
How to Configure BitLocker Auto Unlock

BitLocker is the full-volume encryption feature built into Windows 10. Full-volume encryption prevents someone who gets physical access to a disk from reading the data stored on it. BitLocker is most often used to encrypt the system drive, but it can also encrypt data volumes and, with BitLocker To Go, portable storage media such as USB sticks.

By default, a data drive encrypted with BitLocker stays locked until you unlock it manually. For example, when you boot your device, you enter a password to unlock the BitLocker-encrypted system drive so that Windows can load. If you then want to access data volumes that are encrypted with BitLocker, you unlock each of them when required using one of its key protectors, which in this example is a password.

BitLocker Auto Unlock

BitLocker keeps data drives locked by default so the data on them stays protected until a user actually needs it. But in some scenarios, you might want BitLocker to unlock data drives at the same time as the system drive is unlocked. BitLocker Auto Unlock does this by adding an external key protector to the data volume and storing the key, encrypted, in the registry of the operating system volume alongside the volume metadata. Because that key lives on the system drive, Auto Unlock can only be enabled when the system drive is itself protected by BitLocker, and the data volume then becomes exactly as well protected as the system drive: anyone who can unlock the system drive can read the data volume. Auto Unlock can be enabled in the Windows GUI and using PowerShell, but changing BitLocker settings requires administrator privileges.

Enable or Disable BitLocker Auto Unlock in the Windows Control Panel

At the time of writing, BitLocker is still managed using the legacy control panel. The easiest way to get to the BitLocker settings is to open the Windows 10 Settings app by pressing the Windows key+I, then type bitlocker in the search box. Click Manage BitLocker in the search results and you will be redirected to the BitLocker control panel.


In the BitLocker control panel, shown in the image below, users can enable or disable Auto Unlock for each fixed data drive that BitLocker has encrypted by clicking Turn on auto-unlock or Turn off auto-unlock. The same option is available for removable data drives.

[Image: the BitLocker Drive Encryption control panel (Image Credit: Russell Smith)]

You can choose to enable Auto Unlock when setting up BitLocker drive encryption on a data volume by checking Automatically unlock this drive on this computer in the BitLocker configuration wizard.


Configure BitLocker Auto Unlock using PowerShell

To enable Auto Unlock on a data volume, use the Enable-BitLockerAutoUnlock cmdlet as shown below, changing the value of the MountPoint parameter to the volume you want to auto unlock.

Enable-BitLockerAutoUnlock -MountPoint d:

Disable-BitLockerAutoUnlock removes the encrypted key material stored in the registry for the specified volume and then disables Auto Unlock on it, so the volume has to be unlocked manually the next time it is mounted. The command below disables Auto Unlock on the volume mounted at D:

Disable-BitLockerAutoUnlock -MountPoint d:

To remove the stored Auto Unlock keys for every data volume on the computer at once, use Clear-BitLockerAutoUnlock, which takes no mount point.

Reporting

Two other commands report the Auto Unlock configuration of a volume. manage-bde -status prints an Automatic Unlock line for data volumes, and Get-BitLockerVolume returns a BitLockerVolume object whose AutoUnlockEnabled property shows the state; an auto-unlocked volume also carries an ExternalKey entry in its KeyProtector list.

Manage-BDE -Status d:

Or use Get-BitLockerVolume instead:
Get-BitLockerVolume -MountPoint d:
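As an added example that is not from the original article, the script below ties the PowerShell steps together the way an administrator would run them: it refuses to enable Auto Unlock unless the operating system volume is itself protected, unlocks the data volume if it is still locked, enables Auto Unlock, and then verifies the result with both Get-BitLockerVolume and manage-bde before printing an audit view of every data volume. The drive letter D: and the password prompt are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Assumes the data volume is D:.
param(
    [string]$MountPoint = 'D:'
)

# The Auto Unlock key is stored in the registry of the operating system volume,
# so it is only as well protected as that volume. Check before relying on it.
$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if ($osVolume.ProtectionStatus -ne 'On') {
    throw "OS volume $($osVolume.MountPoint) is not protected by BitLocker; Auto Unlock would keep its key on an unprotected drive."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data') {
    throw "$MountPoint is not a data volume; Auto Unlock applies to data volumes only."
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not encrypted; run Enable-BitLocker on it first."
}

# Auto Unlock can only be configured on a volume that is currently unlocked.
if ($vol.LockStatus -eq 'Locked') {
    $pw  = Read-Host -AsSecureString -Prompt "BitLocker password for $MountPoint"
    $vol = Unlock-BitLocker -MountPoint $MountPoint -Password $pw
}

if (-not $vol.AutoUnlockEnabled) {
    $vol = Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# Verify: Auto Unlock shows as AutoUnlockEnabled = True and adds an ExternalKey
# protector; manage-bde reports the same state on its "Automatic Unlock" line.
$vol          = Get-BitLockerVolume -MountPoint $MountPoint
$externalKeys = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })
$bdeLine      = manage-bde -status $MountPoint | Select-String 'Automatic Unlock'
$bdeText      = '(not reported)'
if ($bdeLine) { $bdeText = $bdeLine.Line.Trim() }

[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    AutoUnlockEnabled = $vol.AutoUnlockEnabled
    ExternalKeyCount  = $externalKeys.Count
    ManageBde         = $bdeText
}

# Audit view: the Auto Unlock state of every data volume on this computer.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus, AutoUnlockEnabled |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the ExternalKeyCount of 1 and the manage-bde line reading Automatic Unlock: Enabled are the two independent confirmations that the key was written.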


How to Use an Active Directory key protector to auto-unlock encrypted BitLocker volumes

Data volumes can also be given an Active Directory (AD) account or group key protector, a SID-based protector. A user or group covered by the protector can then unlock the volume with its domain credentials, on any domain-joined computer the fixed or removable drive is attached to, instead of needing a password or recovery key. The protector is supported on data volumes only, not on the operating system volume.

To add the protector to a volume, run Add-BitLockerKeyProtector with elevated privileges as shown below. Replace contoso\user1 with the AD user or group you want to add, in DOMAIN\name format.

Add-BitLockerKeyProtector -MountPoint d: -ADAccountOrGroup contoso\user1 -ADAccountOrGroupProtector

If you also want the volume to open automatically on this computer, enable Auto Unlock on it:

Enable-BitLockerAutoUnlock -MountPoint d:

Keep the two mechanisms distinct. Auto Unlock is a per-computer setting: the key it stores in this computer's registry unlocks D: at boot regardless of which user logs on, and it does nothing on any other machine. The AD protector is what lets CONTOSO\user1 unlock the same drive after attaching it to another domain-joined computer, by running Unlock-BitLocker -MountPoint d: -AdAccountOrGroup. In a production environment, it is more practical to specify an AD group than individual user accounts, and you should keep a recovery password protector on the volume as well, so that it can still be recovered if the group is deleted or the computer leaves the domain.
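The following is an added example, not code from the original article, that applies the AD protector the way a practitioner would in production: it checks the preconditions (data volume, domain-joined computer), makes sure a recovery password exists and is escrowed to AD DS before the SID protector is added, adds the protector for a group, lists what is now on the volume, and finally enables Auto Unlock for this computer. The drive letter D: and the group CONTOSO\BitLocker-D-Users are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Assumes the data volume is D:
# and that CONTOSO\BitLocker-D-Users is an existing AD group, named as DOMAIN\name.
param(
    [string]$MountPoint = 'D:',
    [string]$Principal  = 'CONTOSO\BitLocker-D-Users'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data') {
    throw "$MountPoint is not a data volume; the AD account or group protector applies to data volumes only."
}
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This computer is not domain-joined, so the AD protector cannot be used here.'
}

# Never leave a volume with the SID protector as its only way in: add a recovery
# password first and escrow it to AD DS (requires the BitLocker recovery
# information schema and policy to be in place in the domain).
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($types -notcontains 'RecoveryPassword') {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null
} catch {
    Write-Warning "Recovery password was not escrowed to AD DS: $($_.Exception.Message)"
}

# Add the SID-based protector for the group. This example skips the step if any
# AD protector is already present; it does not check which principal that one names.
if ($types -notcontains 'AdAccountOrGroup') {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $Principal
}

# Show the protectors now on the volume.
$vol.KeyProtector | Select-Object KeyProtectorId, KeyProtectorType | Format-Table -AutoSize

# A member of the group, on any domain-joined computer the drive is attached to,
# unlocks it with the protector instead of a password or recovery key:
#   Unlock-BitLocker -MountPoint D: -AdAccountOrGroup

# Auto Unlock is separate and per-computer: it stores an unlock key in THIS
# computer's OS-volume registry so the drive opens at boot for whoever logs on.
Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Select-Object MountPoint, AutoUnlockEnabled
```

The try/catch around Backup-BitLockerKeyProtector is deliberate: if the domain is not configured to store BitLocker recovery information, the escrow fails, and you want that surfaced as a warning rather than silently ending up with a recovery password that exists nowhere but on the volume itself.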

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.