I have a few questions about System Image in Windows 7 that I really hope someone can help with. I have a Windows 7 Ultimate x64 system with a 500GB hard disk with BitLocker on the C: drive (approx. 150GB used space). I want to create an image of the disk/drive using the built in System Image utility. 1. Can you use System Image on a BitLockered drive? 2. If so, do you have to switch BitLocker off first, does it switch BitLocker off automatically, and is the resulting image file encrypted or not? 3. Does the fact that the C: drive is encrypted prevent System Image compressing the data (can it still identify empty blocks/sectors and skip them)? 4. Should you (do you have to) include the BitLocker partition (the 100MB partition) as well? 5. How do you restore the image onto a new drive (I need to make sure that I can recreate the drive in case the hard disk fails or the system stolen)? Any help would be much appreciated!

What do you mean by built in System image utility?

Control Panel > Backup and Restore > Create a system image

Hi, The default Windows Backup settings “Let Windows choose (Recommend)” includes an image of Windows startup and system files on the backup. If the Windows system disk is using Bitlocker drive encryption protected, the backup process will fail. Therefore, if you would like to backup system image, please decrypt manually. Or you may choose the option (Let me choose), and choose which files you need to backup and uncheck the checkbox: “Include a system image of Drivers (C:)” in What do you want to back up window to perform a backup on the computer. I also just got the following about saving the backup image in a drive which is locked by BitLocker: Protect your files and PC with Windows 7 Backup http://blogs.technet.com/b/filecab/archive/2009/10/23/protect-your-files-and-pc-with-windows-7-backup.aspx “When a drive is locked by BitLocker, you need to unlock the drive before you can see information about the drive, back up the drive, or save a backup on the drive. Therefore if you’re using BitLocker with Windows Backup, the best option would be to set the drives that you are encrypting to unlock automatically when you log on to the computer. If you do not wish the drives to unlock automatically, you can also unlock a drive manually only when it’s needed for backup. “ I think if you want to restore from the image, you need to unlock the drive, restore and then lock the drive. In addition, please check if the following links help: Back Up Windows 7 by Creating a System Image http://social.technet.microsoft.com/wiki/contents/articles/back-up-windows-7-by-creating-a-system-image.aspx Restore your computer from a system image backup http://windows.microsoft.com/en-US/windows7/Restore-your-computer-from-a-system-image-backup More information: Learn more about system image backup http://blogs.technet.com/b/filecab/archive/2009/10/31/learn-more-about-system-image-backup.aspx Regards, Sabrina Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Sabrina, Many thanks for a full and detailed response. Apologies for not replying sooner but other things have been keeping me busy. I would have marked your response as "Answer" but it seems Nicholas Li beat me to it! Your second para really highlights the problem: "Therefore, if you would like to backup system image, please decrypt manually."!!! So, it seems that Microsoft give you a choice: 1. Secure your data against theft and unauthorised access (BitLocker), OR; 2. Secure your data against drive failure/corruption (System Image). BUT YOU CAN'T DO BOTH! It really is not practical to decrypt the drive to do a drive image and then re-encrypt it again each time. I think Microsoft should take this issue seriously and provide an update to enable both security mechanisms to work together.

Gavin, I think Sabrina may have misled you when she said: "The default Windows Backup settings “Let Windows choose (Recommend)” includes an image of Windows startup and system files on the backup. If the Windows system disk is using Bitlocker drive encryption protected, the backup process will fail." I don't believe this is true. That is exactly what I do on my system, and it works just fine. It backs up a system image and does a separate data backup. The drive I am backing up to, the "Backup Drive", is also Bitlocker protected. The Backup Drive must be unlocked, of course, while the backup is running, but can be kept locked otherwise to protect against theft of the backup drive data. Likewise, your system should always be powered off or hibernated when unattended to protect against data theft. Use of standby modes [S1 - S3] are vulnerable and should be disabled by policy settings. The only sleep mode that can be safely used with Bitlocker is Hibernate if you want maximum protection. I have theft and unauthorized access protection and I have drive failure and corruption protection. Bitlocker is great! I suggest you just do a test and see if it works. There is so much misinformation about Bitlocker, it is a wonder anybody uses it outside of enterprise IT departments. The fact that Sabrina suggested manually decrypting indicates to me she doesn't fully understand Bitlocker. Bitlocker is transparent to virtually all applications when it is unlocked, including Windows Backup and Restore. That is the whole point of Bitlocker, all the encryption/decryption is done under the covers. Jim Gay Just a lurker who has just finished researching and testing Bitlocker for use in a friend's small business.

Hi Jim, I really appreciate your reply, thanks for that. I didn't bother trying to do a system image after Sabrina's reply because I don't have a spare drive with much space on it at the moment, but you have provided some hope and I will give it a try - it maybe a little while before I get the chance but I will report back! I agree that BitLocker is great (other than the lack of info on this issue!). I reckon it is a more important tool for small businesses (where all the company's data is on just one or two PCs) than for large organisations (where most of the data is on a mainframe/server that is not easily lost or stolen!). Just curious, have you tried restoring a system disk from your system image? Do you think the restored disk would be bitlockered or do you think it would be unencrypted and need bitlockering again? Regards, Gavin

Hi Gavin, I haven't conducted a restore test, but I will be doing so sometime in the next week. Rather than speculate, I will let you know the result. I intend to do two tests. 1) Restoring to a clean drive, and 2) Restoring to the drive from which the System Image was created (which has Bitlocker installed). I fully expect this to work since I have seen elsewhere where people have done this using Acronis TrueImage. BTW, Acronis is clear they do not support Bitlocker, but it works if done correctly apparently. The comments in this thread notwithstanding, Microsoft claims to support Bitlocker. We'll see how it works in my case. Stay tuned. Regards, Jim

Hi Gavin, I did the restore test I promised using my latest system image and several days of data backups from Windows Backup and Restore. I restored to a different, but identical drive since I didn't want to risk wrecking my production system. It worked as expected, and when the restore finished, Windows displayed a warning saying the drive was unencrypted, and I would have to turn Bitlocker back on if I wanted it re-encrypted. I am not going to run the second test I listed because the restore removes the partitions as a first step, so what is on the drive before you do a restore doesn't matter. I hope this answers your question about Bitlocker. So, I believe the answers to your original questions are: 1. Can you use System Image on a BitLockered drive? Yes 2. If so, do you have to switch BitLocker off first, does it switch BitLocker off automatically, and is the resulting image file encrypted or not? No, no and the resulting image is unencrypted (but the image is in a Microsoft proprietary format and it would best be stored on a Bitlocker To Go External drive. 3. Does the fact that the C: drive is encrypted prevent System Image compressing the data (can it still identify empty blocks/sectors and skip them)? Backup and Restore does not know the drive is encrypted because Bitlocker delivers unencrypted data to the backup program. Therefore, I believe the system image of a Bitlocker protected drive and an unencrypted drive are essentially the same save for a few system files related to Bitlocker. 4. Should you (do you have to) include the BitLocker partition (the 100MB partition) as well? Yes, the Bitlocker and OS partitions must always be treated as a inseparable pair. If you don't the restore will fail because their are files in the "Bitlocker" partition required by Bitlocker. 5. How do you restore the image onto a new drive (I need to make sure that I can recreate the drive in case the hard disk fails or the system stolen)? When you set up Backup and Restore, it prompts you to create a Recovery CD, which is used to perform the restore. You can also use the Windows 7 product disk. You can restore the image to any disk you want as long as it is the same size or larger than the partitions from which the system image was made. This is because the restore program has no functionality to resize the partitions. And as a bonus here are a couple of answers to questions you didn't ask. 6. Do Online Backup Services work with Bitlocker? All the ones I have contacted (the major ones) say no. However, I use Mozy, and it works OK despite what Mozy says. It has some problems, but they always seem to fix themselves in the next backup. I suspect these issues have nothing to do with Bitlocker, but it could be the case that Bitlocker prevents Mozy from doing blocking backups so file changes may trigger a download of the entire file which would effect backup efficiency. However, and this is important, I have all my programs and data on the C: drive. If you backup separate data drives and the drives are locked by Bitlocker, Mozy thinks you deleted the files and it deletes them from its backup. When the drive is unlocked, Mozy starts all over again backing them up. That's why I have everything on one drive. It makes for larger backups, but fortunately, these days we have very big and cheap hard drives. 7. Does LoJack work with Bitlocker? Yes, but since the thief will be forced to format the hard drive, it is important that your system have a TPM chip with the Computrace code installed by the system manufacturer in order for LoJack to survive the reformat. LoJack may still work if the thief leaves the machine on and connected to the Internet before he/she reformats the drive. My experience so far is that Bitlocker is a nightmare to support, but if you want your system totally protected when it is turned off, Bitlocker is the best solution for Windows machines. For external hard drives, I am looking for a different solution because Bitlocker To Go does not fit my needs. It's compatibility with XP and Vista is too limited. Good luck. Hope this helps. Jim

Jim- Thanks for posting your experience using BitLocker, so far it is one of the best posts about BitLocker that I've seen because it's more than just conjecture about how it should work, it's actual practical application. I did have one question that I'm hoping that you might be able to answer. You mentioned in your answer to question 2, that in order to safe guard the resulting image you would have to use Bitlocker To Go on the external drive. Did you try that? And if so, how did it change the restore process? Do you have to decrypt the drive first before trying the restore? Or will Windows 7 take that into account during the image restore process from the recovery CD and prompt you to insert a USB key or type the recovery key before restoring the image? Any insight you might have here would be much appreciated! -Aaron

I actually answered my own question by bitlockering an external drive, creating a system image, and then restoring the image on a different computer. You can see a detailed explanation of my experience in the thread here: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/6cbc202b-094b-48ff-b4d6-486f3821c604