Locking a BitLocker-encrypted drive (from Windows Explorer and Console)

The problem with BitLocker is that it doesn't lock your drive when you lock your workstation. I don't know about you, but I find that disturbing because someone can log in as another user and access the said drive. What I find even more problematic is that there isn't any 'obvious' way to lock the drive - at least not in the way it can be unlocked. Here is how you can lock your drive manually (let's assume that the drive letter is P):

From console:

manage-bde -lock P:

To do it from Windows Explorer, create a cmd script called LockBDE.cmd that locks the drive for you, and place it somewhere every user can read it. I have placed mine into c:\Users:

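@echo off
rem Usage: LockBDE.cmd <drive>  (Explorer passes the drive root, e.g. P:\)
setLocal EnableDelayedExpansion
set "_DRIVE_=%~1"
rem Nothing to lock if no drive was passed
if not defined _DRIVE_ exit /b 1
rem Strip the trailing backslash that Explorer appends (P:\ becomes P:)
IF "!_DRIVE_:~-1!"=="\" SET "_DRIVE_=!_DRIVE_:~0,-1!"
rem manage-bde needs elevation, so it is started through NirCmd's "elevate"
c:\users\nircmdc.exe elevate C:\Windows\System32\manage-bde.exe -lock %_DRIVE_%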

Now merge this into the registry:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Drive\shell\Lock Drive]
"AppliesTo"="(System.Volume.BitLockerProtection:=System.Volume.BitLockerProtection#On OR System.Volume.BitLockerProtection:=System.Volume.BitLockerProtection#Encrypting OR System.Volume.BitLockerProtection:=System.Volume.BitLockerProtection#Suspended) AND System.Volume.BitLockerCanChangePassphraseByProxy:=System.StructuredQueryType.Boolean#True"
"MultiSelectModel"="Single"
@=""

[HKEY_CLASSES_ROOT\Drive\shell\Lock Drive\command]
@="C:\\Users\\LockBDE.cmd %1"

Since there is no straightforward way to elevate the console (manage-bde requires elevated mode), you will have to rely on the third-party tool NirCmd (NirSoft website). It's a free tool and there are 32-bit and 64-bit binaries available. Download it and copy nircmdc.exe into the same folder as the CMD script (or somewhere in the path).

Voilà! When you right-click an unlocked BitLocker-encrypted drive, you have a new option that allows you to lock the drive!

Granted, it is not pretty to see two console windows, but it works!
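
The "Lock Drive" entry runs C:\Users\LockBDE.cmd and nircmdc.exe for any user who clicks it, and the last step asks for elevation, so neither file should be modifiable by non-administrators. The PowerShell check below is an added example, not part of the original page; the function name Get-RiskyAce and the list of trusted SIDs are assumptions, and the paths are the ones used above.

```powershell
# Added example: report ACL entries (and owners) that let non-administrators
# modify the files run by the "Lock Drive" context-menu entry.
$targets = 'C:\Users\LockBDE.cmd', 'C:\Users\nircmdc.exe'

# Assumption: only these principals are allowed to change the files.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing or deleting the file, or rewriting its ACL.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')
# ACEs may also carry raw generic rights: GENERIC_ALL and GENERIC_WRITE.
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $Path -ErrorAction Stop

    # The owner can always rewrite the DACL, so an untrusted owner is a finding.
    $owner = $acl.GetOwner($sidType).Value
    if ($trustedSids -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Identity = $owner; Rights = 'Owner' }
    }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $sid)        { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Resolve the SID for display; keep the raw SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{ Path = $Path; Identity = $name; Rights = $ace.FileSystemRights }
    }
}

$findings = foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Get-RiskyAce -Path $t }
    else { Write-Warning "$t not found" }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'OK: only trusted principals can modify the lock script and the NirCmd binary.' }
```

Any row in the output names a principal that could replace the script or binary; remove that access with icacls or the file's Security tab before relying on the menu entry.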

  • Last modified: 2019/10/31 09:06