Turn On or Off Auto-unlock for BitLocker Drive in Windows 10  


  1. Posts : 4
    Windows 10
       #10

    Hi there,

    I'm quite new to BitLocker and would like some clarification. My case is that I have my precious data on an SD card on my laptop (can't afford a bigger SSD right now) which I carry around. I wanna make sure that if the SD card is taken out or the laptop is stolen the data on it can't be accessed.

    I've currently enabled BitLocker on both my system SSD drive and on my SD card but, as mentioned here before, it's asking for the password of the SD card every time which is kinda annoying.

    What does this 'auto-unlock' exactly mean? That the only thing stopping someone from getting access is my Windows login password? How safe is this? Can it be brute-forced or something?
    Last edited by bolshed; 06 Dec 2020 at 06:44. Reason: grammar


  2. Posts : 61,558
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #11

    bolshed said:
    Hi there,

    I'm quite new to BitLocker and would like some clarification. My case is that I have my precious data on an SD card on my laptop (can't afford a bigger SSD right now) which I carry around. I wanna make sure that if the SD card is taken out or the laptop is stolen the data on it can't be accessed.

    I've currently enabled BitLocker on both my system SSD drive and on my SD card but, as mentioned here before, it's asking for the password of the SD card every time which is kinda annoying.

    What does this 'auto-unlock' exactly mean? That the only thing stopping someone from getting access is my Windows login password? How safe is this? Can it be brute-forced or something?
    Hello bolshed,

    An encrypted drive is pretty hard to almost impossible to access without having its BitLocker password, recovery key, startup key, etc... to unlock it.

    Turning on auto-unlock for a BitLocker encrypted drive on a computer will have the drive automatically unlock whenever you connect it to the specific computer. It will not automatically unlock the drive on a different computer unless you turn on auto-unlock for the drive on each computer you want it to auto-unlock on.


  3. Posts : 4
    Windows 10
       #12

    Brink said:
    Hello bolshed,

    An encrypted drive is pretty hard to almost impossible to access without having its BitLocker password, recovery key, startup key, etc... to unlock it.

    Turning on auto-unlock for a BitLocker encrypted drive on a computer will have the drive automatically unlock whenever you connect it to the specific computer. It will not automatically unlock the drive on a different computer unless you turn on auto-unlock for the drive on each computer you want it to auto-unlock on.
    Ok but what happens if the whole laptop is stolen? I've heard about HID brute-forces and stuff. Can they do that if they have the computer and the time?

    Some people suggest using the TPM + PIN option. What's the difference with the Win login password? Is this the same as Windows Hello PIN? Many things one should consider when needing encryption.

    I'm confused.


  4. Posts : 61,558
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #13

    bolshed said:
    Ok but what happens if the whole laptop is stolen? I've heard about HID brute-forces and stuff. Can they do that if they have the computer and the time?

    Some people suggest using the TPM + PIN option. What's the difference with the Win login password? Is this the same as Windows Hello PIN? Many things one should consider when needing encryption.

    I'm confused.
    Using TPM + PIN to unlock your encrypted OS drive makes it more secure than just using TPM.

    The BitLocker encrypted OS drive gets unlocked at startup using whichever BitLocker unlock method you selected for it, then you are able to sign in to Windows 10 using whichever Windows sign in option you selected.

    The Windows sign in password and PIN are just two different sign-in options you can use to sign in to Windows 10. Either one will do, and their strength depends on how many numbers, letters, and characters and such you use for it. The longer and more random the stronger it will be.

    Basically, it's all about adding layers of security to make it harder if not impossible for your average person or thief to gain access. The stronger the better. A professional with the skills and equipment (ex: CIA, NSA, etc...), may eventually be able to break BitLocker with enough time, but this is not a likely concern.


  5. Posts : 4
    Windows 10
       #14

    Brink said:
    Using TPM + PIN to unlock your encrypted OS drive makes it more secure than just using TPM.
    The BitLocker encrypted OS drive gets unlocked at startup using whichever BitLocker unlock method you selected for it, then you are able to sign in to Windows 10 using whichever Windows sign in option you selected.
    The Windows sign in password and PIN are just two different sign-in options you can use to sign in to Windows 10. Either one will do, and their strength depends on how many numbers, letters, and characters and such you use for it. The longer and more random the stronger it will be.
    Basically, it's all about adding layers of security to make it harder if not impossible for your average person or thief to gain access. The stronger the better. A professional with the skills and equipment (ex: CIA, NSA, etc...), may eventually be able to break BitLocker with enough time, but this is not a likely concern.
    Thanks a lot for your answer!

    One last question - is it then OK to make only a pre-boot PIN for BitLocker and remove Win password/PIN? Writing 2 passwords every time will be a hassle. The pre-boot PIN looks safe enough to me.


  6. Posts : 61,558
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #15

    bolshed said:
    Thanks a lot for your answer!

    One last question - is it then OK to make only a pre-boot PIN for BitLocker and remove Win password/PIN? Writing 2 passwords every time will be a hassle. The pre-boot PIN looks safe enough to me.
    It's all just a matter of personal preference for what you want to use. The more you have, the more secure, but it can be more of a hassle to sign in to each all the time.


  7. Posts : 3
    Windows 10 Pro
       #16

    Unable to get Auto-Unlock to work using Option #2


    Unable to get Auto-Unlock to work using Option #2 (link below)
    Let me first explain the setup
    1. We are using SID Protector of devices on the domain
    2. We are setting up a local GPO for off-network machines (they run multi-million dollar machines and are never exposed to the network or internet)
    3. Because we need CMMC compliance we pretty much have to lock down the machines as much as possible. As such we have hidden the BitLocker Control Panel, removed Format from the Context Menu, and removed all other BitLocker related menu items from the Context Menu EXCEPT "HKEY_CLASSES_ROOT --> Drive --> shell --> unlock-bde"

    When we plug an encrypted drive into the computer it prompts for the password (that we cannot give to end users) and we check the box "Automatically unlock ....", but it does not work. We tried as a user and as a local admin and it never saves. These machines are used by multiple people with multiple flash drives so I need this to work with all users.

    Below is a list of all the Registry changes made, but I already tested one by one and combinations and none of these make a difference:
    HKEY_CLASSES_ROOT --> Drive --> shell --> change-passphrase
    HKEY_CLASSES_ROOT --> Drive --> shell --> change-pin
    HKEY_CLASSES_ROOT --> Drive --> shell --> encrypt-bde
    HKEY_CLASSES_ROOT --> Drive --> shell --> encrypt-bde-elev
    HKEY_CLASSES_ROOT --> Drive --> shell --> manage-bde
    HKEY_CLASSES_ROOT --> Drive --> shell --> resume-bde
    HKEY_CLASSES_ROOT --> Drive --> shell --> resume-bde-elev

    Any ideas would be appreciated.

    P.S. Also any idea how to exclude drives from a specific vendorid so we can make BitLocker Encryption required?

    Turn On or Off Auto-unlock for BitLocker Drive in Windows 10


  8. Posts : 61,558
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #17

    Hello @42SolutionsGrp, and welcome to Ten Forums.

    Have you already tried any of the other options to turn on auto-unlock for a flash drive to see if one may work instead?

    You can configure BitLocker to automatically unlock volumes that do not host an operating system. After a user unlocks the operating system volume, BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.

    I'm not aware of a policy to require BitLocker, but you can deny write access to drives not protected by BitLocker if that may help.



  9. Posts : 3
    Windows 10 Pro
       #18

    Unable to get Auto-Unlock to work using Option #2


    This is for USB Flash Drives and USB External Hard Drives. I cannot use the other methods because I have to lock down control panel and context menu. In theory if I could figure out how to exclude Local Admins from these GPO/RegEdit changes that would work, but so far I cannot find a way to do that either.

    So basically when a user or admin puts in a USB Flash Drive it prompts for the Password, I enter the password and then check the "Automatically Unlock ...." and it behaves like it has done so, but then on a new logon, restart, etc... I have to enter the password again. This will not work because the whole concept of locking this down is that I cannot give end users the password. When we allocate a new drive our IT team will go to the machine, put in the password and configure Auto Unlock. Just need to get it to work.

    I already reviewed the other links and they do not solve this one.

    Any other ideas?

    Thanks


  10. Posts : 61,558
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #19

    42SolutionsGrp said:
    This is for USB Flash Drives and USB External Hard Drives. I cannot use the other methods because I have to lock down control panel and context menu. In theory if I could figure out how to exclude Local Admins from these GPO/RegEdit changes that would work, but so far I cannot find a way to do that either.

    So basically when a user or admin puts in a USB Flash Drive it prompts for the Password, I enter the password and then check the "Automatically Unlock ...." and it behaves like it has done so, but then on a new logon, restart, etc... I have to enter the password again. This will not work because the whole concept of locking this down is that I cannot give end users the password. When we allocate a new drive our IT team will go to the machine, put in the password and configure Auto Unlock. Just need to get it to work.

    I already reviewed the other links and they do not solve this one.

    Any other ideas?

    Thanks
    I did some testing on my system with a removable USB flash drive with auto-unlock turned on for it.

    I had to check auto-unlock for each user on the computer. Once checked for a user, the USB would auto-unlock on the computer each time I connected the USB. Even after a sign out/in or restart.

    It's user and computer specific.

    I haven't seen a way to allow the drive to auto-unlock on the computer no matter which user. It has to be checked for each user first.
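For the locked-down setup discussed in posts #16 to #19, auto-unlock can also be set and verified from an elevated PowerShell session with the built-in BitLocker cmdlets, which do not depend on the Control Panel or the Explorer context menu. This is an added example, not something posted in the thread; the drive letter `E:` is a constructed sample value, and because post #19 reports the setting as user- and computer-specific, the thread does not establish that running it under one account covers other accounts.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). 'E:' is a constructed sample drive letter.
param(
    [string]$MountPoint = 'E:'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Auto-unlock applies to data volumes only, never to the OS volume.
if ($vol.VolumeType -eq 'OperatingSystem') {
    throw "$MountPoint is the operating system volume; auto-unlock does not apply."
}

# Informational: post #17 notes that data volumes auto-unlock after the OS volume is unlocked.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Host "OS volume $($os.MountPoint) protection status: $($os.ProtectionStatus)"

# The technician types the password; it is held as a SecureString and never
# written to disk or shown to the end user.
if ($vol.LockStatus -eq 'Locked') {
    $password = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $password -ErrorAction Stop | Out-Null
}

# Stores an auto-unlock key for this volume on this computer.
Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null

# Re-read the volume and report what was actually saved, instead of trusting
# the dialog checkbox that "behaves like it has done so".
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint          = $vol.MountPoint
    LockStatus          = $vol.LockStatus
    AutoUnlockEnabled   = $vol.AutoUnlockEnabled
    AutoUnlockKeyStored = $vol.AutoUnlockKeyStored
    KeyProtectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
```

Running `Get-BitLockerVolume` again after a restart shows whether `AutoUnlockEnabled` persisted, and `Disable-BitLockerAutoUnlock -MountPoint E:` removes the stored key when a drive is retired.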


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5.