555427.png


As for exporting the key, I was able to save the text file and the PDF to the USB key with no issues so I had already figured out what you mentioned. For now I have a copy of the file on my cell phone so I have a recovery method that is not on the local machine. However if you've written something that does obfuscation then I wouldn't mind taking a look at it and maybe incorporating it into my workflow so thanks for the offer.

So the only thing I haven't figured out is how to export the key as a bkf per the Macrium kb article.
Since the save to USB doesn't work in a brand new vm I'm guessing that's either something that is deprecated but not updated in the kb article or there is something else you have to do in windows to enable that feature???


Also did you have any advice on trying to mount/read Individual files from the second machine on the Bitlocker Volume? Is that even possible when dealing with bitlocker or do you have to restore the whole drive just to get at a couple of files?



Thanks
 

My Computer

System One

  • OS
    W11 Pro
My BitLocker key is stored in 3 places.
1. My Microsoft Account.
2. My Password Manager in a Secure Note.
3. My OneDrive Personal Vault.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
Below is a part of my actual saved file with all my keys in scrambled form. Because it is encrypted, I am perfectly safe posting the actual file here. My program also generates a second file that is identical but adds the actual real key. So, this means that the one file I can safely keep tacked to my wall where anyone can see but the other needs to be keep in a safe place.

I use BitLocker a lot (as you can see), so I had to make sure that I had a plan to safely keep all my keys. For some reason, it's simply my preference to have local control of this kind of information.

---------------------------------------------------------------------------
Key saved on 02-28-2024 at 11:54:40
Comment: PyroPlex (MiniPC-AD03) OS Drive
Drive Identifier: 1F74D90C-1169-4DF2-94C6-AB8ADF928B1B
Scrambled Key: 379189-594489-723984-273762-459005-324912-750448-237737
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 02-28-2024 at 12:21:18
Comment: ThinkBook Laptop
Drive Identifier: A0AB96F6-A00D-47F2-B966-7C425D068A35
Scrambled Key: 776454-432624-252666-424969-214475-144381-530998-100919
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 02-28-2024 at 23:45:50
Comment: PyroNas (MiniPC-S1) OS Drive
Drive Identifier: 85646D0B-CBA8-4E6B-B52E-D7745535BA99
Scrambled Key: 360246-488316-397482-033775-151664-243920-480409-299458
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 02-29-2024 at 13:01:14
Comment: MiniPC-CK10
Drive Identifier: CA558D3C-AF7F-4AAB-A047-4618D97F66B9
Scrambled Key: 456684-005307-651054-483049-274358-299690-755994-072924
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 02-29-2024 at 17:08:47
Comment: MiniPC-AD08
Drive Identifier: 2134E914-D6F5-4302-AA36-F90A49A39E69
Scrambled Key: 288934-237881-148970-019059-493853-082603-662593-063309
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 03-04-2024 at 12:59:44
Comment: ASUS OS Drive
Drive Identifier: 205ED3F1-4C8B-499F-986E-835235C3ABF5
Scrambled Key: 670039-205507-797761-699100-700916-509944-337422-314892
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 03-04-2024 at 13:01:21
Comment: Spectre13 Laptop
Drive Identifier: B1AD1F7E-B1F8-467D-A7B2-35EEAF814EAC
Scrambled Key: 272796-452897-197162-440984-377527-251839-528909-015109
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 03-05-2024 at 00:13:25
Comment: CHUWI Tablet
Drive Identifier: E9E1F16B-5895-42C8-86B9-356CE6B63A6D
Scrambled Key: 139147-333107-821421-036350-676266-211513-207886-428138
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 03-07-2024 at 11:51:40
Comment: ASUS-Micro Laptop
Drive Identifier: 8E64AABA-E978-4C7B-9FC3-063D3B261359
Scrambled Key: 566750-161308-461490-135216-548490-487053-788905-521990
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 05-09-2024 at 21:50:22
Comment: Godzilla OS Drive
Drive Identifier: D8E384A7-D970-4C4B-A1CB-05F7553F28E5
Scrambled Key: 431922-243875-828210-683798-604701-442645-230566-420393
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Key saved on 05-09-2024 at 23:54:41
Comment: MiniPC-AD15
Drive Identifier: 93CA0E59-358C-4DCD-A5AC-219DD7160FB1
Scrambled Key: 111460-463030-535048-280725-543825-205937-751559-335550
---------------------------------------------------------------------------

On my other file, the information is identical but there are two added lines like this (I'm chaging the real key and my crypto key for the encryption to all ones):

---------------------------------------------------------------------------
Key saved on 02-28-2024 at 11:54:40
Comment: PyroPlex (MiniPC-AD03) OS Drive
Drive Identifier: 1F74D90C-1169-4DF2-94C6-AB8ADF928B1B
Original Key: 11111-11111-11111-11111-11111-11111-11111-11111
Scrambled Key: 379189-594489-723984-273762-459005-324912-750448-237737
Crypto Key: 11111111
---------------------------------------------------------------------------

I have a separate program that interrogates each machine that is powered on over the network and retrieves the keys for me, but now I need to add that to my other program so that it can automatically save all keys for me.
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
@hsehestedt, do you use BitLocker on your portable backup drives? I like doing that and it's really cool that my BitLocker Samsung portable SSD drives utilize TPM to transparently unlock when attached to my BitLocker main computer. I have two 4TB Samsung T9 SSD drives for my Macrium Image backups protected with BitLocker.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
Hey @hsehestedt ,

I should mention that the recovery of media was built on a different (non-bitlocker) machine and Macrium is not installed on the laptop at this time since it is a corporate machine and I plan to do cold backups until I/T can grant me rights to install it. For now I just wanted to be able to have some sort of a backup since I'm working remotely it would be difficult to re-image the box and I can just restore my own local backups as long as I can get all of this work reliably, but as I said Bitlocker is new to me so I'm having to learn as I go.



I think what you are trying to say is that when you create media on a machine that has bitlocker and Macrium already installed that Macrium automatically injects the the recovery key onto the recovery media when those options are checked - Is that correct?

When I created the media on the second machine I did enable those two because I knew the target machine would be dealing with Bitlocker drives however not having used it before in this context I wasn't sure how bitlocker and Macrium work together and what the happy path for this process looks like.

I've searched youtube to see if I could find any videos that talk about backups that involve bitlocker with Macrium for a relevent example but came up empty.

Here are the settings I chose when making my backup media on the 2nd (non-bitlocker) machine:

View attachment 96689


As for exporting the key, I was able to save the text file and the PDF to the USB key with no issues so I had already figured out what you mentioned. For now I have a copy of the file on my cell phone so I have a recovery method that is not on the local machine. However if you've written something that does obfuscation then I wouldn't mind taking a look at it and maybe incorporating it into my workflow so thanks for the offer.

So the only thing I haven't figured out is how to export the key as a bkf per the Macrium kb article.
Since the save to USB doesn't work in a brand new vm I'm guessing that's either something that is deprecated but not updated in the kb article or there is something else you have to do in windows to enable that feature???


Also did you have any advice on trying to mount/read Individual files from the second machine on the Bitlocker Volume? Is that even possible when dealing with bitlocker or do you have to restore the whole drive just to get at a couple of files?



Thanks
Let me try my best to answer your questions. If I have misunderstood anything, please do let me know.

Note that when you use any files on a BitLocker encrypted volume it is automatically decrypted for you on the fly once you have unlocked the volume. It is all transparent to you. The exact same thing happens when you perform a backup using a program like Reflect. Windows decrypts the files or data blocks and then hands the unencrypted data to Reflect which then backs that data up. Because of this, when you restore a drive, it will initially be unencrypted after the restore and you would simply re-encrypt the volume after restoring it. This changes if you save the BitLocker key with Reflect. I don't know all the details regarding this - it would probably be helpful for me to review the Reflect documentation on this topic. I don't know all the details because I never save my BitLocker key to my Reflect media.

Whether your backed up drive used BitLocker or not, you can still always mount your Reflect backup and access individual files or the entire backup.

As far as saving the BitLocker key to your recovery disk when creating the recovery media, I would have to better educate myself on this by reading the related part of the Reflect documentation. I'm not sure how to add the keys for multiple systems to the same Recovery media. If I recall, I think that it simply saves the key as plain text in a file, which is why you need to protect that recovery media. As I noted, I never bother saving my key(s) to my Reflect media.

Let me know if there was anything I didn't address. I may need to do a little research, but I will happily do so when back in front of my primary desktop.

As far as the BKF file goes, I thought that a .BKF was the extension for a Windows backup file so I'm not sure how that relates to this discussion. Could you possibly point me to the Macrium Reflect article that references this?
 

My Computers

System One System Two

  • OS
    Win11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-11700K
    Motherboard
    ASUS Prime Z590-A
    Memory
    128GB Crucial Ballistix 3200MHz DRAM
    Graphics Card(s)
    No GPU - CPU graphics only (for now)
    Sound Card
    Realtek (on motherboard)
    Monitor(s) Displays
    HP Envy 32
    Screen Resolution
    2560 x 1440
    Hard Drives
    1 x 1TB NVMe Gen 4 x 4 SSD
    1 x 2TB NVMe Gen 3 x 4 SSD
    2 x 512GB 2.5" SSDs
    2 x 8TB HD
    PSU
    Corsair HX850i
    Case
    Corsair iCue 5000X RGB
    Cooling
    Noctua NH-D15 chromax.black cooler + 10 case fans
    Keyboard
    CODE backlit mechanical keyboard
    Mouse
    Logitech MX Master 3
    Internet Speed
    1Gb Up / 1 Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    Additional options installed:
    WiFi 6E PCIe adapter
    ASUS ThunderboltEX 4 PCIe adapter
  • Operating System
    Win11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkBook 13x Gen 2
    CPU
    Intel i7-1255U
    Memory
    16 GB
    Graphics card(s)
    Intel Iris Xe Graphics
    Sound Card
    Realtek® ALC3306-CG codec
    Monitor(s) Displays
    13.3-inch IPS Display
    Screen Resolution
    WQXGA (2560 x 1600)
    Hard Drives
    2 TB 4 x 4 NVMe SSD
    PSU
    USB-C / Thunderbolt 4 Power / Charging
    Mouse
    Buttonless Glass Precision Touchpad
    Keyboard
    Backlit, spill resistant keyboard
    Internet Speed
    1Gb Up / 1Gb Down
    Browser
    Edge
    Antivirus
    Windows Defender
    Other Info
    WiFi 6e / Bluetooth 5.1 / Facial Recognition / Fingerprint Sensor / ToF (Time of Flight) Human Presence Sensor
Let me try my best to answer your questions. If I have misunderstood anything, please do let me know.

Note that when you use any files on a BitLocker encrypted volume it is automatically decrypted for you on the fly once you have unlocked the volume. It is all transparent to you. The exact same thing happens when you perform a backup using a program like Reflect. Windows decrypts the files or data blocks and then hands the unencrypted data to Reflect which then backs that data up. Because of this, when you restore a drive, it will initially be unencrypted after the restore and you would simply re-encrypt the volume after restoring it. This changes if you save the BitLocker key with Reflect. I don't know all the details regarding this - it would probably be helpful for me to review the Reflect documentation on this topic. I don't know all the details because I never save my BitLocker key to my Reflect media.

Whether your backed up drive used BitLocker or not, you can still always mount your Reflect backup and access individual files or the entire backup.

As far as saving the BitLocker key to your recovery disk when creating the recovery media, I would have to better educate myself on this by reading the related part of the Reflect documentation. I'm not sure how to add the keys for multiple systems to the same Recovery media. If I recall, I think that it simply saves the key as plain text in a file, which is why you need to protect that recovery media. As I noted, I never bother saving my key(s) to my Reflect media.

Let me know if there was anything I didn't address. I may need to do a little research, but I will happily do so when back in front of my primary desktop.

As far as the BKF file goes, I thought that a .BKF was the extension for a Windows backup file so I'm not sure how that relates to this discussion. Could you possibly point me to the Macrium Reflect article that references this?



So the link I was referring to is in my original post, it contains the screen shot of the missing option as well:



I get what you are saying as far as when a "normal" reflect user does a "HOT/Live" backup inside the OS, but in this case I am doing a COLD/Offline backup by booting to the recovery media then backing up over my network. Since this is a corporate/work machine, I am unable to install reflect so the rescue media is the only method i have open to me at the moment.

So what this means is that I am backing up an encrypted blob of data and not the unencrypted files/partitions. Because of that, any downstream processing that I do later with the backup file means that reflect needs to be able to decrypt the data whenever you want to recover just a few files as opposed to restoring the entire drive also having not done it yet I have to wonder how a brand new restored onto bare metal works when you restore an encrypted blob. Is windows smart enough to tell me that this is an encrypted drive that must have the recovery key entered? This is merely my ignorance with Bitlocker so until I try that step I won't know the answer.


Having never tried any of this and just going off of what I read in the KB article, it's my assumption that if you have the BKF file that Reflect will know how to decrypt the drive image either by doing a full restore or as I was trying to do by mounting the image as a temporary drive letter to retrieve a couple of files. This is all just an assumption on my part because I couldn't get that far and I have yet to learn how the process actually works.

Thanks
 

My Computer

System One

  • OS
    W11 Pro
Sounds like you are trying to do things a thief that steals your computer might try to do. Your IT department has apparently done its job. :-)
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
Back
Top Bottom