HBS 5.8.1.0 Beta 260409 - BitLocker tests and bugs I found

[al3x]

Hey there,

I tested around a bit with the new BitLocker features in the current beta version.

What I can say so far: This feature is insane! I really like that HBS is now able to retain the BitLocker state and that you can even select if you want BitLocker retained or removed. You can even restore without BitLocker first and then again restore the same backup and this time reenable BitLocker. That's crazy good and I can't even imagine the things that had to be moved to make this feature possible. Huge props for that!

Besides that, I tested around a bit further and I've found 3 things that might be worth looking into:

---
1) Backup is stored on another partition that also has BitLocker enabled

Restore will still work, I didn't think it would go through but it did, nice! But it won't automatically open the backup partition. Instead after booting to WinPE it will ask for the BitLocker password or recovery key. If you provide the key, it will continue and restore without problems.

I think it might be a good idea to also remember a possible recovery key for the backup partition (just like with the system partition). That way the user wouldn't have to do anything at all.

---
2) Error during backup of a freshly installed Windows 11 where device encryption is not completed yet

If you setup a new device with Windows 11 and it is encrypted by default, the encryption will be "Device encryption" where the BitLocker password will be uploaded to your Microsoft account and all devices connected to your PC will be "prepared" for encryption. This is the new default for all modern devices and the user normally won't even recognize their device was encrypted.

This is exactly the scenario I tested. The device was installed with a fresh copy of Windows 11 but with a local Windows account. This will prepare your device in a way that partitions are BitLocker encrypted (during setup) but no recovery key was set so far:





When you try to backup Windows with HBS in this state, the backup will fail. First it tells you that the drive has BitLocker activated (which is true, just not protected so far):



Then when performing the backup it fails with this error:



Specified object not found. (0x030E001300000000)
The operation was not successful.

I attached the log to this thread.

---
3) Device encryption changes to "normal" BitLocker encryption after a restore

This one is a little hard to explain and I'm not that familiar with the differences of device encryption and "normal" BitLocker encryption unfortunately.

When a fresh Windows 11 device is encrypted with BitLocker device encryption, it will show "Device encryption" and an "ON" slider in Windows settings under "Privacy & security" / "Device encryption" (see first screenshot on 2).

But after successfully restoring a backup with HBS this menu will look different:



The slider is now gone and it will only show "Your encryption settings are managed by BitLocker". Technically this is probably the same, but it looks like the "advanced" version of device encryption now where you can't easily decrypt everything by turning the slider to "OFF". Instead encryption is now managed by the "normal" BitLocker settings.

I don't know what the differences are exactly, device encryption looks like the "beginner" version for me. But I was wondering why this changes after a restore.

*Edit: Also, when thinking about it, I was testing with a Windows 11 Pro version where BitLocker is available in general. Home on the other hand does not have BitLocker available to the user. Device encryption can be active on both editions, though. That means if a restore changes the settings to "normal" BitLocker, users of the Home edition might be locked out of the settings or worse. So maybe this effect should also be checked with the Home edition and what might change for users.

---

That's all I have for now. All in all this beta version is really impressive.

Points 1 and 3 are not really critical for me. Point 2 might be worth looking into because there might be lots of people that have device encryption turned on without being activated fully.

Cheers!
al3x

[admin]

1) Backup is stored on another partition that also has BitLocker enabled

Thank you for your suggestions. We will work on improving it. My only concern is: where should the BitLocker recovery information be saved? Storing it insecurely would introduce significant risks.

2) Error during backup of a freshly installed Windows 11 where device encryption is not completed yet

This is an issue we didn't notice, and we will fix it as soon as possible.

3) Device encryption changes to "normal" BitLocker encryption after a restore

Device Encryption actually uses the same BitLocker encryption algorithm. However, why is it recognized as a noraml BitLocker partition after restoration? We need to analyze this issue further.

[al3x]

1) Backup is stored on another partition that also has BitLocker enabled

Thank you for your suggestions. We will work on improving it. My only concern is: where should the BitLocker recovery information be saved? Storing it insecurely would introduce significant risks.

Don't you already save the BitLocker recovery information for the system drive in the backup anyway? How do you manage to keep BitLocker for the system drive and support delta restore now (even when booting directly from WinPE)? You'd need the recovery key for this to work, wouldn't you? Or is it read somewhere from the saved partition in the backup directly?

Thanks!
al3x

[admin]

Thank you for your suggestions. We will work on improving it. My only concern is: where should the BitLocker recovery information be saved? Storing it insecurely would introduce significant risks.

Don't you already save the BitLocker recovery information for the system drive in the backup anyway? How do you manage to keep BitLocker for the system drive and support delta restore now (even when booting directly from WinPE)? You'd need the recovery key for this to work, wouldn't you? Or is it read somewhere from the saved partition in the backup directly?

Thanks!
al3x

Hi al3x,

It is not advisable to save the access key of the target drive in the backup image for the following reasons:
1. The backup image itself may not be encrypted, especially when backing up a non‑BitLocker drive, and the program will not prompt the user to encrypt the image.
2.The backup image may be copied to another partition or even another computer, in which case the access key saved within the image becomes useless.

It is particularly important to note that if the image is not encrypted, the access key can easily be leaked. Therefore, my idea is to only pass the access key to WinPE when automatically booting from Windows into WinPE to perform a restore operation. In this way, the key always remains on the current computer and can be cleared immediately after entering WinPE.

Best regards,

[al3x]

Hi al3x,

It is not advisable to save the access key of the target drive in the backup image for the following reasons:
1. The backup image itself may not be encrypted, especially when backing up a non‑BitLocker drive, and the program will not prompt the user to encrypt the image.
2.The backup image may be copied to another partition or even another computer, in which case the access key saved within the image becomes useless.

It is particularly important to note that if the image is not encrypted, the access key can easily be leaked. Therefore, my idea is to only pass the access key to WinPE when automatically booting from Windows into WinPE to perform a restore operation. In this way, the key always remains on the current computer and can be cleared immediately after entering WinPE.

Best regards,

Hey,

ok, I see your points and you're right, the warning message is currently only shown when saving a BitLocker encrypted partition (not when saving ON a BitLocker encrypted partition).

But I'm still curious: How do you currently handle the unlocking of the system drive? I can boot from WinPE directly, select the image and the restore process is able to unlock the partition to perform delta restore.

Btw: Instead of passing the recovery key for the backup partition to WinPE, you could also temporarily pause the encryption with manage-bde -protectors <drive> -disable. This should temporarily unlock the volume. Not sure about resuming encryption though. Microsoft documentation says it should resume automatically after a reboot, but that is only for system drives. You might need to resume manually with -enable then.

[admin]

Hey al3x,

Thanks for following up.

You're right, the backup image does store the unlock credentials for the drive being backed up. Of course, we encrypt them inside the image. This is exactly why the software prompts the user to encrypt the backup image itself. If the image is left unencrypted, those stored credentials (even though they are encrypted) could still be at risk of leakage.

Regarding your suggestion about temporarily disabling protectors with manage-bde -protectors <drive> -disable, to be honest, it is a workable workaround. However, the behavior of re‑enabling encryption protection is not always reliable or safe, and as backup software, we shouldn't arbitrarily change the state of other drives on the user's system. Therefore, we prefer to avoid leaving a drive in an unprotected state for an extended period. In comparison, only passing the key during an automated boot into WinPE and clearing it immediately after entering WinPE is a better approach.

Thanks for the discussion!

Best regards,

[admin]

Dear al3x,

The issues you mentioned have been fixed in V5.8.1.1 Beta. Here is the download link for V5.8.1.1 Beta:
https://www.easyuefi.com/backup-software...8_Beta.exe

It took much longer than expected, mainly due to the lack of available documentation on BitLocker.

Best regards,

[al3x]

Hi!

It took much longer than expected, mainly due to the lack of available documentation on BitLocker.

Yeah, I didn't expect anything less from Microsoft unfortunately. I still don't understand exactly how or where they store this information.
But it's awesome that you could figure it out!

8. Fixed backup failure when BitLocker Device Encryption is not fully completed

Works perfectly! Tested it multiple times, couldn't find anything!

9. Fixed Device Encryption reverting to standard BitLocker after restore

Also works perfectly!
I tested with device encryption and standard encryption, both are restored and show up in settings just like before.

10. Automatically unlock the BitLocker drive containing the backup image when automatically booting from Windows into WinPE to perform a restore

Nice! Also tested and it's unlocking both partitions before running the restore process.
No problems, very smooth!

This release is awesome, couldn't find any problems. Really a huge step forward!
Now, where all new devices basically come pre-encrypted, this could make the difference for people to think about switching to HBS or even buying Home/Pro.

Best regards,
Alex

[admin]

It took much longer than expected, mainly due to the lack of available documentation on BitLocker.

Yeah, I didn't expect anything less from Microsoft unfortunately. I still don't understand exactly how or where they store this information.
But it's awesome that you could figure it out!

There's no particular secret to it. It just took a lot of attempts and data analysis.

And I'm glad to hear that all the issues have been resolved.

Have a nice day!