Auto unlock BitLocker encrypted drive without login in Windows
Or, BitLocker encrypted drive auto unlock at system reboot
Or, How to set up a system startup script on Windows machines
Description: If the OS disk is encrypted with BitLocker, you are prompted for the TPM PIN, startup key or password at the startup screen, and once you enter it you are in. The problem is a second, data drive that is also BitLocker-encrypted and protected with a password. On every reboot you either enter that drive's BitLocker password manually or, if you have enabled auto unlock, the drive is unlocked as soon as you log in with your Windows credentials.
Imagine you have enabled BitLocker on the data drive of some servers and those servers get rebooted after a failure or for any other reason. Even with auto unlock enabled on that drive, the data stays locked until someone logs in to Windows. (Caveat: auto unlock for a fixed data drive is only offered when the OS drive is itself BitLocker-protected; in that case the key is kept on the protected OS volume and the data drive is unlocked during boot, before anyone logs on, as readers confirm in the comments below. The workaround described here is meant for the case where that is not an option, for example a VM without a TPM whose OS drive is not BitLocker-protected.)
Scenario: I have a Windows Server 2012 R2 server with two drives (C:\ OS disk and D:\ data disk). The data disk is BitLocker-encrypted with a password, and the auto unlock option is enabled on it.
Whenever the system reboots, I have to log in to the server to make sure the drive is auto unlocked and the data is accessible. In this setup the auto unlock is tied to the user profile that enabled it: any user who has not enabled auto unlock for the drive has to enter the BitLocker password manually after logging in to Windows.
Problem: Whenever there is a system failure and nobody is available to log in to the server, the encrypted data drive is not unlocked and its data remains inaccessible (to services, scheduled jobs and network clients alike) until someone logs in to the server.
Solution/Workaround: We can use the manage-bde command-line tool in a computer startup script to unlock the encrypted data drive at system startup. Computer startup scripts run as SYSTEM before the logon screen appears, so even if no one logs in to the server the drive is unlocked at boot, whether the reboot was expected or unexpected.
Security caveat: the script holds the drive's 48-digit recovery password in plaintext on the same server. Anyone who can read that file, or who takes the physical or virtual disk of a server whose OS drive is not BitLocker-protected, can unlock the data drive with it, so this workaround trades BitLocker's protection against offline disk theft for availability. Keep the OS drive BitLocker-protected, restrict the script's NTFS permissions to SYSTEM and Administrators, and where the OS drive is protected prefer the built-in fixed-drive auto unlock over a script, since it keeps the key on the protected OS volume and needs no logon.
Prerequisites:
The drive's 48-digit BitLocker recovery password (saved when the drive was encrypted; manage-bde -unlock -RecoveryPassword takes this numeric password, not the .bek recovery key file)
Administrative access on the server to edit the local group policy (gpedit.msc)
Basic knowledge of local group policy and .bat scripts
Steps: Setting up data drive auto unlock at system startup
1. Open the BitLocker recovery key file and copy the 48-digit recovery password.
2. Prepare a small .bat script using the commands below as an example:
@echo off
rem Unlock the BitLocker-encrypted data drive D: with its 48-digit recovery password
manage-bde -unlock D: -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
Copy and paste the above commands into a Notepad file and save it with a .bat extension. Replace the xxxxxx groups with your encrypted data drive's 48-digit recovery password: eight groups of six digits separated by hyphens, with no spaces. In my case, the script file name is test.bat.
3. On the local server, go to Run and open gpedit.msc.
4. Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double-click Startup.
5. In the Startup Properties dialog, click Show Files... This opens the folder where startup scripts are kept. Paste your .bat file here (in my case, test.bat). Check the file's NTFS permissions with icacls: it contains the recovery password in plaintext and should be readable only by SYSTEM and Administrators.
6. Back in Startup Properties, click Add, then Browse, select the .bat script file, click Open, then OK.
7. Click Apply, then OK.
That's it; you are done setting up auto unlocking of the BitLocker-encrypted data drive.
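The same startup unlock written in PowerShell, as an added example (not the post's test.bat): it uses the BitLocker module's Unlock-BitLocker, the cmdlet equivalent of manage-bde -unlock, checks the lock state first, retries a few times in case the volume is not yet enumerated early in boot, and logs each attempt without ever writing the password to the log. The drive letter, log path, retry count and the placeholder recovery password are assumptions; the plaintext-key caveat from the Solution section applies to this file exactly as it does to the .bat.

```powershell
# Added example, not code from the original post.
# Unlocks a BitLocker data volume with its 48-digit recovery password at
# computer startup, with retries and logging. Run as SYSTEM via Computer
# Configuration > Windows Settings > Scripts (Startup) > PowerShell Scripts.
# Assumptions (not from the post): D: as the data volume, the log path,
# 3 attempts 10 s apart. The recovery password is a placeholder.
# CAVEAT: this file is a plaintext copy of the key that unlocks the volume.
# Keep it on a BitLocker-protected OS volume with an ACL limited to
# SYSTEM and Administrators, or the encryption buys you nothing.
param(
    [string]$MountPoint       = 'D:',
    [string]$RecoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888',
    [string]$LogPath          = 'C:\Windows\Temp\bitlocker-unlock.log',
    [int]$Attempts            = 3,
    [int]$DelaySeconds        = 10
)

function Write-Log([string]$Message) {
    # Timestamped, append-only log. Never log $RecoveryPassword.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Fail fast on a malformed password: eight groups of six digits, hyphen-separated.
if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
    Write-Log 'Recovery password is not in the 48-digit format; aborting.'
    exit 2
}

for ($i = 1; $i -le $Attempts; $i++) {
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        # Volume not enumerated yet (common early in boot): wait and retry.
        Write-Log "Attempt ${i}: $MountPoint not available yet ($($_.Exception.Message))"
        Start-Sleep -Seconds $DelaySeconds
        continue
    }

    if ($vol.LockStatus -eq 'Unlocked') {
        Write-Log "Attempt ${i}: $MountPoint is already unlocked."
        exit 0
    }

    try {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop | Out-Null
        Write-Log "Attempt ${i}: unlocked $MountPoint with the recovery password."
        exit 0
    } catch {
        Write-Log "Attempt ${i}: Unlock-BitLocker failed: $($_.Exception.Message)"
        Start-Sleep -Seconds $DelaySeconds
    }
}

Write-Log "Gave up after $Attempts attempts; $MountPoint is still locked."
exit 1
```

Add it under the PowerShell Scripts tab of the same Startup Properties dialog (or call it from the .bat with powershell.exe -ExecutionPolicy Bypass -File), and after a reboot read the log to confirm which attempt succeeded; a non-zero exit code is what a monitoring check should alert on.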
Updated: 07/05/2017
IMP Note: Even where BitLocker on the bootable OS disk of a virtual machine is not officially supported, you can still encrypt the VM's boot drive if you wish. Without a (virtual) TPM this requires a startup password or startup key; the startup prompt and drive-unlock behaviour are then the same as on hardware-based computers.
Cheers, please write me back if you have any queries or feedback on this.
Comments:
Thank you for this post!! I've taken your idea and made it more secure by using AutoIt to create an .exe that in turn runs upon startup via gpedit/startup scripts :)
That's great. Thanks a lot for your feedback, input and improvement efforts. Appreciate it.
Sorry, but this info is wrong. Auto-unlock is per system, not per user. Other protectors (SID protectors) are per user, but not this one. Simply use auto-unlock (yes, we use it ourselves that way on multiple Server 2012 R2). No need for action.
Hey Bernd, thanks for writing me back. Auto unlock is per system only for the OS drive (not for data drives, e.g. D:\). Encrypted data drive auto-unlock works per user profile.
In this article, the workaround is explained for data drives (D:\ or E:\ etc.).
If the data disk is encrypted and user-1 has set the drive setting to auto unlock, whenever a server reboot takes place the encrypted data drive will be unlocked only when user-1 logs in to the server. And this has to be repeated on every reboot.
Imagine if user-1 is not available when the server reboot was done. Yes, the available user-2 will try to log in to the server, but the data drive will not be auto unlocked. User-2 will have to unlock it manually and then set the drive auto-unlock option for his/her profile as well, so that from the next reboot onward user-2 can also enjoy auto-unlocking of the encrypted data drive.
Just for reassurance, I have tested this function in the lab again and it is exactly as I explained in this article.
Thanks again for your valuable inputs.
Auto-unlock functions as Bernd says only if the OS disk is encrypted. On physical hardware which contains a TPM module, it works without user intervention; in virtual machines (specifically ESX; Hyper-V allows the TPM module to be emulated) you cannot encrypt the OS disk without requiring a USB key or a password entered on boot.
Using BitLocker to encrypt the data drive without the system drive encrypted requires the workaround described here.
Hi Nathan, thanks for your valuable inputs.
I know this is an old thread, but here goes. It seems Microsoft has changed something to make this more difficult. The manage-bde command works perfectly to unlock the drive... but something else happens when it is run in a startup script that removes access for users! So users still can't access the file shares without admin intervention.
Hi, thanks for your valuable inputs.
I just tried this method with Windows 10 2004 and it's still working. I am storing my user profile on the additional fixed disk I have to unlock via script. The fixed drive is also shared.
I can access the share via the network when the system shows the login prompt, and of course login itself works.
Hi, thanks for your valuable inputs.
Quick update: I think I get what the comment from 2020-06-02 experienced. Using the script isn't really reliable. While I was testing yesterday, it worked all the time... when I started the system today the drive was locked when I tried to log on.
I extended the script to add some logging and to try it in a loop with 3 attempts.
Wondering if it is possible that async execution could get in the way. In my case I am using a single workstation without a domain, but it's possible that Windows 10 allows login even when computer policies (including startup scripts) haven't returned yet. Maybe I'll have to force non-async mode (http://blogs.technet.com/b/askds/archive/2010/03/23/group-policy-script-processing-behavior.aspx).
Final update: I found the problem!
Windows 10 (including the corresponding server version) has a feature called "Fast Boot" (or "fast startup" or "Hiberboot"). When this is enabled (the default), the system will not really shut down. Instead it will go into hibernate for session 0. Thus on the next power-on it's basically resuming, in which case it doesn't execute any computer startup script.
In addition, startup scripts are considered deprecated, see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-startup-script-is-dead/ba-p/257831
However, I tried to do the same using Task Scheduler with an "on startup" trigger and it's also not firing (I guess for the same reason).
So I ended up disabling "fast boot".
Great, thanks for the update!
So I'm going to store a file containing the plaintext recovery key on the same system that's encrypted? Why even bother encrypting in the first place?
This is just for scenarios where folks keep on struggling a lot; maybe the systems they have are secured using other means like firewall, DLP, AV, etc., but when it comes to dealing with encryption, it becomes very difficult to handle the scenarios described above in the article.
Thanks for writing in!
Happy reading and sharing!
Yes, my thought exactly!
The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking for a volume protected by BitLocker Disk Encryption.
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock?view=windowsserver2019-ps
I know this is an old post, but thanks for this article since it pointed me in the right direction. In "my" scenario, I needed to encrypt a fixed drive that a network "client" was supposed to access to read live video recording data. Even though the fixed drive was set up to auto-unlock, the client could not retrieve any data unless I logged on to the server. The safest solution I found was to grant "Log on as a service" rights to the Windows user used to sign in from the network client. So, in my case, no need for a plaintext recovery key stored locally in a script.
Thanks a lot for your inputs and feedback. Happy reading.
Thank you very much. I struggled with this problem for days and finally found the answer from you.
Glad to know this. Thanks for taking the time and writing your feedback!
I want to auto unlock the OS disk (C:) on startup in Windows 10 on a VM. Does this work for that too?
On startup in Windows 10 (Generation 1) on a virtual machine, the OS disk (C:) is automatically unlocked, but the password is still asked for. I would appreciate any input in resolving this issue that has been pending for a long time.
Thank you for making this post. I use it for USB drives that need to be unlocked automatically, for Windows Server Backup and similar (BitLocker To Go). I found that using a fixed data drive allows you to auto-unlock it without using a script. The host OS is Server 2022; group policy has been set to allow automatic unlock of the OS drive by a USB key (the BEK file is stored on a USB key). A new data drive was added to the server and encrypted by "manage-bde -on -UsedSpaceOnly w: -recoverykey c: -recoverypassword" and "manage-bde -autounlock -enable w:". This enabled BitLocker on the W:\ drive and saved the BEK key file to the root of the C:\ drive (which is also encrypted by BitLocker). A network share was created on the W:\ drive and the server was rebooted several times; the share worked without having to log on. Note: this won't work for a USB or removable drive; I tested it and the share only worked after logging in again (for USB drives). It seems BitLocker To Go handles things differently. Thank you again for the original post, it was a source of hope when trying to find solutions.
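As an added example, not from the post or any commenter, tying together the two findings in the thread above (Fast Startup suppressing computer startup scripts after a "shutdown", and fixed-drive auto-unlock working at boot with no logon once the OS drive is BitLocker-protected): a PowerShell preflight that checks and disables Fast Startup, reports the BitLocker state of both volumes, and enables the script-free auto-unlock when its prerequisites hold. The drive letters, and running it from an elevated session, are assumptions.

```powershell
# Added example, not code from the original post or its commenters.
# Preflight for the script-free alternative to the startup-script workaround.
# Assumptions (not from the post): D: is the fixed data volume, the OS volume
# is %SystemDrive%, and this runs in an elevated PowerShell session.
param(
    [string]$DataVolume = 'D:',
    [string]$OsVolume   = $env:SystemDrive
)

# 1. Fast Startup (HiberbootEnabled=1) turns "shutdown" into a session-0
#    hibernate, so computer startup scripts never run on the next power-on.
$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiberboot -eq 1) {
    Write-Warning 'Fast Startup is enabled: startup scripts are skipped after a "shutdown". Disabling it.'
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
} else {
    Write-Output 'Fast Startup is off (or not present on this edition).'
}

# 2. Report the BitLocker state of both volumes.
$os   = Get-BitLockerVolume -MountPoint $OsVolume
$data = Get-BitLockerVolume -MountPoint $DataVolume
Write-Output ('{0} protection: {1}; {2} lock: {3}, auto-unlock enabled: {4}' -f `
    $OsVolume, $os.ProtectionStatus, $DataVolume, $data.LockStatus, $data.AutoUnlockEnabled)

# 3. Fixed-drive auto-unlock needs a BitLocker-protected OS volume, because
#    the external key for the data volume is kept there and released at boot.
if ($os.ProtectionStatus -ne 'On') {
    $msg = '{0} is not BitLocker-protected, so auto-unlock cannot be enabled for {1}; ' +
           'protect {0} first, or fall back to a startup-script unlock (plaintext key caveat applies).'
    Write-Warning ($msg -f $OsVolume, $DataVolume)
    exit 1
}

# The data volume must be unlocked once (password or recovery password)
# before its key can be stored for auto-unlock.
if ($data.LockStatus -eq 'Locked') {
    Write-Warning "$DataVolume is locked; unlock it once with Unlock-BitLocker, then rerun."
    exit 1
}

if (-not $data.AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint $DataVolume | Out-Null
    Write-Output "Auto-unlock enabled for $DataVolume; it will unlock during boot with no logon and no script."
} else {
    Write-Output "Auto-unlock is already enabled for $DataVolume."
}
exit 0
```

Reboot twice after running it (once via shutdown, once via restart) and confirm with Get-BitLockerVolume that the data volume shows LockStatus Unlocked before anyone logs on; if the OS volume cannot be protected, the earlier startup-script example is the fallback, and disabling Fast Startup remains necessary for it to fire.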