Bitlocker Auto Unlock: activated but not working

  • Question

  • I have 2 storage hdd encrypted w/ bitlocker, in addition to the encrypted OS volume C:.

    I activated auto unlock expecting the storage volumes to automatically unlock with the unlocking of C: (I enter the psw during boot since I don't have TPM). However they stay locked until I open them and manually enter their psw.

    Looked everywhere on the internet for solutions but the problem is still here, so I'm posting asking for help.

    Things to know:
    - storage volumes are seen as removable, instead of fixed (I guess because ahci is set, so should be normal)
    - the two storage volumes have been encrypted before encrypting C:, and have different psw from C: (shouldn't matter either, but you never know)
    Monday, August 1, 2016 10:02 PM

Answers

  • We use this feature in the office quite regularly and I can confidently say "it has bugs".

    Please remove autounlock and add it again.

    If that does not work and you are not willing to decrypt and re-encrypt your removable drives and retry, you could use a workaround. A batch that uses the recovery key like this:

    manage-bde -unlock x: -rp 2153162-21312313-3123... (the 48-digit-recovery key)

    x: would be the drive letter. If the drive letter changes, well, add another line

    manage-bde -unlock y: -rp 2153162-21312313-3123...


    • Edited by Ronald Schilf Tuesday, August 2, 2016 1:26 PM
    • Marked as answer by Fra881 Wednesday, August 3, 2016 11:09 PM
    Tuesday, August 2, 2016 1:26 PM

All replies

  • I tried many times to remove and add auto unlock but it does nothing.

    Given that there seems to be no other option, I created the batch and scheduled to run on log on. Works brilliantly, thanks, however it opens the two hdd in explorer every time I log on (because that's what bitlocker does when you unlock a disk).

    Is there a way to avoid the root folders opening every time I turn on the pc? I couldn't find an option to disable in bitlocker settings.

    Tuesday, August 2, 2016 7:06 PM
  • There is a way.

    Set up a scheduled task with that command and have it run with system credentials (user: system).

    As trigger, choose "at logon of every user" or "at logon of yourdom\you". Tested that, no popups.

    Tuesday, August 2, 2016 9:05 PM
  • I tried that but it still opens the popups at log on.

    I now have "at logon of every user" (before I had the alternative yourdom\you) and under security options "when running the task, use the following user account: SYSTEM".

    Thursday, August 4, 2016 10:19 AM
  • As long as you use "system", it would work with any sort of trigger without a popup.
    Thursday, August 4, 2016 3:35 PM
  • If I understood correctly and you mean to have under security options "when running the task, use the following user account: SYSTEM" then I am indeed using "system" credentials but I am still getting the popups at logon.

    Thursday, August 4, 2016 4:45 PM
  • Strange. Here, it does not pop up but just works.
    Monday, August 8, 2016 11:14 AM
  • I cannot find any decent words to describe Microsoft's attitude on this thread. I have Windows 10 Pro with all updates but still, 3 out of 9 drives are not being unlocked automatically. And their number increases over time. Bitlocker is marketed as a 'strong point of Windows' but it needs lots of improvements.

    About your answer, Ronald, yes - it might work and I will use it just because decrypting 4 volumes of 10TB each will take ages (no exaggeration here!) but you reduce the security level of your system by having the recovery keys stored in clear text in the startup script. By the way - if you do not want to have pop-ups, make it machine startup script instead of user logon script.

    No comments from Microsoft?!! I worked for them for a while but I never left questions unanswered... ;)


    George Costache

    Wednesday, September 19, 2018 5:03 PM
  • Hi George.

    "you reduce the security level of your system by having the recovery keys stored in clear text in the startup script. By the way - if you do not want to have pop-ups, make it machine startup script instead of user logon script." - I did not advise using a startup or logon script (a logon script would not work, by the way, as it does not run elevated). Use a scheduled task with a suitable trigger and put the batch somewhere where only entitled people have access - that should be clear.

    Thursday, September 20, 2018 6:14 AM
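
The workaround from the marked answer and the last reply (unlock batch, scheduled task running as SYSTEM, batch readable only by entitled accounts), put together as an added example that is not from any poster in this thread. The folder path, file name, task name and the recovery-password placeholder are assumptions; X: and Y: are the drive letters used in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example. Folder, file name, task name and key placeholder are assumptions.
$dir    = Join-Path $env:ProgramData 'BdeUnlock'     # hypothetical location
$batch  = Join-Path $dir 'unlock-data.cmd'           # hypothetical file name
$drives = 'X:', 'Y:'                                 # data volumes, as in the answer
$rp     = 'RECOVERY-PASSWORD-PLACEHOLDER'            # replace with each volume's 48-digit key

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Restrict the folder BEFORE the key is written to disk: drop inherited ACEs,
# grant full control only to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# One unlock line per volume, same command as in the answer.
$drives | ForEach-Object { "manage-bde -unlock $_ -rp $rp" } |
    Set-Content -Path $batch -Encoding Ascii

# Abort if any principal other than the two intended ones can access the batch.
$allowed = 'S-1-5-18', 'S-1-5-32-544'
$extra = (Get-Acl $batch).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $sid.Value -notin $allowed
}
if ($extra) {
    throw "Unexpected ACEs on ${batch}: $($extra.IdentityReference -join ', ')"
}

# Scheduled task that runs the batch as SYSTEM at logon of any user.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$batch`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Unlock BitLocker data volumes' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# After the next logon, confirm the lock state of each data volume.
$drives | ForEach-Object { manage-bde -status $_ }
```

The recovery password still sits in clear text on C:, so at rest it is protected only by the OS volume's own BitLocker encryption and, while Windows is running, by the ACL set above.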