Changed BitLocker password on SD drive, recovery key unchanged, still auto unlocks on other device

  • Question

  • I BitLockered an SD card to use for backup from my Surface Go (Win 10 Home; I applied the lock on my Win 10 Pro PC). I set it to auto unlock on the Go. All fine. I then wanted to change the password, so I returned it to my Win 10 Pro PC and did so. I reinserted it in the Go and it auto unlocked, despite the password having been changed.

    What's more - the recovery key was not changed.

    Surely that should not happen?

    Wednesday, March 18, 2020 4:57 PM

All replies

  • Hi,

    You have configured BitLocker to automatically unlock volumes that do not host an operating system.

    After a user unlocks the operating system volume, BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.

    The auto-unlock option allows the drive to unlock automatically when inserted into designated computers, eliminating the need for a password. This means you are free to choose a highly secure password without being burdened by its complexity.

    You can turn the auto-unlock option on or off.

    Please refer to the following link for details:

    https://www.tenforums.com/tutorials/37662-turn-off-auto-unlock-bitlocker-drive-windows-10-a.html

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Best Regards,

    Farena



    Thursday, March 19, 2020 2:23 AM
  • That is expected behavior.

    Auto-unlock saves an encryption key to the hard drive of the PC that has auto-unlock activated. That key is independent of the password and thus does not care about password changes.

    Thursday, March 19, 2020 8:28 AM
  • The Surface Go which is auto unlocking the drive is running Win 10 Home which does not have Bitlocker controls of any kind.
    Thursday, March 19, 2020 10:33 AM
  • I had deduced that the mechanism was of that kind.

    Is it really expected that once auto unlock is set on a Win 10 Home machine it cannot ever be stopped or invalidated? See reply above, on Win 10 Home there are no Bitlocker controls.

    If the key is on the hard drive somewhere it must be possible to delete it. Can you tell me where it is?

    Thursday, March 19, 2020 10:40 AM
  • You need to understand how this works, then you may control it:

    On the stick, you can delete the encryption keys (= "protectors") one by one. In this case, it's a so-called "ExternalKey". The syntax is as follows (it needs to be executed on an elevated command line - this syntax assumes that your stick has the drive letter x:):

    manage-bde -protectors -delete X: -Type ExternalKey

    Now it won't auto-unlock anywhere.

    Thursday, March 19, 2020 10:44 AM
  • The real gain to my understanding is that there is a command line tool, manage-bde, and even Win 10 Pro only exposes a small fraction of its capabilities in the UI. Of course this is common across much of Windows.

    Now done. Thanks for the pointer.

    While the cognoscenti may expect this behaviour, the rest of the world would not expect that changing the password does not prevent access to the disk by someone who only had the old password. That is not normal behaviour.

    • Edited by Int Rins Thursday, March 19, 2020 11:41 AM
    Thursday, March 19, 2020 11:35 AM
  • Just deleting the ExternalKey is not sufficient. You also need to replace the RecoveryPassword by deleting and re-adding it with manage-bde. Otherwise the one set along with the original password is still valid.
    Thursday, March 19, 2020 12:02 PM
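Putting the two replies above together (delete the ExternalKey protector, then delete and re-add the RecoveryPassword), here is an added PowerShell example that is not part of the original thread and not a Microsoft script. It performs the same protector rotation with the BitLocker module cmdlets on a Windows 10 Pro machine instead of manage-bde, includes the password change itself, and verifies afterwards that no protector from before the rotation survives. The drive letter X:, the function name and the step ordering (add a fresh recovery password before removing anything) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Rotates every protector on a BitLocker
# data volume (here an SD card) so that the old password, the old recovery
# key and any auto-unlock (ExternalKey) protector can no longer open it.
# Assumes Windows 10 Pro with the BitLocker PowerShell module; 'X:' and the
# function name are placeholders.
function Reset-BitLockerDataVolumeProtectors {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,   # e.g. 'X:'
        [Parameter(Mandatory)] [securestring] $NewPassword   # replacement password
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data')     { throw "$MountPoint is not a data volume" }
    if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not on for $MountPoint" }

    # Everything present now is treated as known to the old-password holder and will be removed.
    $old    = @($vol.KeyProtector)
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })
    Write-Host "Protectors on $MountPoint before rotation:"
    $old | ForEach-Object { Write-Host ("  {0,-16} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId) }

    # 1. Add a fresh recovery password FIRST, so the volume is never left without
    #    a protector we control. Equivalent to: manage-bde -protectors -add X: -RecoveryPassword
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newRecovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }
    Write-Host "NEW recovery password (store it before going on): $($newRecovery.RecoveryPassword)"

    # 2. Replace the password: remove the old Password protector(s), then add the new one.
    foreach ($p in $old | Where-Object { $_.KeyProtectorType -eq 'Password' }) {
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $NewPassword

    # 3. Remove the auto-unlock keys and the old recovery password. Equivalent to:
    #    manage-bde -protectors -delete X: -Type ExternalKey
    #    manage-bde -protectors -delete X: -Type RecoveryPassword -Id {old-id}
    foreach ($p in $old | Where-Object { $_.KeyProtectorType -in 'ExternalKey', 'RecoveryPassword' }) {
        Write-Host "Removing $($p.KeyProtectorType) $($p.KeyProtectorId)"
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }

    # 4. Verify: no ExternalKey left, and no protector id from before the rotation.
    $remaining = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector)
    $types = @($remaining | ForEach-Object { $_.KeyProtectorType })
    if ($types -contains 'ExternalKey') {
        throw "An ExternalKey protector is still present; the volume can still auto-unlock"
    }
    if ($remaining | Where-Object { $oldIds -contains $_.KeyProtectorId }) {
        throw "A protector from before the rotation survived"
    }
    Write-Host "Protectors on $MountPoint after rotation:"
    $remaining | ForEach-Object { Write-Host ("  {0,-16} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId) }
    return $remaining
}

# Usage (drive letter is a placeholder; the password is read interactively, never hard-coded):
# $pw = Read-Host -AsSecureString -Prompt 'New BitLocker password'
# Reset-BitLockerDataVolumeProtectors -MountPoint 'X:' -NewPassword $pw
```

Two practical notes. The new 48-digit recovery password printed in step 1 is the only fallback if the new password is mistyped, so record it before the script continues past that point. And the stale auto-unlock entry left on the Surface Go does not need to be found and deleted: it only references the ExternalKey protector, and once that protector is gone from the volume metadata the entry can no longer unlock anything; on the Pro PC itself, if auto-unlock was ever enabled there, `Disable-BitLockerAutoUnlock -MountPoint 'X:'` (or `manage-bde -autounlock -disable X:`) removes that machine's own entry.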
  • It seems you didn't make yourself clear in the first place.

    After changing the password, you expect all protectors to be de-validated. Of course that is not the case.

    If you deal with BitLocker passwords a lot, please be informed that for OS drives, the password allows full control, while the PIN only allows the user to boot the drive. (For external drives, there is never a PIN, since that is not technically possible.)

    Thursday, March 19, 2020 12:17 PM