Bitlocker To Go & Disable Automatically Unlock This Drive
Hi, I am happy with the operation of BitLocker To Go with Windows Server 2008 R2 and 7 Client; however, there does not seem to be a Group Policy setting that can be set at 2008 R2 domain level to disable the "Automatically unlock this drive on this computer" feature. Is it supported and possible to disable this function, maybe with a reg change? Any help would be great.
June 2nd, 2010 11:08am

Carls233, check the following TechNet article: "Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)" http://technet.microsoft.com/en-us/library/ee424320(WS.10).aspx This article explains which GPO you can set to enable a password or the usage of a smart card to unlock a BitLocker drive (fixed drive) or a BitLocker To Go drive (removable drive). Kind Regards, DFT IM me - TWiTTer: @DFTER
June 2nd, 2010 11:43am

Many thanks for the link; however, I am still unable to find a way of removing or disabling "Automatically unlock this drive on this computer" in respect of the end users changing this setting for encrypted BitLocker To Go drives. I wish to force the user to have to enter the password information each time. There does not seem to be a GPO to disable this feature.
June 2nd, 2010 12:18pm

Sorry Carls, your question is not so clear to me (still working on my English :)). Do you want to remove the option "Automatically unlock this drive on this computer" on all the computers of your end users? If this is the case, you can set the "Control use of BitLocker on removable drives" GPO. You can find this policy in the "Windows Components\BitLocker Drive Encryption\Removable Data Drives" node. Or do you want the users to use BitLocker To Go and, every time they want to unlock their BitLocker To Go drive, to have to enter a password? If this is the case, see my previous link. Kind Regards, DFT IM me - TWiTTer: @DFTER
June 2nd, 2010 1:08pm

Thank you for your help with this. That is right, I simply want to remove that one setting. The settings in the GPO you list remove the entire BitLocker wizard from operation by the user, which would seem to stop the user's ability to encrypt the drive with BitLocker. Is it possible or supported for the user to access the BitLocker wizard and feature but just prohibit access to the "Automatically unlock this drive on this computer" setting? The written corporate policy here requires that users must enter the password each time, but this feature is caching the password.
June 2nd, 2010 2:42pm

Is no one aware of this feature and if it can be disabled? Is it supported? It seems reasonable to be able to stop BitLocker caching passwords for encrypted USB drives. Carl Smith MCITP-EA, MCITP-SA, MCTS
June 3rd, 2010 4:20pm

Hi, Based on my research, I find that a new registry key is created after selecting the “Automatically unlock on this computer from now on” option to unlock the encrypted drive. The registry key can be located below:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

If you would like to force the user to have to enter the password information each time, you can create a logoff script to remove the above key at logoff or shutdown every time. To create a logoff script and assign it to a certain user, please refer to the following article: Assign User Logoff Scripts. Hope this helps. Novak
June 4th, 2010 5:19am

Many thanks for this information, it works great. I configured the reg key to be deleted via a Group Policy Preference and this does ensure that the user cannot cache passwords. Once again, many thanks. Carl Smith MCITP-EA, MCITP-SA, MCTS
June 4th, 2010 12:58pm
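
A logoff script along the lines discussed above, as an added example that is not part of the original thread: it removes the per-user FveAutoUnlock key named in Novak's post and logs what it found. The log file location and the `-AuditOnly` switch are assumptions made for illustration, and PowerShell 2.0 or later is assumed on the client.

```powershell
# Added example: logoff script that clears the BitLocker To Go auto-unlock
# data stored under the per-user key named in the thread.
# Assumptions: the log location and the -AuditOnly switch are illustrative.
param(
    [switch]$AuditOnly   # report only, do not delete
)

$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'
$logFile = Join-Path $env:LOCALAPPDATA 'FveAutoUnlock-cleanup.log'

function Write-Log([string]$Message) {
    # Timestamp plus the account the script ran as, so the log shows whose hive was cleaned
    $line = '{0} {1}\{2} {3}' -f (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $Message
    Add-Content -Path $logFile -Value $line
}

if (-not (Test-Path -Path $keyPath)) {
    Write-Log 'FveAutoUnlock key not present; nothing to do.'
    exit 0
}

# Count what is stored so repeated use of auto-unlock shows up in the log.
$children = @(Get-ChildItem -Path $keyPath -ErrorAction SilentlyContinue)
Write-Log ('FveAutoUnlock key present with {0} subkey(s).' -f $children.Count)

if ($AuditOnly) { exit 0 }

try {
    Remove-Item -Path $keyPath -Recurse -Force -ErrorAction Stop
    Write-Log 'FveAutoUnlock key removed.'
    exit 0
} catch {
    Write-Log ('Removal failed: {0}' -f $_.Exception.Message)
    exit 1
}
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in the user's own context (a user logoff script under User Configuration); a computer shutdown script runs as SYSTEM and would look at a different hive.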

Indeed, nice work Novak :) IM me - TWiTTer: @DFTER
June 4th, 2010 2:40pm

Hi, Thank you for your reply and I’m glad to hear that the information is useful. In future, if you have any questions, please feel free to post them here and we will be glad to assist you in troubleshooting the issue. Regards, Novak
June 7th, 2010 5:27am

Hi: How exactly did you accomplish this? Did you create/name a new GPO, go to Computer Configuration/Windows Settings/Security Settings/Registry, go to Add Key and paste this: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock? Thanks
January 4th, 2011 8:38pm

Actually, there is a policy setting that will gray out / disable the ability to unlock removable drives. If you disallow the 256-bit recovery key (in the removable drive policy), this will do the trick. The reason is that when you choose to auto unlock, another key protector of type "External Key" is created. If you disallow this protector, the auto unlock option is disabled.
January 14th, 2011 5:30pm
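
The link this reply draws between auto-unlock and an "External Key" protector can be checked per drive. The following is an added example, not code from the thread: it queries the BitLocker WMI provider (`Win32_EncryptableVolume`) for each removable volume's auto-unlock state and its number of External Key protectors. It assumes an elevated PowerShell session; the function name is illustrative.

```powershell
# Added example: report auto-unlock state and External Key protectors on
# removable volumes. Requires an elevated session.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$ExternalKey = 2   # KeyProtectorType value for "External key"

function Get-RemovableAutoUnlockState {
    # Win32_LogicalDisk DriveType 2 = removable disk
    $removable = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID })

    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
        Where-Object { $removable -contains $_.DriveLetter } |
        ForEach-Object {
            $auto = $_.IsAutoUnlockEnabled()
            $prot = $_.GetKeyProtectors($ExternalKey)
            # Drop empty results so an absent protector list counts as 0
            $ids  = @($prot.VolumeKeyProtectorID | Where-Object { $_ })
            New-Object PSObject -Property @{
                Drive             = $_.DriveLetter
                # ReturnValue 0 = success; anything else is a provider error code
                QueryOk           = ($auto.ReturnValue -eq 0 -and $prot.ReturnValue -eq 0)
                AutoUnlockEnabled = [bool]$auto.IsAutoUnlockEnabled
                ExternalKeyCount  = $ids.Count
            }
        }
}

Get-RemovableAutoUnlockState |
    Select-Object Drive, QueryOk, AutoUnlockEnabled, ExternalKeyCount |
    Format-Table -AutoSize
```

Rows where `QueryOk` is false should be rerun once the provider can answer for that volume rather than read as "auto-unlock off".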

Since the password is stored in an encrypted file, what is the problem of storing it? John Rolstead
May 27th, 2011 1:00am

This topic is archived. No further replies will be accepted.
