Sunday 9 April 2017

System startup script to auto unlock BitLocker encrypted drive

Or, Auto unlock BitLocker encrypted drive without login in windows
Or, BitLocker encrypted drive auto unlock at system reboot
Or, How to setup system startup script in windows machines

Description: If the OS disk is encrypted using BitLocker encryption, TPM PIN or password is prompted at the startup screen and once your enter the required authentication details you are in. The problem is when you have other Data drive encrypted with BitLocker encryption and you have set some password to it.

Every time system reboots, you have to enter the BitLocker password for that drive manually or if you have enable auto unlock, the drive gets unlocked as soon as you logged in with your windows credentials.

Imagine the situation where you have enabled BitLocker encryption for Data drive on some servers and those servers got rebooted due to failures or any reason. Friends, even if you have enabled Auto unlock at that drive, it will not, because to get this auto unlock work, someone should login in the windows.

Scenario: I have a Server, Windows Server 2012 R2 and there are two Drives in this server (C:\OS-Disk and D:\Data-Disk). Data Disk is encrypted with BitLocker encryption (with password) and Auto unlock option is enabled on this disk.

Whenever there is a system reboot, I have to login in the server to make sure the drive is auto unlocked and data is accessible. This auto unlock feature is user based and the user for which this drive is not having auto unlock feature enabled, has to enter the BitLocker password manually to unlock the drive after login in to the windows.

Problem: Whenever there is System failure and no one is available to login in the server, the encrypted data drive will not be unlocked and encrypted data will remain inaccessible until someone login in the server.

Solution/Workaround: We can use manage-bde cmdlets to auto unlock the encrypted data drives at system startup. Even if no one login in the server, the drives will be auto unlocked at the startup whether it is system’s expected or unexpected reboot.

BitLocker Recover Key (exported at the time of encryption)
Administrative access on the server to edit the local system policy (gpedit.msc)
Basic knowledge of local group policy and .bat script.

Steps: Setting up Data drive auto unlock at system startup

Open the BitLocker Recovery Key file and Copy the 48 digit Recover Key.
Prepare a small .bat script using below command example:

manage-bde -unlock D: -RecoveryPassword xxxxxx-xxxxxx- xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

Copy and paste the above command in a Notepad file and Save as .bat file extension. Replace the XXXXXX 48 digit key with your Encrypted data drive’s Recovery key.
In my case, the script file name is test.bat

Now, on the local server, go to Run and open gpedit.msc

Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Click on Startup

From the Startup properties, Click on Show Files…

This will take you to the path where startup scripts are kept. Paste your .bat file here. In my case, its test.bat.

Now again go to the Startup Properties > Click on Add

Click Browse

Select the .bat script file > Click on Open > Click OK

Click on Apply > Click on OK

That’s it, you are done with setting up auto unlocking of BitLocker encrypted data drive.

Updated: 07/05/2017
IMP Note: Even if bitlocker is not supported for bootable OS disk of Virtual Machines, you can still encrypt the bootable drives of VMs if you wish to. Startup password prompt and drive unlocking functionalities will be same as hardware based computers.

Cheers, please write me back if you have any query or feedback on this.


  1. thank you for this post!! i've taken your idea and made it more secure by using autoit to create .exe that in turn runs upon startup via gpedit/startup scripts :)

    1. Thats Great..Thanks a lot for your feedback, input and improvement efforts.. Appreciate it..

  2. Sorry, but this info is wrong. Auto-unlock is per system, not per user. Other protectors (SID-protectors) are per user, but not this one. Simply use autounlock (yes, we use it ourselves that way on multiple server 2012 R2). No need for action.

  3. Hey Bernd, Thanks for writing me back.. Auto unlock is per system only for OS drive (not for data drive e.g D:\). Encrypted data drive auto-unlock works per user profile.

    In this article, the workaround is explained about Data drive (D:\ Or E:\ etc..).

    If the data disk is encrypted and a user-1 have set the drive setting to auto unlock, whenever server reboot take place the encrypted data drive will be unlocked only when the user-1 will login to the server. And this practice has to be repeated on every reboot.

    Imagine, if User-1 is not available when server reboot was done?? Yes, available User-2 will try to login in to the server but the data drive will not be auto unlocked. User-2 will have to unlock it manually and then set the drive auto-unlock option for his/her profile as well so that from next reboot onward user-2 can also enjoy the auto-unlocking of encrypted data drive.

    Just my re-assurance I have tested this function in lab again and it is exactly what I explained in this article.

    Thanks Again for your valuable inputs..

  4. Auto-unlock functions as Bernd says only if the OS disk is encrypted. On physical hardware which contains a TPM module, it works without user intervention - in virtual machines (specifically ESX, hyper-v allows the TPM module to be emulated) you cannot encrypt the OS disk without requiring a USB key or password entered on boot.

    Using Bitlocker to encrypt the data drive without the system drive encrypted requires the workaround described here.

  5. I know this is an old thread, but here goes. Seems Microsoft has changed something to make this more difficult. the manage-bde command works perfectly to unlock the drive...but something else happens when run in a startup script that removes access for users! So users still can't access the file shares without admin intervention.

  6. I just tried this method with Windows 10 #2004 and it's still working. I am storing my userprofile on the additional fixed disk I have to unlock via script. The fixed drive is also shared.

    I can access the share via network when system shows login prompt and of course login itself works.

    1. Hi, Thanks for your valuable inputs.

    2. Quick update: I think I get what comment from 2020-06-02 experienced. Using the script isn't really reliable. while I was testing yesterday, it worked all the time... when I started the system today the drive was locked when I tried to logon.

      I extended the script to add some logging and try to do it in a loop with 3 attempts.

      Wondering if it is possible that async execution could get into the way. In my case I am using a single workstation without a domain but it's possible that Windows 10 allows login even when computer policies (including startup scripts) haven't returned yet. Maybe I'll have to force non-async mode (

    3. Final Update:

      I found the problem!

      Windows 10 (including corresponding server version) got a feature called "FastBoot" (or "fast startup" or "Hiberboot"). When this is enabled (default), the system will not really shutdown. Instead it will go into hibernate for session 0. Thus on next power on, it's basically resuming in which case it doesn't execute any computer startup script.

      In addition, startup scripts are considered deprecated, see

      However, I tried to do the same using Task Scheduler with "on startup" trigger and it's also not firing (I guess for the same reason).

      So I ended up with disabling "fast boot".

    4. Great, Thanks for the update!

  7. SO Im going to store a file containing the plaintext recovery key on the same system thats encrypted? Why even bother encrypting in the first place?

    1. This is just scenarios where folks keeps on struggling a lot, may be the systems they have are secured using other means like firewall, DLP, AV, etc... but when it comes to dealing with encryption, it becomes very difficult to handle the scenarios as described above in the article.

      Thanks for writing in!

      Happy Reading and Sharing!

  8. The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking for a volume protected by BitLocker Disk Encryption.

  9. I know this is an old post and but thanks for this article since it pointed me in the right direction. In "my" scenario, I needed to encrypt a fixed drive that a network "client" was supposed to access to read live video recording data. Even though the fixed drive was set up to auto-unlock, the client could not retrieve any data unless I logged on to the server. The safest solution I found was to grant "Log on as a service" access rights to the Windows user used to sign in from the network client. So, in my case, no need for plaintext recovery key stored locally in a script.

    1. Thanks a lot your inputs and feedback. Happy reading.

  10. thank you very much. I struggled with this problem for days and finally found the answer from you.

    1. Glad to know this. Thanks for taking time and writing your feedback!

  11. I want to auto unlock the OS disk(C:) on startup in windows 10 on vm. Does this work for that too.

  12. On startup in Windows 10 (Geneartion-1) on a virtual machine, the OS disk (C:) is automatically unlocked, but the password is still asked for, I would appreciate any input in resolving this issue that has been pending for a long time.

  13. Thank you for making this post. I use it for USB drives that need to be unlocked automatically, for Windows Server Backup and similar (Bitlocker to Go). I found that using a fixed data drive allows you to auto-unlock it without using a script. The host OS is Server 2022, group policy has been set to allow automatic unlock of the OS drive by a USB key (the BEK file is store on a USB key). A new data drive was added to the server and encrypted by "manage-bde -on -UsedSpaceOnly w: -recoverykey c: -recoverypassword" and "manage-bde -autounlock -enable w:". This enabled Bitlocker on the W:\ drive and saved the BEK key file to the root of the C:\ drive (which is also encrypted by Bitlocker). A network share was created on the W:\ drive and the server was rebooted several times, the share worked without having to logon. Note: this won't work for a USB or removable drive, I tested it and the share only worked after logging in again (for USB drives), it seems Bitlocker 2 Go handles things differently. Thank you again for the original post, it was a source of hope when trying to find solutions.