Convert Windows boot from BIOS to UEFI without decrypting Bitlocker

I wanted to convert an MBR/BIOS boot drive to GPT/UEFI, but without needing to decrypt and then re-encrypt Bitlocker. Mainly because I am lazy. This worked, but I’ll warn that the advice to decrypt completely first is without any doubt the safest way to go.

Follow the instructions for converting from BIOS to UEFI boot.

With the following changes:

  • Print out your Bitlocker Recovery Key from Control Panel, Bitlocker. You will need this key.
  • Take a backup. No seriously. Use Veeam Endpoint if you don’t have anything else installed to take backups. Stuff goes wrong with computers, and you don’t want to lose your system installation and data.
  • Suspend Bitlocker protection on your system drive.
  • Reboot from your Windows installation / recovery DVD/USB, verify that you can get to your c:\windows directory. This might be d:\windows if you have a recovery partition at the end of the disk.
  • Now boot into Windows and convert the disk to GPT using gptgen.
  • When you then boot into the Windows installation / recovery media, you’ll be asked for the Bitlocker Recovery Key. After that, the rest of the steps are as in the generic instructions.
  • When booting into Windows (assuming you changed your BIOS to boot (U)EFI instead of MBR now), you’ll be asked for the recovery key again.
  • In my case, the drive didn’t show suspended. I suspended it again.
  • After that, resuming Bitlocker encryption will fail with “The System cannot find the file specified”.
  • Open Explorer, navigate to C:\Windows\System32\Recovery and rename the file “ReAgent.xml” to “ReAgent.xml.old”
  • Resume Bitlocker encryption on drive C:\. This should now succeed.
  • Reboot for good measure to verify that everything works and you don’t get prompted for the recovery key any more.
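As an added example (not a script from the original post), the checks and the repair from the steps above in PowerShell: it verifies that the machine really came up as UEFI/GPT, re-suspends protection if it did not stick, and falls back to renaming ReAgent.xml when the resume fails. It assumes the OS volume is C: and that the Windows 8.1+ BitLocker cmdlets are present.

```powershell
#Requires -RunAsAdministrator
# Post-conversion check and repair (added example; assumes the OS volume is C:).
$os = "C:"

# 1. Confirm firmware mode and disk layout actually changed: expect UEFI and GPT.
$osDisk = Get-Partition -DriveLetter $os.TrimEnd(':') | Get-Disk
"Firmware: $env:firmware_type  Partition style: $($osDisk.PartitionStyle)"

# 2. Show the recovery password once more; compare it with the printout made earlier.
$vol = Get-BitLockerVolume -MountPoint $os
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery key ID $($_.KeyProtectorId): $($_.RecoveryPassword)" }

# 3. The post found the drive did not show as suspended after the first UEFI boot;
#    suspend again (RebootCount 0 keeps it suspended until Resume-BitLocker runs).
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $os -RebootCount 0 | Out-Null
}

# 4. Try to resume; report the error instead of aborting so we can apply the workaround.
function Resume-Protection {
    try {
        Resume-BitLocker -MountPoint $os -ErrorAction Stop | Out-Null
        return ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -eq 'On')
    } catch {
        Write-Warning "Resume failed: $($_.Exception.Message)"
        return $false
    }
}

if (-not (Resume-Protection)) {
    # Stale WinRE configuration from the BIOS-era install; rename it and retry.
    $reagent = Join-Path $env:SystemRoot 'System32\Recovery\ReAgent.xml'
    if (Test-Path $reagent) {
        Rename-Item -Path $reagent -NewName 'ReAgent.xml.old'
    }
    if (-not (Resume-Protection)) {
        throw "BitLocker still not resumed; inspect 'manage-bde -status $os' before rebooting"
    }
}

# 5. Final state: ProtectionStatus should read On, and the next reboot should not prompt for the key.
Get-BitLockerVolume -MountPoint $os |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```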

Restoring a Bitlocker system volume with Acronis 2014

I had reason to restore my Windows 8 system volume, which is encrypted using Bitlocker. Getting access to my data drive back after that wasn’t quite as straightforward as I had hoped. For reference, and in case others get into this situation, here is what I encountered.

My setup

One system drive, SSD, encrypted using Bitlocker, running Windows 8.1.

One data drive, HDD, encrypted using Bitlocker, set to auto-unlock.

One backup drive, HDD, unencrypted. TrueImage 2014 is set to encrypt the backups themselves. This is crucial: Without an unencrypted backup drive, I couldn’t “get at” my backups when restoring the system drive.

I do not have a TPM module and use a USB stick instead for Bitlocker keys. I do not have Secure Boot enabled, mainly because I upgraded this system from Windows 7, don’t have a Secure Boot compatible GPU, and really don’t feel like re-installing Windows 8 to get the additional boot sector protection of Secure Boot. It’s a neat feature, but convenience wins out.

I keep a copy of my startup key and my recovery keys on a separate USB stick in the safe, and this proved to have been a necessary precaution.

Restore system drive

Restoring the system drive itself was reasonably straightforward. It cannot be done from Acronis within Windows, I had to use a Rescue CD instead. On machines without an optical disk drive, use a Rescue USB stick.

As expected, the system drive was unencrypted after the restore. This is a result of the way Acronis takes sector backups: it is “fed” the unencrypted data by Bitlocker, and so that is what gets backed up and restored.

Get access to data drive back

I encountered two errors.

First, upon attempting to unlock my data drive, I received an error “Application not found”. The context menu entry to unlock the drive read “unlock-bde”, which points to an issue. This can be resolved by editing the registry, see Microsoft’s KB entry. The automatic fixit didn’t work for me, since my temp directory is on the data drive. Rather than change the location of temp, I just made the necessary two changes in regedit. To unlock the drive, I had to get my recovery key USB stick from the safe. You do have one of those, I’d hope. If not, you might be screwed.

Secondly, upon attempting to set the data drive to auto-unlock, I received an error “data error cyclic redundancy check”. No need to panic, the data is fine: this is a problem with the stored Bitlocker keys, not with the disk. Mark Berry documented the fix back in 2010. I used his updated (2/17/2011) methodology, which can therefore no longer be called untested. In a nutshell: enable Bitlocker on the system drive and reboot. While the system drive is encrypting, use manage-bde to get rid of the old auto-unlock keys and delete the external keys from the data volumes, then re-enable auto-unlock. This worked like a charm. Note that he uses S: as a sample drive letter for the data volume; replace it with whatever drive letter your data volume has.

Lastly, do not forget to copy your startup key and backup your new recovery key for the system volume onto your “oh crap” USB stick, and put it back in the safe where it belongs.
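The sequence from the two paragraphs above as an added PowerShell example (not the blog's or Mark Berry's own script). It assumes the restored system volume is C:, the data volume is S: (as in the referenced write-up), a startup-key USB stick mounted at E: because this setup has no TPM, and an assumed folder on the “oh crap” stick for the new recovery password; the two functions are meant to be run before and after the reboot respectively.

```powershell
#Requires -RunAsAdministrator
# Added example: re-establish data-volume auto-unlock after a system-volume restore.
$os      = "C:"                 # restored system volume, now unencrypted
$data    = "S:"                 # data volume, still encrypted, auto-unlock broken
$startup = "E:\"                # startup-key stick (assumed drive letter; no TPM here)
$safeUsb = "E:\bitlocker-keys"  # assumed folder on the recovery-key stick kept in the safe

# Run before the reboot: turn encryption back on for the system volume with a
# USB startup key, then reboot as the post describes.
function Enable-SystemVolumeEncryption {
    manage-bde -status $os
    manage-bde -on $os -StartupKey $startup
    # A new recovery password is created as well; it is saved by Save-NewRecoveryPassword.
}

# Run after the reboot, while C: is still encrypting (encryption need not be finished).
function Repair-DataVolumeAutoUnlock {
    # Drop the stale auto-unlock keys the old system volume image still holds.
    manage-bde -autounlock -clearallkeys $os

    # Remove the external-key protector(s) on the data volume that the stale keys
    # referred to; this is what the CRC error pointed at. Unlock S: first with the
    # recovery key if it is locked.
    manage-bde -protectors -delete $data -type ExternalKey

    # Create a fresh external key and store it on the new system volume.
    manage-bde -autounlock -enable $data

    # Verify: the data volume should now list one ExternalKey protector again.
    manage-bde -protectors -get $data
}

# Copy the system volume's new recovery password to the stick kept in the safe.
function Save-NewRecoveryPassword {
    New-Item -ItemType Directory -Path $safeUsb -Force | Out-Null
    $out = Join-Path $safeUsb ("C-recovery-{0}.txt" -f (Get-Date -Format yyyyMMdd))
    manage-bde -protectors -get $os -type RecoveryPassword | Out-File -FilePath $out
    "Recovery password written to $out; copy the startup key from $startup as well."
}
```

Call Enable-SystemVolumeEncryption first, reboot, then Repair-DataVolumeAutoUnlock and Save-NewRecoveryPassword.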