Windows 10: Feature update 2004 seems to decrypt your Bitlocked OS volume and may brick your install

I run latest and greatest Win10 on an external SSD connected to a USB3 adapter, everything installed and encrypted with Bitlocker without any hacks. Installing 2004 update halted at a point where it looked like recovery environment and prompted if I wanted to boot into the OS. Then I got the "couldn't start properly" and prompt to recover startup. The startup tools could not detect the volume and would not prompt me to enter my decryption key.

Plugging the drive into an unencrypted PC that already had 2004, prompted me to continue decryption of a bitlocker volume was not complete, which it then did so without entering a key. I could read the files from the volume, but nothing would make it bootable.

I'm now typing this on a fresh install on the same hardware, encrypted after 2004 was installed. I had to put the SATA SSD in a temporary laptop to get past the first step, because the new creation tool setup version no longer allows installing to a drive that detects USB.

submitted by /u/AaronCompNetSys
[link] [comments]

:)

 

bitlocker decryption

After the last win10 update OS version : 10.0.15063.414 ,my SD card encrypted by bitlocker without my knowledge.

So, How i can decrypt bitlocker??

***Post moved by the moderator to the appropriate forum category.***

 

Decrypting bitlocker encrypted OS volume with .pfx certificate

I have a windows 10 operating system partition that is encrypted with bitlocker.
Unfortunately I don't remember ever having activated bitlocker encryption nor can find and
.bek file or numeric pin or password.

My first uncertainty is in why my device is encrypted in the first place and who encrypted it. There are two possibilities: I have encrypted it myself and forgotten about it. The manufacturer that shipped the laptop has encrypted the device
when installing the operating system (which I don't think is the case). I contacted the manufacturer and they do not have knowledge of any key.

My second uncertainty is in why the bitlocker lockout was triggered at this time when it worked fine for the last year or so. It says
Boot policy has unexpectedly changed. From what I have red so far, there are a lot of reasons why this can happen. Probably it happened because I did not properly remove a external USB harddrive or I changed some BIOS settings without knowing what
I was doing. The only important question is if it is it in principle possible to roll back the boot policy to its initial state and thus circumvent the necessity to enter the bitlocker code?

My third uncertainty is concerning the unlock key. I found a
.pfx certificate file that I might have exported during the encryption procedure, I just don't remember. I found a post

https://www.einfaches-netzwerk.at/teil-20b-bitlocker-dra/ where a drive is indeed decrypted with the
sha1 certificate thumbprint like this:

manage-bde -unlock i: -cert -ct "46 4f 75 9b f9 67 7a d2 44 d0 7b 64 61 63 16 80 df dc 0b a2"

which I can easily retrieve from the .pfx file.

My question is now, assuming this .pfx certificate indeed contains the key to do the decryption, how can I export this certificate to the certificate store so that the above command will work?

How can I install the .pfx certificate from the elevated command prompt (I cannot do it from within the GUI because it is my OS volume that is locked so I only can access it with the recovery console)?

I tired:

certutil -f -p somePassword -importpfx "somePfx.pfx"

as outlined here
https://stackoverflow.com/questions/5171117/import-pfx-file-into-particular-certificate-store-from-command-line?noredirect=1, but
certutil command is not found.

Here is the output of the manage-bde -status command

Can someone give a hint on how to decrypt a bitlocker encrypted OS partition with a
.pfx file and clarify if the steps outlined are in principle correct and should work if the certificate is the right one?

I would appreciate any your comments.

 

BitLocker Decryption Paused..

Hi Hans,

Thanks for your immediate response.

I have followed the steps for my device (D in Windows PowerShell as mentioned by you but I got the following result mentioning "the device is not ready". Please help with any alternate solution.

Thanks

C:\WINDOWS\system32> manage-bde -status

BitLocker Drive Encryption: Configuration Tool version 10.0.16299

Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with

BitLocker Drive Encryption:

Volume C: [Windows]

[OS Volume]

Size: 464.15 GB

BitLocker Version: 2.0

Conversion Status: Used Space Only Encrypted

Percentage Encrypted: 100.0%

Encryption Method: XTS-AES 128

Protection Status: Protection On

Lock Status: Unlocked

Identification Field: Unknown

Key Protectors:

Numerical Password

TPM

Volume D: [comicider]

[Data Volume]

Size: 931.51 GB

BitLocker Version: 2.0

Conversion Status: Decryption Paused

Percentage Encrypted: 0.1%

Encryption Method: AES 128 with Diffuser

Protection Status: Protection Off

Lock Status: Unlocked

Identification Field: Unknown

Automatic Unlock: Disabled

Key Protectors:

Numerical Password

Password

PS C:\WINDOWS\system32> Disable-BitLocker -MountPoint "D:"

Disable-BitLocker : The device is not ready. (Exception from HRESULT: 0x80070015)

At line:1 char:1

+ Disable-BitLocker -MountPoint "D:"

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : NotSpecified: ) [Write-Error], FileNotFoundException

+ FullyQualifiedErrorId : System.IO.FileNotFoundException,Disable-BitLocker

PS C:\WINDOWS\system32> manage-bde -off D:

BitLocker Drive Encryption: Configuration Tool version 10.0.16299

Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x80070015):

The device is not ready.