How to Configure BitLocker Auto Unlock
BitLocker is a full-disk encryption tool that is built-in to Windows 10. Full disk encryption prevents someone who gets physical access to a disk from reading the data stored on it. BitLocker is often used to encrypt the system drive but it can also be used to encrypt data volumes. And portable storage media, like USB sticks, using BitLocker To Go.
By default, if you encrypt a data drive using BitLocker, it will remain locked until you manually unlock it. For example, when you boot your device, you enter a password to unlock the BitLocker-encrypted system drive so that Windows can load. If you want to access data volumes that are encrypted with BitLocker, you can unlock them when required using a protector, which in this example is a password.
BitLocker Auto Unlock
BitLocker keeps data drives locked by default to protect the data stored on them while it’s not needed by the user. But in some scenarios, you might want BitLocker to unlock data drives at the same time as the system drive is unlocked. BitLocker Auto Unlock unlocks data volumes using encrypted information stored in the registry and volume metadata. Auto Unlock can be enabled by users in the Windows GUI and using PowerShell. But users require admin privileges to change BitLocker settings.
Enable or Disable BitLocker Auto Unlock in the Windows Control Panel
At the time of writing, BitLocker is still managed using the legacy control panel. The easiest way to get to the BitLocker settings in the control panel is to open the Windows 10 Settings app by pressing CTRL+I. Then in the search box, type bitlocker. Click Manage BitLocker in the search results and you will be redirected to the BitLocker control panel.
As you can see in the image below, users can enable or disable Auto Unlock for fixed data drives that are encrypted by BitLocker. You just click Turn on auto-unlock and Turn off auto-unlock respectively. Auto Unlock also works on removable data drives.
You can choose to enable Auto Unlock when setting up BitLocker drive encryption on a data volume by checking Automatically unlock this drive on this computer in the BitLocker configuration wizard.
Configure BitLocker Auto Unlock using PowerShell
To enable Auto Unlock on a data volume, use the Enable-BitLockerAutoUnlock cmdlet as shown below, changing the value of the MountPoint parameter to the volume you want to auto unlock.
Enable-BitLockerAutoUnlock -MountPoint d:
And Disable-BitLockerAutoUnlock removes encrypted information in the registry that’s required to unlock a volume, and then disables Auto Unlock on the specified volume. The command below disables Auto Unlock on a volume labelled D:
Disable-BitLockerAutoUnlock -MountPoint d:
Administrators can use a couple of other commands to check the Auto Unlock configuration of a volume. Manage-BDE and Get-BitLockerVolume can be used to display information about a volume, including its Auto Unlock status.
Manage-BDE -Status d:
Or use Get-BitLockerVolume instead:
Get-BitLockerVolume -MountPoint d:
How to Use an Active Directory key protector to auto-unlock encrypted BitLocker volumes
Volumes can be protected and automatically unlocked using an Active Directory (AD) key protector. This allows AD users to access and auto unlock fixed or removable drives regardless of which device they log in to.
To add a BitLocker protector to a device, run Add-BitLockerKeyProtector with elevated privileges as shown below. Replace contoso\user1 with the AD username or group you want to add in the DOMAIN\user format.
Add-BitLockerKeyProtector -MountPoint d: -ADAccountOrGroup contoso\user1 -ADAccountOrGroupProtector
Then all you need to do is make sure the volume is configured for Auto Unlock:
Enable-BitLockerAutoUnlock -MountPoint d:
These commands will ensure BitLocker protected volumes labelled d: are automatically unlocked whenever CONTOSO\user1 logs in. In a production environment, it will be more practical to specify an AD group rather than individual user accounts.
More in Windows 10
Microsoft Releases PowerShell Scripts to Fix WinRE BitLocker Flaw on Windows 11 and 10
Mar 17, 2023 | Rabia Noureen
March Patch Tuesday Updates Bring New Windows 11 Features and Fixes for 74 Vulnerabilities
Mar 14, 2023 | Laurent Giret
Microsoft Removes Edition Checks for AppLocker Deployment on Windows 10 and 11
Mar 13, 2023 | Rabia Noureen
How to Enable Hyper-V in Windows 10
Mar 13, 2023 | Michael Reinders
Windows Update for Business Reports Now Help IT Admins Monitor Bandwidth Usage
Mar 9, 2023 | Rabia Noureen
Microsoft Defender App Starts Force Installing on Windows 10 and 11 PCs
Feb 28, 2023 | Rabia Noureen
Most popular on petri