How to re-lock a drive with bitlocker

  • Question

  • I am using windows 7 bitlocker to encrypt a secondary hard drive. So I unlock the drive with the password successfully. Now how do I relock the drive? The only way I can see is to restart the machine. What bothers me is that even if you log off, and log in as another user the drive is still unlocked! Isn't there a menu item or option to re-lock it?
    -mi
    Friday, May 29, 2009 3:29 PM

Answers

  • Hi,

    I did several tests on my side, and I think this is a potential security bug. I will report it to our internal team.

    On the other hand, I do not have any workaround for this issue. Please temporarily restart the computer every time for security.

    Thank you for your understanding.

    Monday, June 1, 2009 10:24 AM

All replies

  • Any updates on this?
    • Proposed as answer by jonnypommy Saturday, December 17, 2011 10:34 PM
    Wednesday, June 3, 2009 3:10 PM
  • I too also need an update on this!
    Friday, July 3, 2009 6:29 AM
  • Also looking for an answer on this.

    "this is a potential security bug" - I'd say definitely a security bug!

    An automatic relock timer might be a nice feature also.
    Tuesday, July 7, 2009 9:45 AM
  • You can achieve this through the command line interface

    e.g. If P: were my private drive, I can re-lock it with the following command (run the cmd shell with Administrative rights though)

    To re-lock a Bitlocker drive on Windows 7 :

       manage-bde -lock P:

    Enjoy
    Monday, August 10, 2009 1:37 PM
  • Thanks for this, Robin.  At least I can add a script and pin it to the Start Menu.

    This is still an issue in the RTM; I'm a little disappointed it made it through to release.
    Saturday, August 22, 2009 11:20 AM
  • I made a .cmd-file to re-lock the drives:

    From a cmd-prompt, type the following:

    C:\Windows\system32>copy con lockdrive.cmd
    manage-bde -lock l:
    manage-bde -lock k:
    ^Z     [press CTRL-Z]
            1 file(s) copied.

    Replace l: and/or k: with the corresponding drive letter on your computer.

    Make a shortcut to the lockdrive.cmd-file, and check the "run as administrator" check box.


    Rgs,
    Inge

    Saturday, August 29, 2009 2:05 PM
  • I have the same problem. By the way, I am using Windows 7 RTM 64-bit. I also through group policy increased the cipher strength to "AES 256-bit with Diffuser".

    I encrypted a couple USB hard drives with Bitlocker To Go. I noticed another security issue on top of the one already discovered:

    When a Bitlocker To Go disk is connected, initially it is locked with the volume label hidden (as it should be). When you relock the drive using "manage-bde -lock drive:" the volume label is still showing.

    Edit: I have been testing this further by unlocking, relocking, and disconnecting the drive multiple times and I noticed that in "Computer" it eventually stopped showing a volume label for this drive when it is unlocked (until I restarted my computer). I am not sure why. But when I used the "dir" command it did show the proper volume label. This might be a bug in the "Computer" display of volume labels, it might not be re-reading the volume labels for drives properly.

    When a Bitlocker drive is relocked, it should be in the same state as if it were freshly connected. Also, logging off should automatically relock drives, or at least have an option in the Bitlocker control panel and/or group policy for that.

    Regarding the original poster's issue: Logically, one would think right-clicking the unlocked drive and choosing "Manage Bitlocker" would have an option to lock the drive.

    Sunday, August 30, 2009 2:34 PM
  • this was the best answer ever;)
    -mi
    Tuesday, September 1, 2009 6:54 PM
  • Check my post here on how to do the 'Lock Drive' right-click menu entry:

    http://jonamafun.blogspot.com/2009/11/how-to-re-lock-bitlocker-drive.html
    Friday, November 13, 2009 12:11 PM
  • @jonamafun - followed exactly but getting "The filename,directory name, or volume label syntax is incorrect"
    any suggestions?
    Monday, November 16, 2009 6:22 PM
  • Try running the batch file from Windows Explorer to see if it actually locks your drive first.

    What did you name your .bat file and where is it located? Make sure you put the full path to the file at step 6.

    This is what my step 6 looks like:





    Tuesday, November 17, 2009 12:36 PM
  • This could work, but batch file needs to be run as administrator, don't know how to set it yet..

    Wednesday, November 18, 2009 10:15 AM
  • I followed all the steps, but get an error popup:

    "The filename, directory name, or volume label syntax is incorrect"

    The .bat file it points to works fine.

    my runas\command\ looks just like the screen shot.

    Any ideas?
    Sunday, November 22, 2009 10:50 AM
  • I followed all the steps, but get an error popup:

    "The filename, directory name, or volume label syntax is incorrect"

    The .bat file it points to works fine.

    my runas\command\ looks just like the screen shot.

    Any ideas?

    How do you add a screen shot to a post here?  I could show you what my reg keys look like.

    I did discover that I could make a shortcut to lock.bat; and in the advanced shortcut properties it lets you set "Run as Administrator".

    So ideally, the reg key setting could point to the shortcut.

    Thanks for any help...
    Sunday, November 22, 2009 11:07 AM
  • Me, too; ever get a solution?

    Thanks
    Sunday, November 22, 2009 11:09 AM
  • I used HTML tags to embed the image here...

    Have you tried testing with UAC turned off? I neglected to mention that I'm running without UAC (shhh!) so that may have something to do with it.
    Sunday, November 22, 2009 2:26 PM
  • Hi Guys,

    I have made the following change to the script proposed. And it is working well..

    1. Install the elevation powertoy - needed on UAC boxes.

    http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx

    2. Set up the registry as so.


    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5) "
    @="Lock BitLocker Volume"
    "HasLUAShield"=""
    "MultiSelectModel"="Single"

    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe\command]
    @="elevate.cmd manage-bde.exe -lock G:"

    3. If anyone has the solution to change G:\ to G: through the use of %1, even better.
    Sunday, January 3, 2010 11:11 AM
  • Something I would like is to be able to give the locked drive a name other than the plain jane default name -- that is, a name that would show up when it IS locked.
    Sunday, January 10, 2010 4:35 AM
  • [HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
    @="manage-bde.exe -lock -forcedismount \"%1\""

    In the registry the \ will be removed but the quotes will remain.  This will pass the drive without the extra backslash, but for some reason it is producing an extra " mark.  So now, I get an invalid syntax error....  ' "D:"" was not understood.'   So it's a step closer, but not exactly there yet.

    Thursday, April 8, 2010 8:45 AM
  • To add "Lock Drive..." to the Explorer right-click context menu...

    Apply this registry update:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\Lock Drive...\command]
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2e,00,76,00,\
      62,00,73,00,20,00,2d,00,6c,00,6f,00,63,00,6b,00,20,00,2d,00,66,00,6f,00,72,\
      00,63,00,65,00,64,00,69,00,73,00,6d,00,6f,00,75,00,6e,00,74,00,20,00,25,00,\
      31,00,00,00

    And create and save the following script as C:\Windows\System32\manage-bde.vbs

    Set oWSH = CreateObject("Wscript.Shell")
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
     Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    Args = Replace(Args,"\","")
    RetVal = oWSH.Run("manage-bde.exe" & Args,0,True)
    Wscript.Quit RetVal

     

    • Proposed as answer by okshef Monday, July 19, 2010 11:42 AM
    Friday, April 9, 2010 3:32 AM
  • Hi Robinson,

    Did Microsoft ever get back to you to say if they were going to include this in an update rather than the below .bat and registry edits that people are making?

    Thanks.

    Saturday, April 24, 2010 1:25 PM
  • I just made a shortcut icon on my desktop, put the command "manage-bde -lock d:" and named it as LOCK.

    Thanks Robin...

    Rgrds

    kal-el of krypton

     

     

     

    Tuesday, July 13, 2010 2:18 PM
  • To add "Lock Drive..." to the Explorer right-click context menu...

    Apply this registry update:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\Lock Drive...\command]
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2e,00,76,00,\
      62,00,73,00,20,00,2d,00,6c,00,6f,00,63,00,6b,00,20,00,2d,00,66,00,6f,00,72,\
      00,63,00,65,00,64,00,69,00,73,00,6d,00,6f,00,75,00,6e,00,74,00,20,00,25,00,\
      31,00,00,00

    And create and save the following script as C:\Windows\System32\manage-bde.vbs

    Set oWSH = CreateObject("Wscript.Shell")
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
     Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    Args = Replace(Args,"\","")
    RetVal = oWSH.Run("manage-bde.exe" & Args,0,True)
    Wscript.Quit RetVal

     

    Doesn't work. 

     Also, why use the hex value for the registry setting instead of the ASCII value which is much easier to read?    "wscript.exe manage-bde.vbs -lock -forcedismount %1"

     

    Monday, July 19, 2010 7:05 PM
  • Hi,

    I did several tests on my side, and I think this is a potential security bug. I will report it to our internal team.

    On the other hand, I do not have any workaround for this issue. Please temporarily restart the computer every time for security.

    Thank you for your understanding.


    I have to admit, this is not a security bug with Bitlocker. Bitlocker's intent was not to protect drives on a system that was logged in and the end-user neglectfully walk away. It was my impression that in the event of the laptop's theft, Bitlocker would prevent the culprit of theft from reading the data on this drive in its offline condition. Who leaves their laptop logged in and walks away?

    If they leave it logged in and walk away, in a company where security is important, this person should have been penalized and given a position of less responsibility for neglecting to protect the information that makes his job a value to the company. It's because of this type of neglect that the end-users don't learn their lesson or at least receive a drill on security by faking it by setting the end-user up.

    The end user with the mobile device needs to understand their importance to keep the information confidential if it's important enough to be encrypted...

    A password policy should be enough to prevent re-accessing the system. In the event of struggling with the "dumb password" the assailant may reset the computer and try to re-enter, unaware of BitLocker encryption's application.

    I'm sorry but I fail to see where the bug is. Security analysts already know this... educating the end-user and making the end-user aware of the consequences is the important part of keeping the laptop secured. Bitlocker does its job... make the end-user do theirs. All you need to do as the IT staff is make sure that you disclose this information in technical writing when you make it policy.

    Give the staff education on keeping the device secure when you give them the device. Bitlocker by nature is decrypted as soon as the password is entered... there's no flaw. It's by design... If accessing it past bitlocker is your concern, apply smartcards with Encrypted File System certificates.


    Steve Kline - MCITP
    This posting is "as is" without warranties and confers no rights.

     

    • Proposed as answer by Steve Kline Wednesday, July 21, 2010 6:48 PM
    • Edited by Steve Kline Saturday, July 24, 2010 2:49 PM
    Monday, July 19, 2010 7:53 PM
  • I have to admit, this is not a security bug with Bitlocker. Bitlocker's intent was not to protect drives on a system that was logged in and neglectfully walk away. It was my impression that in the event of the laptop's theft, Bitlocker would prevent the culprit of theft from reading the data on this drive in its offline condition. Who leaves their laptop logged in and walks away?


    The concern here is not about walking away from your laptop.

    Rather, computer security intrusions can happen at any time.  If you are booted-up and connected to the internet, there is the potential that a hacker could gain access.

    If you have sensitive information on a drive that you are concerned enough to bit-lock it, it should remain locked whenever not in use in order to lower the chances for any type of hacker to gain access to it.

    Thus, the ability to relock a drive (although not a security bug) is sorely needed functionality in order to have a more complete set of security barriers to would-be data thieves.    And the fact is, you can relock it...  just not very easily.

    Monday, July 19, 2010 9:06 PM
  • hex values here are called EXPANDOs, expandos are used in the Registry whenever the file path includes a dynamic part, like an environment variable. Manage-bde.exe does NOT work on Windows Server 2008 R2. I too would like a relock solution without rebooting for Windows Server 2008 R2. :)
    Tuesday, July 20, 2010 4:15 AM
  • hex values here are called EXPANDOs, expandos are used in the Registry whenever the file path includes a dynamic part, like an environment variable. Manage-bde.exe does NOT work on Windows Server 2008 R2. I too would like a relock solution without rebooting for Windows Server 2008 R2. :)

    Thanks.  But, I'm still not sure I understand why posting Hex is better than ASCII.  You can still use ASCII characters in registry to pass environment variables.  You just need to make sure you're using a REG_EXPAND_SZ value.

    I'm curious about the Windows Server 2008 R2 too now.  A good solution would be the same for both OS's. 

    Tuesday, July 20, 2010 6:21 AM
  • I made a .cmd-file to re-lock the drives:

    From a cmd-prompt, type the following:

    C:\Windows\system32>copy con lockdrive.cmd
    manage-bde -lock l:
    manage-bde -lock k:
    ^Z     [press CTRL-Z]
            1 file(s) copied.

    Replace l: and/or k: with the corresponding drive letter on your computer.

    Make a shortcut to the lockdrive.cmd-file, and check the "run as administrator" check box.


    Rgs,
    Inge

     

    That works great, thank you. Some points to clarify for those of us not so advanced in computing. Just to point out I am running Windows 7 Ultimate with UAC turned off. I'm not sure if this will work in other versions or with UAC on, I think so but perhaps someone will confirm this.

    To turn off UAC, go to control panel, select 'User Accounts' then your account name, 'Change user account control settings' and select 'Never notify' and reboot. Next navigate to 'Control panel / Folder options', click the 'View' tab and move the radio button to 'Show hidden files, folders and drives', then uncheck the 'Hide extensions for known file types' box, Apply, OK and close Control panel. 

    1. It is easier to go to your windows folder, find the System32 folder, put your mouse cursor on it, hold the shift key, right click and select 'Open command prompt here'. That way when the DOS window opens you only need to type "copy con lockdrive.cmd" (without the quotes) and press Enter.

    2. Type "manage-bde -lock #:" again without the quotes and replace the "#" with the letter of your bitlocker drive as Inge stated. If you have another drive to lock then repeat this line with your other drive letter and press Enter.

    3. Hold 'Ctrl' on your keyboard and press the 'Z' key once, '^Z' will be displayed, press Enter on your keyboard and '1 file(s) copied' will be displayed.

    4. Type "exit" (no quotes) to close the DOS window.

    5. Navigate into this folder 'C:\Windows\System32' and look for the file 'lockdrive.cmd', right click it and select 'create shortcut' a new file called 'lockdrive.cmd shortcut' will appear below it. Right click the shortcut file and select 'Cut'.

    6. Navigate to 'C:\Users\*YOUR USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs' right click in a blank area of the window where your Accessories and Administrative Tools are (being sure not to highlight one of the other files) and select 'Paste'.

    7. Right click the 'lockdrive.cmd shortcut' and select 'Rename' and just call it 'Lockdrive.cmd' and press Enter, then close all windows.

    8. Click 'Start', select 'All Programs' and look for your 'lockdrive.cmd' file. Put your mouse on it, left click and hold the button down. Drag it down to the 'Back' selection which was 'All Programs' and wait for the first Start Menu to appear, move your mouse up to a blank area and release the button. If done correctly you should now have 'lockfile.cmd' on your main Start menu. Click it to lock your drive.

    9. Navigate to 'Control panel / Folder options' and on the 'General' tab select 'Restore Defaults' and Apply. Select the 'View' tab and select 'Restore Defaults' and Apply. Click 'OK' and you’re done.

    Thanks to Inge for this short and perfect work-around.

    Phill Thorne.

     

    • Proposed as answer by Phill Thorne Wednesday, July 21, 2010 2:04 AM
    Wednesday, July 21, 2010 1:55 AM
  • Thanks to everyone on here and all the contributions I was finally able to piece this together and now have a fully working and simple solution.

    1.  Open notepad and copy the following text into it, then save as "relock_bde.reg" 

    Windows Registry Editor Version 5.00
    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5)"
    @="Relock drive..."
    "HasLUAShield"=""
    "MultiSelectModel"="Single"
    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2d,00,6c,00,\
      6f,00,63,00,6b,00,2e,00,76,00,62,00,73,00,20,00,25,00,31,00,00,00 

     

    2.  Double click on the relock_bde.reg to add the information into the registry.

    3.  Open notepad and copy the following text into it.  Then save as "manage-bde-lock.vbs", and copy to c:\windows\system32

    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
     Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    Args = Replace(Args,":\",":")
    CreateObject("Shell.Application").ShellExecute "manage-bde.exe", "-lock -forcedismount " & Args, "", "runas", 1

     

    Thanks heitbaum and Les Ferch.  You got me 90% of the way there, just needed to figure out how to elevate a script from within itself.

     

    • Proposed as answer by brent413 Thursday, October 7, 2010 10:25 AM
    • Edited by brent413 Thursday, October 7, 2010 9:01 PM robustness of script
    Thursday, October 7, 2010 10:25 AM
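
Several posts above ship the context-menu command as a hex(2) (REG_EXPAND_SZ) value, which hides what the menu entry will run. The following is an added example, not code from any poster in this thread: it decodes hex(2) values in .reg text so the command can be read before the file is imported. The function name ConvertFrom-RegHex2 and the UsesFullPath check are assumptions made for illustration; the sample is the command value from the post directly above.

```powershell
# Added example (not from the thread): decode hex(2) / REG_EXPAND_SZ values in
# .reg text so the command they register can be reviewed before importing.

function ConvertFrom-RegHex2 {
    param([Parameter(Mandatory)][string]$RegText)

    # A trailing backslash continues the value on the next line; join those first.
    $joined = $RegText -replace '\\[ \t]*\r?\n[ \t]*', ''

    $key = $null
    foreach ($line in ($joined -split '\r?\n')) {
        $line = $line.Trim()

        if ($line -match '^\[(.+)\]$') {
            $key = $Matches[1]              # remember which key the values belong to
            continue
        }

        if ($line -match '^(@|"[^"]*")=hex\(2\):([0-9a-fA-F,]*)$') {
            $rawName = $Matches[1]
            $hex     = $Matches[2]
            $name    = if ($rawName -eq '@') { '(Default)' } else { $rawName.Trim('"') }

            # hex(2) data is UTF-16LE text with a terminating NUL character.
            $bytes = [byte[]]@($hex -split ',' |
                               Where-Object { $_ } |
                               ForEach-Object { [Convert]::ToByte($_, 16) })
            if ($bytes.Count % 2) {
                Write-Warning "Odd byte count under [$key]; value may be truncated."
            }
            $text = [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)

            [pscustomobject]@{
                Key          = $key
                Name         = $name
                Command      = $text
                # Review aid: a bare file name is resolved through the search path
                # and working directory when the menu entry is clicked.
                UsesFullPath = [bool]($text -match '^"?([A-Za-z]:\\|%[^%]+%\\)')
            }
        }
    }
}

# Sample input: the command value from the relock_bde.reg post above.
$sample = @'
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
@=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
  00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2d,00,6c,00,\
  6f,00,63,00,6b,00,2e,00,76,00,62,00,73,00,20,00,25,00,31,00,00,00
'@

ConvertFrom-RegHex2 -RegText $sample | Format-List
```

To check a downloaded file, pass its contents with -RegText (Get-Content -Raw <file>) instead of the sample.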
  • For the computer dummies out there (like me) I found this web page very useful - it's got step by step advice with pictures!

    http://www.techkings.org/tweaks-tips-windows/11415-re-locking-drive-using-bitlocker-windows-7-a.html

    What I find galling is that over a year ago the moderator found this problem to be "a potential security bug" worthy of reporting to some internal team, or other.  

    The problem with forums like this is that, whilst helping people, encourages Microsoft to do nothing at all - "Let the idiots sort it themselves"!!!

    Wednesday, November 3, 2010 2:59 PM
  • Another potential security issue is that someone listed in the local admin group can access the drive in its unlocked state.  However, they are denied access with no option to unlock it when connecting over the network.  It would be nice if the drive had the option to require that anyone trying to access it needs to know the password.

    Wednesday, March 9, 2011 3:45 PM
  • Hey Brent413,

    I have followed these instructions to the letter and I get a "Windows Script Host" error. "Can not find script file "C:\Windows\system32\manage-bde-lock.vbs"" and the file has clearly been placed in the System32 folder.

     


    • Edited by Henry2012 Friday, December 9, 2011 5:27 PM
    Friday, December 9, 2011 5:25 PM
  • use this.

    in notepad type:

    manage-bde X: -lock

    X = Drive Letter!!!!!

    now save the notepad file as a .bat file.

    when you open the file, run as admin! 

    and now it should be locked!!!

    Saturday, December 17, 2011 10:34 PM
  • One of the Most useful post found on this topic , how to relock the encrypted drive without restarting ...Only 2 Simple steps....

    visit

    http://www.spreadbytes.com/2012/01/how-to-lock-bitlocker-encrypted-drive.html



    • Edited by Nameer MNM Tuesday, January 10, 2012 6:03 AM
    Tuesday, January 10, 2012 5:49 AM
  • What happened Mr. Zhang? Did you report it to your so called internal team? And did they even give a damn to what you told them? :P

    Microsoft products: lavishly packed and advertised, yet useless stolen crap.

    Even after almost three years of development and testing there is no solution to this silly bug. Of course they keep updating with tons of useless updates.

    Tuesday, January 24, 2012 11:50 AM
  • That worked like a charm, Thanks you so much!
    Wednesday, January 30, 2013 4:34 PM
  • open notepad write this code:

    manage-bde -lock D:                   

                          // D is the corresponding drive name (use your own drive letter instead).

    save the file as "lock.bat"

    close the notepad and run the created file as administrator or create a shortcut to

    desktop> properties> shortcut> advance> check the "run as admin" < close all.

    and now double click the shortcut it will lock the drive anytime you want.

    • Proposed as answer by nazifmal Monday, April 8, 2013 8:54 AM
    Monday, April 8, 2013 8:52 AM
  • Open text editor and enter the below code, change 'D' to the specific drive you wish to lock. Then save as where ever you want (I personally save them in the drive itself) and save it as "filename.bat", quotes included; filename can be whatever you want it to be of course.

    EX: "Lock.bat"

    manage-bde -lock -forcedismount D:

    This method does not require admin privileges.

    • Edited by Thomas Casey Sunday, August 11, 2013 10:05 PM
    • Proposed as answer by anupam_luv Monday, September 9, 2013 11:27 AM
    • Unproposed as answer by anupam_luv Monday, September 9, 2013 11:27 AM
    • Proposed as answer by dvdepps812 Tuesday, April 29, 2014 11:31 PM
    Sunday, August 11, 2013 10:03 PM
  • It does require admin rights to run the command.

    This command is of no use for an end user who does not have admin rights on his machine, and this is a bug from Microsoft even though people say that it's a problem between the keyboard and chair in case a person leaves his machine logged on. But even if a person leaves his machine locked, another domain user can log on to his machine and see the content of the unlocked bitlocker drive. So there should be some feature to easily lock the drive in the same way as it's easily unlocked.


    Thanks Chandan

    Thursday, December 5, 2013 10:38 AM
  • I know that this thread is old and has been necro'd and all of that, but I just wanted to add to it. I'm fine with the batch files suggested to re-lock the drive, but the problem I'm running into is that once I use it, I can't get back into the re-locked drive until I log out and log back in at least. It just says "Access is denied" and, like I said, won't ask for my password until a relog or reboot. Once I do that, it asks for my password and lets me in just fine. Anybody else experiencing this problem or have a work-around?

    BTW, if I use the manage-bde -status command after I have re-locked the drive, it says "ERROR: An attempt to access a required resource was denied."

    • Edited by dblizard Friday, December 20, 2013 10:26 PM Added more details
    Friday, December 20, 2013 10:17 PM
  • Hi,

    By using the following command you can lock the drive; you can also create a script so you just have to click it if you want to lock the drive:

    manage-bde -lock -forcedismount driveletter:

    Thanks

    Salman Ali

    www.salmanaliblog.com

    Thursday, December 26, 2013 9:28 AM
  • Go to Control Panel -> Manage Bit locker and unlock your D drive using your password.

    Back up your recovery key to a file. Get the Recovery Key (Ex: 240536-642752-211409-491690-520026-693407-016863-529159) saved in that file.

    use the following command to automate the process of unlocking: manage-bde -unlock D: -recoverypassword 240536-642752-211409-491690-520026-693407-016863-529159

    automate process of locking : manage-bde -lock D: -forceDismount

    You can create .bat files by using notepad and save as xyx.bat files. where xyx is file name.


    Thanks & Regards, Vishal

    Wednesday, May 7, 2014 2:42 AM
  • The simple answer here is to power off the external drive.... when you power it back on it is locked again.
    Friday, July 4, 2014 3:31 PM
  • Just search on google for a file Add-Lock-Drive-Bitlocker download it and run the registry file Add-Lock-Drive and an option will appear click on Ok after then copy Lock-bde in your folder path C:\windows\system32 the problem will be solved 100% I tried and enjoy bitlocker for my privacy. 

    Sunday, April 19, 2015 12:43 PM
  • what is the command to type into the cmd shell to achieve the relock?

    Saturday, May 28, 2016 5:54 PM
  • Yeah! same problem since I upgraded to Anniversary edition.  Bitlocker worked just fine in the free version of Win 10    Why should we have to do your guy's job with scripts and Cmd lines????????????,

    Thursday, August 18, 2016 4:40 PM
  • why the fuck should I have to do their fticking JOB!!!!!!!!! this shit just pisses me right right fucking off, the damn thing encrypts just fine, what did they get fricking lazy' or was it on purpose????????.

    Thursday, August 18, 2016 4:45 PM
  • Thank you very much for helping me a lot.

    Btw, code "manage-bde -lock drivename: " should be changed to "manage-bde -lock -forcedismount drivename: " in windows 10

    Monday, October 17, 2016 12:41 PM
  • thanks a lot. this is very helpful
    Wednesday, November 16, 2016 5:11 AM
  • Command prompt works fine to lock/unlock a drive.   BUT Explorer has a bug and will not display the contents of the 'unlocked' drive.   This is a reproducible bug. 

    My Drive D: is under the control of BitLocker using Win10 and Surface Pro 2. 
    To produce the bug.
    For the locked drive [D:], in administrator Command Prompt mode, enter "manage-bde -unlock D: -Password"  This gives a command line request for my password. I enter the password and D: is unlocked and its contents accessible by commands such as Dir D: as expected.
    Bugs.
    Viewing the drive in Explorer, the Icon has a gold closed Lock which is incorrect. 
    Double click D: results in the following 3 line message; 
        "BitLocker D:  
        "The drive protected by Bit Locker 
        "Drive encryption is already unlocked.  
    BUT Explorer fails to give access to the contents of D: which is incorrect.

    The Right-click menu for D: includes "Unlock Drive.." in bold.  Clicking on this menu entry triggers the same 3 line message as above.

    Friday, December 30, 2016 5:36 PM
  • Hey that worked! Thanks. I can't believe you can't just right click and lock it! It's 2017.. I used to use Truecrypt and you'd just unmount it.
    Friday, March 24, 2017 10:44 AM
  • thanks bro , you are great

    Tuesday, July 18, 2017 11:17 PM
  • Thank you jonnypommy...
    this is working fine...
    • Edited by Teja564 Sunday, July 23, 2017 3:09 PM
    Sunday, July 23, 2017 3:08 PM
  • Hi,

    I have read the answers but they were not fully doing what I required...

    Here is what I did to get the drive locked every time I leave the system:

    1. Open the Run dialog (Windows+R) and type "taskschd.msc".
    2. Select "Create Task..." from the menu. "Don't create Basic Task"
    3. In General name it as "Lock Data Drive" or anything you like, select Run User logged or not with highest privileges and click Next.
    4. For "Trigger", select "On Workstation lock" with any user.
    5. For "Actions" "Start a Program" write this >> C:\Windows\System32\manage-bde.exe and in arguments "-lock DriveLetter with : "

    That's it, every time you leave the desk just lock the computer and the drive will get locked.

    Regards

    MZK 





    Tuesday, August 29, 2017 7:31 AM
  • This works for a "user lock" but not for a "user sign out" (at least it doesn't on Server 2016). In order to lock the drive when signing out you can use gpedit.msc / User Configuration / Windows Settings / Logoff. It appears it only works with PowerShell Scripts and "Run Windows PowerShell script first" selected. The script e.g. LockDriveE.ps1 contains what others have written in this thread: manage-bde -lock -forcedismount E:

    Don't panic! Debug it.

    Thursday, February 22, 2018 6:10 AM
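
The scheduled-task and logoff-script posts above each hard-code one drive letter and never check that the lock took effect. The following is an added example, not code from either poster: it locks every unlocked BitLocker data volume and verifies the result. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Lock-BitLocker), which ships with Windows 8 / Server 2012 and later but not Windows 7, and an elevated context; the log path is a hypothetical choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): lock every unlocked BitLocker data volume
# and confirm the result. Meant to be the action of an elevated scheduled task
# or logoff script like the ones described above.

$logPath = Join-Path $env:ProgramData 'Lock-DataVolumes.log'   # hypothetical log location

function Write-LockLog([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $logPath -Value "$stamp $Message"
}

# Only data volumes that are encrypted, protected and currently unlocked.
# The operating system volume cannot be locked while Windows is running.
$targets = Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'Data' -and
    $_.ProtectionStatus -eq 'On' -and
    $_.LockStatus -eq 'Unlocked'
}

$failed = 0
foreach ($vol in $targets) {
    $mp = $vol.MountPoint
    try {
        # -ForceDismount closes open handles, as in "manage-bde -lock -forcedismount".
        Lock-BitLocker -MountPoint $mp -ForceDismount -ErrorAction Stop | Out-Null

        # Do not trust the absence of an error: re-read the state.
        $after = (Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop).LockStatus
        if ($after -ne 'Locked') { throw "LockStatus is still $after" }

        Write-LockLog "locked ${mp}"
        if ($vol.AutoUnlockEnabled) {
            Write-LockLog "note: auto-unlock is enabled for ${mp}"
        }
    }
    catch {
        $failed++
        Write-LockLog "FAILED ${mp}: $($_.Exception.Message)"
    }
}

# Non-zero exit code so Task Scheduler history shows a failed run.
exit $failed
```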
  • Open cmd as Administrator

    Use following command: U r done

    manage-bde -lock -ForceDismount X:

    X can be D or E or C etc

    Wednesday, March 6, 2019 2:45 PM