Bitlocker and "Automatically Unlock This Drive on This Computer" on Fixed Drives
Hi, I'm testing Bitlocker on the data (fixed) drives on some Windows 7 Enterprise machines. I don't want to encrypt the System drives. I always want a prompt for authentication to unlock the data drives when they are started. But I noticed that I can enable "Automatically Unlock This Drive on This Computer" for the data drive, and when Windows starts, the drive is available without any user interaction (after the user logs in, of course). According to everything I've read, this option should not be available unless the System drive is also encrypted, which makes sense. I looked everywhere but can't find a solution to this. Anybody have any ideas?
December 7th, 2011 7:07am

You can remove the auto-unlock feature for the data drive easily. Open Control Panel --> BitLocker encryption --> manage data drive, and disable auto-unlock. If the OS drive is not encrypted then you cannot use the auto-unlock feature for data drives. I hope this helps.

Manoj Sehgal
December 9th, 2011 12:00am

Yes, I am aware that I can manually enable and disable it, however I would like that option not to be available. Part of the problem is that my OS drive is NOT encrypted, yet I can still choose auto-unlock for the data drive (and it actually does auto-unlock it). I guess if that worked correctly, that would solve my problem. So maybe the question is, "why am I able to choose auto-unlock even though my OS drive is not encrypted?" Thanks.
December 9th, 2011 12:34am

As far as I know there are no options for your purpose.
December 9th, 2011 9:42am

What does "As I know there are no options for your purpose" mean? Obviously, if BitLocker worked correctly, then there IS an option. I want to only encrypt the data drive, and I do not want the option to auto-unlock. This is EXACTLY the behaviour that should occur if my system drive is not encrypted. Manoj's reply is not the solution... the question still remains, why is BitLocker providing me with the option to auto-unlock, when my system drive is NOT encrypted?
December 9th, 2011 7:52pm

Can you send me the output of these 2 commands? Open an elevated command prompt and run the commands below:

>manage-bde -status c:
>manage-bde -protectors -get d:

where d: is the data drive. As per your original thread, you are using Win 7 Enterprise Edition. Is this correct?

Manoj Sehgal
December 9th, 2011 8:46pm

Yes, it is Win 7 Enterprise, 64 bit. Below is the result of those 2 commands.

C:\>manage-bde -status c:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 23.90 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found

C:\>manage-bde -protectors -get d:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume D: [New Volume]
All Key Protectors

    Password:
      ID: {783F823F-F98E-4FA4-8618-D337478EE7D3}

    Numerical Password:
      ID: {1508633E-AD80-4E54-A2E3-B92BDE725D63}
      Password:
        142186-350196-174273-210166-707300-688875-291489-050380

C:\>
December 9th, 2011 8:55pm

Does anybody have any answers / updates to this? Or should I submit a trouble ticket with Microsoft? I have tested this issue on other systems, and it happens 100% of the time. Somebody else somewhere has to be seeing the same thing?
January 31st, 2012 9:09pm

The system response to the two commands gave the answer.

>manage-bde -status
>manage-bde -protectors -get d:

The first response said the cryptovariable was in memory, that you were not in a protected state. "Protection on" means the cryptovariable is not exposed and the encrypted data is locked down. The second gave you the cryptovariable, and you gave it to us. Had you then executed

>manage-bde -enable d:

the command would have failed since you had no protectors, e.g., ways to cryptographically protect the cryptovariable. Since you do not want to encrypt the OS C: drive, you could lock the cryptovariable in a PKI certificate. Then entering the PIN or password would unlock the cryptovariable and your data volume would be available. This is essentially the smart card option. Alternatively, if you had executed "manage-bde -enable d" the cryptovariable would have been wiped from memory, and next time you logged on you would have had to manually enter the cryptovariable you gave us.

Jahn M
October 31st, 2012 12:08am

The correct answer is that removable devices will always present the option to automatically unlock the volume. Non-removable devices will correctly disable the auto-unlock feature if the system drive is unencrypted. The system(s) were running under VMware, and by default most devices including the hard drives are hot-plug. Disabling the hot-plug function results in the system seeing the hard drive as a standard, fixed (i.e. non-removable) device, and then BitLocker functions correctly.
October 31st, 2012 12:47am
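As an added example that is not part of the thread: the distinction the last reply describes (BitLocker treating a hot-pluggable virtual disk as a portable data volume rather than a fixed one) can be read directly from the BitLocker WMI provider, Win32_EncryptableVolume, which is the class manage-bde and the Control Panel applet sit on. The script below lists how BitLocker classifies every volume, whether protection is on, whether auto-unlock is enabled, and how many ExternalKey protectors (the protector type auto-unlock creates) each volume carries; it then warns about, and with -Fix removes, auto-unlock on any data volume while the OS volume is unprotected. The class, property and method names are the provider's; the -Fix switch, the label tables and the output layout are assumptions of this example.

```powershell
# Added example, not code from the thread. Requires Windows 7 or later
# (VolumeType was added in Windows 7) and an elevated PowerShell prompt.
param([switch]$Fix)   # without -Fix the script only reports

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
# Labels are this example's; the numeric values are the provider's.
$typeName = @{ 0 = 'OS'; 1 = 'FixedData'; 2 = 'PortableData' }
$protName = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

$vols = @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)

# Auto-unlock keys for data volumes live on the OS volume, so BitLocker is only
# supposed to offer auto-unlock when the OS volume itself is protected.
$os = $vols | Where-Object { $_.VolumeType -eq 0 } | Select-Object -First 1
$osProtected = $false
if ($os) { $osProtected = ($os.GetProtectionStatus().ProtectionStatus -eq 1) }
"OS volume protected: $osProtected"

foreach ($v in $vols) {
    $type = $typeName[[int]$v.VolumeType]
    $prot = $protName[[int]$v.GetProtectionStatus().ProtectionStatus]

    # IsAutoUnlockEnabled returns a non-zero ReturnValue on unencrypted volumes;
    # treat that as "not enabled" rather than trusting the out parameter.
    $au = $v.IsAutoUnlockEnabled()
    $autoUnlock = ($au.ReturnValue -eq 0 -and [bool]$au.IsAutoUnlockEnabled)

    # Key protector type 2 = ExternalKey, which is what auto-unlock creates.
    # Only protector IDs are listed, never key material.
    $ext = @($v.GetKeyProtectors(2).VolumeKeyProtectorID | Where-Object { $_ })

    "{0,-3} {1,-12} Protection={2,-7} AutoUnlock={3,-5} ExternalKeyProtectors={4}" -f `
        $v.DriveLetter, $type, $prot, $autoUnlock, $ext.Count

    if ($v.VolumeType -ne 0 -and $autoUnlock -and -not $osProtected) {
        Write-Warning ("{0} auto-unlocks although the OS volume is not protected " +
                       "(BitLocker classifies it as {1})" -f $v.DriveLetter, $type)
        if ($Fix) {
            $rc = $v.DisableAutoUnlock().ReturnValue
            if ($rc -eq 0) { "  disabled auto-unlock on $($v.DriveLetter)" }
            else { Write-Warning ("  DisableAutoUnlock failed, HRESULT 0x{0:X8}" -f $rc) }
        }
    }
}
```

On a VMware guest with hot-plug left on, the data volume shows up as PortableData; after disabling hot-plug on the virtual disk it shows up as FixedData, which is the condition under which BitLocker withholds the auto-unlock option when the OS volume is unprotected. The command-line equivalents of the -Fix branch are manage-bde -autounlock -disable D: for one volume and manage-bde -autounlock -clearallkeys C: to drop every stored auto-unlock key from the OS volume.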
