Auto unlock a BitLocker encrypted drive without login in Windows
Or, BitLocker encrypted drive auto unlock at system reboot
Or, How to set up a system startup script on Windows machines
Description: If the OS disk is encrypted with BitLocker, you are prompted for the TPM PIN or password at the startup screen, and once you enter the required authentication details you are in. The problem is when you have another data drive encrypted with BitLocker and have set a password on it. Every time the system reboots, you have to enter the BitLocker password for that drive manually, or, if you have enabled auto unlock, the drive gets unlocked as soon as you log in with your Windows credentials.
Imagine the situation where you have enabled BitLocker encryption for the data drive on some servers and those servers get rebooted due to failures or any other reason. Friends, even if you have enabled auto unlock for that drive, it will not unlock, because for auto unlock to work someone has to log in to Windows.
Scenario: I have a server running Windows Server 2012 R2, and there are two drives in this server (C:\OS-Disk and D:\Data-Disk). The data disk is encrypted with BitLocker (with a password) and the auto unlock option is enabled on this disk.
Whenever there is a system reboot, I have to log in to the server to make sure the drive is auto unlocked and the data is accessible. This auto unlock feature is user based, and a user for whom auto unlock is not enabled on this drive has to enter the BitLocker password manually to unlock the drive after logging in to Windows.
Problem: Whenever there is a system failure and no one is available to log in to the server, the encrypted data drive will not be unlocked, and the encrypted data will remain inaccessible until someone logs in to the server.
Solution/Workaround: We can use the manage-bde command-line tool to auto unlock the encrypted data drives at system startup. Even if no one logs in to the server, the drives will be auto unlocked at startup, whether it is an expected or an unexpected reboot.
Prerequisites:
BitLocker Recovery Key (exported at the time of encryption)
Administrative access on the server to edit the local system policy (gpedit.msc)
Basic knowledge of local group policy and .bat scripts
Steps: Setting up data drive auto unlock at system startup
Open the BitLocker Recovery Key file and copy the 48-digit Recovery Key.
Prepare a small .bat script using the command example below:
@echo off
rem Unlock the D: data drive with its 48-digit BitLocker recovery password
manage-bde -unlock D: -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
Copy and paste the above command into a Notepad file and save it with the .bat file extension. Replace the xxxxxx placeholders (the 48-digit key) with your encrypted data drive's Recovery Key.
In my case, the script file name is test.bat.
Now, on the local server, go to Run and open gpedit.msc.
Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and click on Startup.
From the Startup properties, click on Show Files…
This will take you to the path where startup scripts are kept. Paste your .bat file here. In my case, it's test.bat.
Now go back to the Startup properties and click on Add.
Click Browse, select the .bat script file, click on Open, then click OK.
Click on Apply, then click on OK.
That's it, you are done with setting up auto unlocking of the BitLocker encrypted data drive.
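The same unlock step as a PowerShell startup script, added here as an example (my code, not the post's .bat): it only attempts the unlock when the volume actually reports Locked, re-checks the result, and writes the outcome to the Application event log so an unattended failure is visible afterwards. It assumes drive D:, the BitLocker PowerShell module that ships with Windows Server 2012 R2, and the placeholder replaced with the real 48-digit recovery password.

```powershell
# Added example, not from the original post: unlock a BitLocker data drive at
# startup using its recovery password, with a lock-state check and event logging.
# Assumptions: mount point D:, BitLocker PowerShell module available,
# placeholder below replaced with the real 48-digit recovery password.
$MountPoint       = "D:"
$RecoveryPassword = "xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx"  # placeholder
$LogSource        = "BitLockerStartupUnlock"

# This file holds the recovery password in clear text, so keep the NTFS
# permissions on the script restricted to SYSTEM and Administrators.

# Register our event source once so Write-EventLog can use it.
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-UnlockLog($EntryType, $EventId, $Message) {
    Write-EventLog -LogName Application -Source $LogSource `
        -EntryType $EntryType -EventId $EventId -Message $Message
}

try {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Nothing to do if the volume is already accessible (for example after a
    # reboot where another protector already unlocked it).
    if ($vol.LockStatus -eq "Unlocked") {
        Write-UnlockLog "Information" 1000 "$MountPoint is already unlocked; nothing to do."
        return
    }

    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop | Out-Null

    # Re-read the status instead of trusting the cmdlet's return object.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq "Unlocked") {
        Write-UnlockLog "Information" 1001 "$MountPoint unlocked at startup."
    } else {
        Write-UnlockLog "Error" 1002 "$MountPoint still reports LockStatus=$($vol.LockStatus) after the unlock attempt."
    }
}
catch {
    Write-UnlockLog "Error" 1003 "Unlock of $MountPoint failed: $($_.Exception.Message)"
}
```

Add it on the PowerShell Scripts tab of the same Startup properties dialog rather than the Scripts tab used for the .bat file.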
Updated: 07/05/2017
IMP Note: Even though BitLocker is not supported for the bootable OS disk of virtual machines, you can still encrypt the bootable drives of VMs if you wish to. The startup password prompt and drive unlocking functionality will be the same as on hardware based computers.
Cheers, please write back to me if you have any query or feedback on this.