BitLocker Drive Encryption >> enable auto unlock after user login to domain for each user with specific password

  • Question

  • My first testing on BitLocker » we need to manually turn on BitLocker on movable Computers/Tablets after joining the Domain
    Then I can view the BitLocker Recovery of the computer object on the AD Server
    How can we set BitLocker auto unlock from the AD server with a specific password for each client after login to their Computer/Tablet?
    No need to input the password again when they need to access drive C/D
    After login = BitLocker drive is auto unlocked for each user with a specific password
    Wednesday, March 27, 2019 8:56 AM

Answers

All replies

  • What is possible is:

    A: auto-unlock drives other than c: after start (available to any user) or

    B: auto-unlock drives other than c: after logon.

    --

    A: manage-bde -autounlock -enable D:

    B: manage-bde -protectors -add d: -sid yourdom\youruser



    Wednesday, March 27, 2019 9:25 AM
  • I would ask here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, March 27, 2019 9:32 AM
    Moderator
  • Hi Ronald,

    Thanks for your response, I've run the B command "manage-bde -protectors -add d: -sid yourdom\youruser"

    >> after logon it still does not solve this problem >> faced this error: The operation cannot be performed because the volume is locked.

    I am a beginner with BitLocker, please help explain in more detail

    Thanks 

    Tuesday, April 9, 2019 7:45 AM
  • Normally, if this computer belongs to you alone, you should use command A - was that tried? It needs to be executed on an elevated command line and d: needs to be unlocked before you launch the command.

    To elevate a command, right click c:\windows\system32\cmd.exe and select "run as administrator", then launch

    manage-bde -autounlock -enable D:

    Tuesday, April 9, 2019 8:12 AM
  • Be informed that my PC is domain-joined and I've tried to run that command manually in cmd as administrator

    still got the same error: 

    C:\Windows\system32>manage-bde -autounlock -enable D:
    BitLocker Drive Encryption: Configuration Tool version 10.0.15063
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: The operation cannot be performed because the volume is locked.

    C:\Windows\system32> 
    Tuesday, April 9, 2019 8:48 AM
  • As I wrote before:

    It needs to be executed on an elevated command line and d: needs to be unlocked before you launch the command.

    Tuesday, April 9, 2019 8:49 AM
  • Is there any way to run a command to unlock and a follow-up command to autounlock?
    Tuesday, April 9, 2019 8:58 AM
  • Why would you? If you click on the drive, you will be asked for a password and you provide it and it unlocks. Afterwards, setup auto-unlock using the command.

    Of course it works from the command line, too:

    manage-bde -unlock d: -pw

    Tuesday, April 9, 2019 9:00 AM
  • Yes, I have followed your instruction and successfully ran the commands to unlock & autounlock >> but -pw needs the password to be entered.

    For my purpose: is there any way to deploy the BitLocker password from AD DS to domain users? After user logon the encrypted drive is auto-unlocked >> no need to enter a PIN/password to access the encrypted drive.

    Tuesday, April 9, 2019 9:17 AM
  • After you have launched the autounlock command, it will no longer ask for a password.

    If your remaining problem is that you would like to include the password in the command that unlocks the drive in the first place, you can use the recovery key for that like this:

    manage-bde -unlock d: -rp 111111-222222-...yourRecoverykey...-666666

    Tuesday, April 9, 2019 9:20 AM
  • So much thanks for your feedback.

    This is a good point if we change -pw to -rp, but my domain has more than 1k client computers.

    Is there any way to use an attribute for -rp, so AD DS can deploy multiple -rp values to multiple users in the same domain?

    Domain User: After Logon >> Autounlock Encrypted Drive

    Local User: After Logon >> Encrypted Drive stays locked

    Wednesday, April 10, 2019 1:04 AM
  • I already told you how: the SID protectors. Please read my article here: https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html - I wrote it for USB drives, but the same applies to hard drives/SSDs.
    Wednesday, April 10, 2019 6:25 AM
  • I've followed your instruction, the result is success

    Thank you!

    Thursday, May 2, 2019 1:00 AM
  • Windows 10 Home does not support BitLocker

    Stephane Jean

    • Proposed as answer by Stefen Root Thursday, May 2, 2019 2:31 AM
    Thursday, May 2, 2019 2:31 AM
  • @Stephane, he talks about a domain-joined machine, this is not windows home, since the home edition cannot join domains. The question is already solved.

    @Polin: would you mind marking the comment that helped you as the solution?

    Thursday, May 2, 2019 6:46 AM
  • @Ronald, I've followed your command for the protectors & SID.

    >manage-bde -on d: -rp -used

    NOTE: Encryption is already complete.

    Bitlocker protect is already on.

    >manage-bde -protectors -add -sid DomainName\Username d:

    Key protectors Added:

    Result is success, but it needs to be done manually for all clients' computers (for specific computers only).

    It can solve my issue for temporary. Thanks for your support.

    • Edited by Polin Hul Thursday, May 2, 2019 8:40 AM
    Thursday, May 2, 2019 8:39 AM
  • You can add SID-protectors using that command as part of a startup script or deploy a scheduled task that uses the system account in order to do it.

    This needs to be performed carefully: the script needs to look like this:

    manage-bde -protectors -add d: -sid yourdom\domainuserforthisdevice

    "domainuserforthisdevice" needs to be read from a file. So you would have to supply a (text-)file where you have listed users for computer names like this:

    computer1 domainuserforcomputer1

    computer2 domainuserforcomputer2

    ...

    If however you simply want the d: drive to unlock for ALL domain users, it is simply this command for all devices:

    manage-bde -protectors -add d: -sid yourdom\domain-users

    Thursday, May 2, 2019 8:59 AM
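An added example of the startup-script logic described in the last reply (not code from the thread or from Microsoft): it reads a "computername domain\user" mapping file, checks that d: is unlocked first (the locked-volume error seen earlier in the thread), and then runs the same manage-bde SID-protector command. The mapping-file path, the use of Get-BitLockerVolume from the BitLocker PowerShell module for the lock and protector checks, and the exit codes are assumptions.

```powershell
# Added example, not from the thread. Intended to run as SYSTEM from a startup
# script or scheduled task. Assumed: mapping file with lines "computer domain\user".
$MappingFile = '\\fileserver\share\bitlocker-sid-map.txt'   # assumed path
$Drive       = 'D:'

# Look up the user assigned to this device; fail closed if there is no entry.
$user = $null
foreach ($line in Get-Content -Path $MappingFile -ErrorAction Stop) {
    if ($line -match '^\s*(\S+)\s+(\S+)\s*$' -and $Matches[1] -ieq $env:COMPUTERNAME) {
        $user = $Matches[2]
        break
    }
}
if (-not $user) {
    Write-Warning "No SID-protector mapping for $env:COMPUTERNAME; nothing done."
    exit 1
}

# manage-bde refuses to add a protector while the volume is locked, which is the
# "The operation cannot be performed because the volume is locked" error above.
$vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
if ($vol.LockStatus -ne 'Unlocked') {
    Write-Warning "$Drive is locked; unlock it before adding protectors."
    exit 2
}

# Idempotence: skip the add if an AD account/group protector already exists.
# Only the protector type is checked here, which is enough for a one-user-per-device mapping.
if ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'AdAccountOrGroup' }) {
    Write-Output "$Drive already has an AD account/group protector; nothing to do."
    exit 0
}

# Same command as in the thread, with the per-device user substituted in.
& manage-bde -protectors -add $Drive -sid $user
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Output "Added SID protector for $user on $Drive"
```

Because whoever can edit the mapping file decides which account gets a protector on each device, keep the share writable only by the administrators who maintain it and readable by the computer accounts that run the script.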