How to re-lock a drive with BitLocker
I am using Windows 7 BitLocker to encrypt a secondary hard drive. So I unlock the drive with the password successfully. Now how do I relock the drive? The only way I can see is to restart the machine. What bothers me is that even if you log off and log in as another user, the drive is still unlocked! Isn't there a menu item or option to re-lock it? -mi
May 29th, 2009 6:29pm

Hi, I did several tests on my side, and I think this is a potential security bug. I will report it to our internal team. On the other hand, I do not have any workaround for this issue. Please temporarily restart the computer every time for security. Thank you for your understanding.
June 1st, 2009 1:24pm

Any updates on this?
June 3rd, 2009 6:10pm

I too also need an update on this!
July 3rd, 2009 9:29am

Also looking for an answer on this. "this is a potential security bug" - I'd say definitely a security bug! An automatic relock timer might be a nice feature also.
July 7th, 2009 12:45pm

You can achieve this through the command line interface, e.g. if P: were my private drive, I can re-lock it with the following command (run the cmd shell with administrative rights though). To re-lock a BitLocker drive on Windows 7:

    manage-bde -lock P:

Enjoy
August 10th, 2009 4:37pm
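The manage-bde -lock command above is the whole mechanism; what the rest of this thread spends its time on is wrapping it so that it elevates, accepts the D:\ form Explorer hands over, and confirms the volume actually locked. The PowerShell script below is an added example, not code from this thread or from Microsoft, that does all three. It assumes manage-bde.exe is on the PATH (it ships with Windows 7 and Server 2008 R2 and later) and reads the "Lock Status:" line of manage-bde -status to verify the result; the script name, function names and exit-code convention are its own.

```powershell
<#
  Lock-BitLockerDrive.ps1 (added example; not from this thread or from Microsoft)
  Locks unlocked BitLocker data volumes without rebooting: normalizes the drive
  argument, self-elevates (manage-bde -lock needs an administrator token), runs
  manage-bde -lock -ForceDismount, and confirms the result via manage-bde -status.
  Assumes manage-bde.exe is on the PATH (Windows 7 / Server 2008 R2 and later).
#>
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [string[]]$Drive
)

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Explorer hands %1 over as D:\ (and, if it was quoted, the \" can survive as D:"),
# while manage-bde wants plain D:. Accept D, D:, D:\ or D:\" and return D:.
function ConvertTo-DriveSpec([string]$Raw) {
    $letter = $Raw.Trim() -replace '[\\"]+$', '' -replace ':$', ''
    if ($letter -notmatch '^[A-Za-z]$') { throw "Not a drive letter: '$Raw'" }
    return ($letter.ToUpper() + ':')
}

# Read "Lock Status: Locked|Unlocked" from manage-bde -status; 'Unknown' means
# the volume is not BitLocker-protected or manage-bde failed.
function Get-BitLockerLockStatus([string]$Spec) {
    $out = & manage-bde.exe -status $Spec 2>&1 | Out-String
    if ($out -match 'Lock Status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Lock-BitLockerDrive([string]$Spec) {
    $before = Get-BitLockerLockStatus $Spec
    if ($before -eq 'Locked')  { Write-Host "$Spec is already locked."; return $true }
    if ($before -eq 'Unknown') { Write-Warning "$Spec does not look like a BitLocker volume."; return $false }

    # -ForceDismount closes open handles first; without it the lock fails while any
    # file on the volume is open. Re-read the state afterwards rather than trusting exit codes.
    & manage-bde.exe -lock $Spec -ForceDismount | Out-Null
    $after = Get-BitLockerLockStatus $Spec
    if ($after -eq 'Locked') { Write-Host "$Spec locked."; return $true }
    Write-Warning "$Spec is still $after (manage-bde exit code $LASTEXITCODE)."
    return $false
}

$specs = @($Drive | ForEach-Object { ConvertTo-DriveSpec $_ })

if (-not (Test-IsAdministrator)) {
    # Re-run this same script elevated (one UAC prompt); the elevated copy does the work.
    # $MyInvocation.MyCommand.Path instead of $PSCommandPath so PowerShell 2.0 on Windows 7 works.
    $self = $MyInvocation.MyCommand.Path
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $self) + $specs
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList -Wait
    exit 0
}

$allLocked = $true
foreach ($spec in $specs) {
    if (-not (Lock-BitLockerDrive $spec)) { $allLocked = $false }
}
exit $(if ($allLocked) { 0 } else { 1 })
```

Save it as Lock-BitLockerDrive.ps1 and run `.\Lock-BitLockerDrive.ps1 D:` (or `D:\ E:`) from any prompt; a non-elevated prompt triggers one UAC prompt. The status check before and after is what a shortcut or batch file does not give you: a lock that silently failed because a file was open looks identical to a successful one until you read the volume state back.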

Thanks for this, Robin. At least I can add a script and pin it to the Start Menu. This is still an issue in the RTM; I'm a little disappointed it made it through to release.
August 22nd, 2009 2:20pm

I made a .cmd file to re-lock the drives. From a cmd prompt, type the following:

    C:\Windows\system32>copy con lockdrive.cmd
    manage-bde -lock l:
    manage-bde -lock k:
    ^Z        [press CTRL-Z]
            1 file(s) copied.

Replace l: and/or k: with the corresponding drive letter on your computer. Make a shortcut to the lockdrive.cmd file, and check the "Run as administrator" check box. Rgs, Inge
August 29th, 2009 5:05pm

I have the same problem. By the way, I am using Windows 7 RTM 64-bit. I also, through group policy, increased the cipher strength to "AES 256-bit with Diffuser". I encrypted a couple of USB hard drives with BitLocker To Go. I noticed another security issue on top of the one already discovered: when a BitLocker To Go disk is connected, initially it is locked with the volume label hidden (as it should be). When you relock the drive using "manage-bde -lock drive:" the volume label is still showing.

Edit: I have been testing this further by unlocking, relocking, and disconnecting the drive multiple times, and I noticed that in "Computer" it eventually stopped showing a volume label for this drive when it is unlocked (until I restarted my computer). I am not sure why. But when I used the "dir" command it did show the proper volume label. This might be a bug in the "Computer" display of volume labels; it might not be re-reading the volume labels for drives properly.

When a BitLocker drive is relocked, it should be in the same state as if it were freshly connected. Also, logging off should automatically relock drives, or at least there should be an option in the BitLocker control panel and/or group policy for that. Regarding the original poster's issue: logically, one would think right-clicking the unlocked drive and choosing "Manage BitLocker" would have an option to lock the drive.
August 30th, 2009 5:34pm

This was the best answer ever ;) -mi
September 1st, 2009 9:54pm

Check my post here on how to do the 'Lock Drive' right-click menu entry: http://jonamafun.blogspot.com/2009/11/how-to-re-lock-bitlocker-drive.html
November 13th, 2009 3:11pm

@jonamafun - followed exactly but getting "The filename, directory name, or volume label syntax is incorrect". Any suggestions?
November 16th, 2009 9:22pm

Try running the batch file from Windows Explorer to see if it actually locks your drive first. What did you name your .bat file and where is it located? Make sure you put the full path to the file at step 6. This is what my step 6 looks like:
November 17th, 2009 3:36pm

This could work, but the batch file needs to be run as administrator; I don't know how to set that yet...
November 18th, 2009 1:15pm

I followed all the steps, but get an error popup: "The filename, directory name, or volume label syntax is incorrect". The .bat file it points to works fine. My runas\command\ looks just like the screen shot. Any ideas?
November 22nd, 2009 1:50pm

I followed all the steps, but get an error popup: "The filename, directory name, or volume label syntax is incorrect". The .bat file it points to works fine. My runas\command\ looks just like the screen shot. Any ideas?

How do you add a screen shot to a post here? I could show you what my reg keys look like. I did discover that I could make a shortcut to lock.bat, and in the advanced shortcut properties it lets you set "Run as Administrator". So ideally, the reg key setting could point to the shortcut. Thanks for any help...
November 22nd, 2009 2:07pm

Me, too; ever get a solution? Thanks
November 22nd, 2009 2:09pm

i used HTML tags to embed the image here... Have you tried testing with UAC turned off? I neglected to mention that I'm running without UAC (shhh!) so that may have something to do with it.
November 22nd, 2009 5:26pm

Hi Guys, I have made the following change to the script proposed, and it is working well.

1. Install the elevation PowerToy (needed on UAC boxes): http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx

2. Set up the registry as so:

    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5)"
    @="Lock BitLocker Volume"
    "HasLUAShield"=""
    "MultiSelectModel"="Single"

    ; the command subkey must sit under the same verb key as the label above
    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe\command]
    @="elevate.cmd manage-bde.exe -lock G:"

3. If anyone has the solution to change G:\ to G: through the use of %1, even better.
January 3rd, 2010 2:11pm

Something I would like is to be able to give the locked drive a name other than the plain jane default name -- that is, a name that would show up when it IS locked.
January 10th, 2010 7:35am

    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
    @="manage-bde.exe -lock -forcedismount \"%1\""

In the registry the \ will be removed but the quotes will remain. This will pass the drive without the extra backslash, but for some reason it is producing an extra " mark. So now I get an invalid syntax error: ' "D:"" was not understood.' So it's a step closer, but not exactly there yet.
April 8th, 2010 11:45am

To add "Lock Drive..." to the Explorer right-click context menu, apply this registry update:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\Lock Drive...\command]
    ; REG_EXPAND_SZ; the hex decodes to: wscript.exe manage-bde.vbs -lock -forcedismount %1
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2e,00,76,00,\
      62,00,73,00,20,00,2d,00,6c,00,6f,00,63,00,6b,00,20,00,2d,00,66,00,6f,00,72,\
      00,63,00,65,00,64,00,69,00,73,00,6d,00,6f,00,75,00,6e,00,74,00,20,00,25,00,\
      31,00,00,00

And create and save the following script as C:\Windows\System32\manage-bde.vbs:

    ' Collect the arguments Explorer passed (the selected drive, e.g. D:\)
    Set oWSH = CreateObject("Wscript.Shell")
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
        Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    ' Strip the trailing backslash: manage-bde wants D:, not D:\
    Args = Replace(Args,"\","")
    ' Run manage-bde with a hidden window (0) and wait for it to finish (True)
    RetVal = oWSH.Run("manage-bde.exe" & Args,0,True)
    Wscript.Quit RetVal
April 9th, 2010 6:32am

Hi Robinson, Did Microsoft ever get back to you to say if they were going to include this in an update rather than the below .bat and registry edits that people are making? Thanks.
April 24th, 2010 4:25pm

I just made a shortcut icon on my desktop, put the command "manage-bde -lock d:" and named it as LOCK. Thanks Robin... Rgrds kal-el of krypton
July 13th, 2010 5:18pm

To add "Lock Drive..." to the Explorer right-click context menu, apply this registry update:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\Lock Drive...\command]
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2e,00,76,00,\
      62,00,73,00,20,00,2d,00,6c,00,6f,00,63,00,6b,00,20,00,2d,00,66,00,6f,00,72,\
      00,63,00,65,00,64,00,69,00,73,00,6d,00,6f,00,75,00,6e,00,74,00,20,00,25,00,\
      31,00,00,00

And create and save the following script as C:\Windows\System32\manage-bde.vbs:

    Set oWSH = CreateObject("Wscript.Shell")
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
        Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    Args = Replace(Args,"\","")
    RetVal = oWSH.Run("manage-bde.exe" & Args,0,True)
    Wscript.Quit RetVal

Doesn't work. Also, why use the hex value for the registry setting instead of the ASCII value, which is much easier to read?

    "wscript.exe manage-bde.vbs -lock -forcedismount %1"
July 19th, 2010 10:05pm

Hi, I did several tests on my side, and I think this is a potential security bug. I will report it to our internal team. On the other hand, I do not have any workaround for this issue. Please temporarily restart the computer every time for security. Thank you for your understanding.

I have to admit, this is not a security bug with BitLocker. BitLocker's intent was not to protect drives on a system that was logged in and the end-user neglectfully walked away. It was my impression that in the event of the laptop's theft, BitLocker would prevent the culprit of theft from reading the data on this drive in its offline condition. Who leaves their laptop logged in and walks away? If they leave it logged in and walk away, in a company where security is important, this person should have been penalized and given a position of less responsibility for neglecting to protect the information that makes his job a value to the company. It's because of this type of neglect that the end-users don't learn their lesson or at least receive a drill on security by faking it by setting the end-user up. The end user with the mobile device needs to understand their importance to keep the information confidential if it's important enough to be encrypted... A password policy should be enough to prevent re-accessing the system. In the event of struggling with the "dumb password" the assailant may reset the computer and try to re-enter, unaware of BitLocker encryption's application. I'm sorry but I fail to see where the bug is. Security analysts already know this... educating the end-user and making the end-user aware of the consequences is the important part of keeping the laptop secured. BitLocker does its job... make the end-user do theirs. All you need to do as the IT staff is make sure that you disclose this information in technical writing when you make it policy. Give the staff education on keeping the device secure when you give them the device.

BitLocker by nature is decrypted as soon as the password is entered... there's no flaw. It's by design... If accessing it past BitLocker is your concern, apply smartcards with Encrypting File System certificates. Steve Kline - MCITP This posting is "as is" without warranties and confers no rights.
July 19th, 2010 10:53pm

I have to admit, this is not a security bug with BitLocker. BitLocker's intent was not to protect drives on a system that was logged in and neglectfully walked away from. It was my impression that in the event of the laptop's theft, BitLocker would prevent the culprit of theft from reading the data on this drive in its offline condition. Who leaves their laptop logged in and walks away?

The concern here is not about walking away from your laptop. Rather, computer security intrusions can happen at any time. If you are booted up and connected to the internet, there is the potential that a hacker could gain access. If you have sensitive information on a drive that you are concerned enough to BitLock, it should remain locked whenever not in use in order to lower the chances for any type of hacker to gain access to it. Thus, the ability to relock a drive (although not a security bug) is sorely needed functionality in order to have a more complete set of security barriers to would-be data thieves. And the fact is, you can relock it... just not very easily.
July 20th, 2010 12:06am

hex values here are called EXPANDOs, expandos are used in the Registry whenever the file path includes a dynamic part, like an environment variable. Manage-bde.exe does NOT work on Windows Server 2008 R2. I too would like a relock solution without rebooting for Windows Server 2008 R2. :)
July 20th, 2010 7:15am

hex values here are called EXPANDOs, expandos are used in the Registry whenever the file path includes a dynamic part, like an environment variable. Manage-bde.exe does NOT work on Windows Server 2008 R2. I too would like a relock solution without rebooting for Windows Server 2008 R2. :)

Thanks. But I'm still not sure I understand why posting hex is better than ASCII. You can still use ASCII characters in the registry to pass environment variables; you just need to make sure you're using a REG_EXPAND_SZ value. I'm curious about the Windows Server 2008 R2 case too now. A good solution would be the same for both OSes.
July 20th, 2010 9:21am

I made a .cmd file to re-lock the drives. From a cmd prompt, type the following:

    C:\Windows\system32>copy con lockdrive.cmd
    manage-bde -lock l:
    manage-bde -lock k:
    ^Z        [press CTRL-Z]
            1 file(s) copied.

Replace l: and/or k: with the corresponding drive letter on your computer. Make a shortcut to the lockdrive.cmd file, and check the "Run as administrator" check box. Rgs, Inge

That works great, thank you. Some points to clarify for those of us not so advanced in computing. Just to point out, I am running Windows 7 Ultimate with UAC turned off. I'm not sure if this will work in other versions or with UAC on; I think so, but perhaps someone will confirm this.

To turn off UAC, go to Control Panel, select 'User Accounts', then your account name, 'Change User Account Control settings', select 'Never notify' and reboot. Next navigate to 'Control Panel / Folder Options', click the 'View' tab and move the radio button to 'Show hidden files, folders and drives', then uncheck the 'Hide extensions for known file types' box, Apply, OK and close Control Panel.

1. It is easier to go to your Windows folder, find the System32 folder, put your mouse cursor on it, hold the Shift key, right click and select 'Open command prompt here'. That way when the DOS window opens you only need to type "copy con lockdrive.cmd" (without the quotes) and press Enter.
2. Type "manage-bde -lock #:" again without the quotes and replace the "#" with the letter of your BitLocker drive as Inge stated. If you have another drive to lock then repeat this line with your other drive letter and press Enter.
3. Hold 'Ctrl' on your keyboard and press the 'Z' key once; '^Z' will be displayed. Press Enter on your keyboard and '1 file(s) copied' will be displayed.
4. Type "exit" (no quotes) to close the DOS window.
5. Navigate into the folder 'C:\Windows\System32' and look for the file 'lockdrive.cmd'. Right click it and select 'Create shortcut'; a new file called 'lockdrive.cmd shortcut' will appear below it. Right click the shortcut file and select 'Cut'.
6. Navigate to 'C:\Users\*YOUR USERNAME*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs', right click in a blank area of the window where your Accessories and Administrative Tools are (being sure not to highlight one of the other files) and select 'Paste'.
7. Right click the 'lockdrive.cmd shortcut' and select 'Rename', just call it 'Lockdrive.cmd' and press Enter, then close all windows.
8. Click 'Start', select 'All Programs' and look for your 'lockdrive.cmd' file. Put your mouse on it, left click and hold the button down. Drag it down to the 'Back' selection which was 'All Programs' and wait for the first Start Menu to appear, move your mouse up to a blank area and release the button. If done correctly you should now have 'lockdrive.cmd' on your main Start menu. Click it to lock your drive.
9. Navigate to 'Control Panel / Folder Options' and on the 'General' tab select 'Restore Defaults' and Apply. Select the 'View' tab and select 'Restore Defaults' and Apply. Click 'OK' and you're done.

Thanks to Inge for this short and perfect work-around. Phill Thorne.
July 21st, 2010 4:55am

Thanks to everyone on here and all the contributions. I was finally able to piece this together and now have a fully working and simple solution.

1. Open Notepad and copy the following text into it, then save as "relock_bde.reg":

    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5)"
    @="Relock drive..."
    "HasLUAShield"=""
    "MultiSelectModel"="Single"

    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
    ; REG_EXPAND_SZ; the hex decodes to: wscript.exe manage-bde-lock.vbs -lock -forcedismount %1
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2d,00,6c,00,\
      6f,00,63,00,6b,00,2e,00,76,00,62,00,73,00,20,00,2d,00,6c,00,6f,00,63,00,6b,\
      00,20,00,2d,00,66,00,6f,00,72,00,63,00,65,00,64,00,69,00,73,00,6d,00,6f,00,\
      75,00,6e,00,74,00,20,00,25,00,31,00,00,00

2. Double click on relock_bde.reg to add the information into the registry.

3. Open Notepad and copy the following text into it. Then save as "manage-bde-lock.vbs", and copy to c:\windows\system32:

    ' Collect the arguments from the registry command (-lock -forcedismount D:\)
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
        Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    ' Strip the trailing backslash Explorer appends to the drive
    Args = Replace(Args,"\","")
    ' "runas" requests elevation, so the script prompts for UAC by itself
    CreateObject("Shell.Application").ShellExecute "manage-bde.exe", Args, "", "runas", 1

Thanks heitbaum and Les Ferch. You got me 90% of the way there; I just needed to figure out how to elevate a script from within itself.
October 7th, 2010 6:27am

Thanks to everyone on here and all the contributions. I was finally able to piece this together and now have a fully working and simple solution.

1. Open Notepad and copy the following text into it, then save as "relock_bde.reg":

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5)"
    @="Relock drive..."
    "HasLUAShield"=""
    "MultiSelectModel"="Single"

    [HKEY_CLASSES_ROOT\Drive\shell\relock-bde\command]
    ; REG_EXPAND_SZ; the hex decodes to: wscript.exe manage-bde-lock.vbs %1
    @=hex(2):77,00,73,00,63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,\
      00,6d,00,61,00,6e,00,61,00,67,00,65,00,2d,00,62,00,64,00,65,00,2d,00,6c,00,\
      6f,00,63,00,6b,00,2e,00,76,00,62,00,73,00,20,00,25,00,31,00,00,00

2. Double click on relock_bde.reg to add the information into the registry.

3. Open Notepad and copy the following text into it. Then save as "manage-bde-lock.vbs", and copy to c:\windows\system32:

    ' Collect the arguments from the registry command (the drive, e.g. D:\)
    Args = ""
    Last = Wscript.Arguments.Count - 1
    For i = 0 To Last
        Args = Args & " " & Wscript.Arguments.Item(i)
    Next
    ' Turn D:\ into D:, which is what manage-bde expects
    Args = Replace(Args,":\",":")
    ' "runas" requests elevation, so the script prompts for UAC by itself
    CreateObject("Shell.Application").ShellExecute "manage-bde.exe", "-lock -forcedismount " & Args, "", "runas", 1

Thanks heitbaum and Les Ferch. You got me 90% of the way there; I just needed to figure out how to elevate a script from within itself.
October 7th, 2010 6:27am
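The post above gets there with a hex(2) registry value and a VBScript trampoline. As an added example, not code from this thread or from Microsoft, the PowerShell script below registers the same relock-bde verb, AppliesTo filter and HasLUAShield flag as a readable REG_EXPAND_SZ string, reads the command back so you can check what Explorer will run, and can remove the entry again. It assumes a lock script of your own at C:\Tools\Lock-BitLockerDrive.ps1 (an assumed path; any script that runs manage-bde -lock on its argument and tolerates the trailing backslash in %1 will do). It also leaves %1 unquoted on purpose: Explorer expands %1 to D:\, and a quoted "D:\" is read by the Windows command-line argument parser as D:" because the backslash escapes the closing quote, which is consistent with the '"D:"" was not understood' error reported earlier in the thread.

```powershell
<#
  Register-BitLockerLockMenu.ps1 (added example; not from this thread or from Microsoft)
  Adds or removes a "Relock drive..." verb on Explorer's drive context menu, writing
  the command as a readable REG_EXPAND_SZ string instead of a hex(2) blob.
  Assumptions: a lock script exists at -ScriptPath (assumed location; any script that
  runs manage-bde -lock on its argument and handles the trailing backslash in %1);
  the verb name, HasLUAShield flag and AppliesTo filter are the ones used in the thread.
  Must run from an elevated prompt, since it writes under HKEY_CLASSES_ROOT.
#>
param(
    [string]$ScriptPath = 'C:\Tools\Lock-BitLockerDrive.ps1',   # assumed path
    [switch]$Remove
)

$verbKey    = 'Registry::HKEY_CLASSES_ROOT\Drive\shell\relock-bde'
$commandKey = "$verbKey\command"
# Filter from the thread: only show the entry on volumes Explorer reports as BitLocker-protected.
$appliesTo  = '(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5)'

function Register-RelockMenu([string]$Script) {
    if (-not (Test-Path -LiteralPath $Script)) { throw "Lock script not found: $Script" }

    New-Item -Path $verbKey -Force | Out-Null
    Set-ItemProperty -Path $verbKey -Name '(default)' -Value 'Relock drive...'
    # HasLUAShield draws the UAC shield on the menu entry so the elevation prompt is expected.
    New-ItemProperty -Path $verbKey -Name 'HasLUAShield'     -Value ''         -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $verbKey -Name 'MultiSelectModel' -Value 'Single'   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $verbKey -Name 'AppliesTo'        -Value $appliesTo -PropertyType String -Force | Out-Null

    # %1 stays unquoted: Explorer expands it to D:\ and a quoted "D:\" is parsed as D:"
    # (the backslash escapes the quote). The script path is quoted because it may contain spaces.
    $command = '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "' + $Script + '" %1'
    New-Item -Path $commandKey -Force | Out-Null
    # ExpandString = REG_EXPAND_SZ, so %SystemRoot% is expanded when Explorer runs the verb.
    New-ItemProperty -Path $commandKey -Name '(default)' -Value $command -PropertyType ExpandString -Force | Out-Null
}

function Unregister-RelockMenu {
    if (Test-Path -LiteralPath $verbKey) { Remove-Item -Path $verbKey -Recurse -Force }
}

# Returns the command string Explorer will run (or $null if the verb is not registered).
function Get-RelockMenuCommand {
    if (-not (Test-Path -LiteralPath $commandKey)) { return $null }
    return (Get-ItemProperty -Path $commandKey).'(default)'
}

if ($Remove) {
    Unregister-RelockMenu
} else {
    Register-RelockMenu $ScriptPath
    Get-RelockMenuCommand
}
```

Run `.\Register-BitLockerLockMenu.ps1` from an elevated PowerShell to add the entry and `.\Register-BitLockerLockMenu.ps1 -Remove` to take it out again; the command string it prints is the exact value in the registry, so a path or quoting mistake shows up before you right-click anything.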

For the computer dummies out there (like me) I found this web page very useful - it's got step by step advice with pictures! http://www.techkings.org/tweaks-tips-windows/11415-re-locking-drive-using-bitlocker-windows-7-a.html What I find galling is that over a year ago the moderator found this problem to be "a potential security bug" worthy of reporting to some internal team, or other. The problem with forums like this is that, whilst helping people, encourages Microsoft to do nothing at all - "Let the idiots sort it themselves"!!!
November 3rd, 2010 11:04am

Another potential security issue is that someone listed in the local admin group can access the drive in its unlocked state. However, they are denied access with no option to unlock it when connecting over the network. It would be nice if the drive had the option to require that anyone trying to access it needs to know the password.
March 9th, 2011 10:46am

