Blog | G5 Cyber Security

BitLocker: Auto-Lock Removable Drives

TL;DR

BitLocker To Go drives already lock themselves when you unplug them or when the PC restarts or shuts down; the one thing that keeps a removable drive unlocked across restarts is BitLocker's per-drive auto-unlock option. This guide shows how to find and disable auto-unlock, how to force-lock a drive at sign-out (which BitLocker does not do on its own), and where the removable-drive Group Policy settings actually live, so that a lost or stolen drive, or a PC left with the drive plugged in, cannot be read without the drive's password or recovery key.

How to Auto-Lock Removable Drives with BitLocker

  1. Know the default behaviour: A BitLocker To Go (removable) drive is locked whenever it is removed from the PC and whenever the PC restarts or shuts down. Nothing has to be enabled for that. What defeats it is the "Automatically unlock on this PC" option offered when you first unlock the drive: it stores the drive's key on the BitLocker-protected operating-system drive, so the drive opens silently at every sign-in.
  2. Check which drives auto-unlock: Open an elevated Command Prompt or Windows Terminal (right-click the Start menu, choose 'Command Prompt (Admin)' or 'Windows Terminal (Admin)') and run
    manage-bde -status
  For each removable volume the 'Automatic Unlock' line reports Enabled or Disabled, and 'Lock Status' shows whether it is currently open.
  3. Disable auto-unlock: For a drive mounted as E:, run
    manage-bde -autounlock -disable E:
  To remove every stored auto-unlock key at once (they are kept on the operating-system drive, here C:), run
    manage-bde -autounlock -clearallkeys C:
  From now on the drive asks for its password (or smart card) the next time it is inserted or the PC restarts.
  4. Lock at sign-out, not only at shutdown: BitLocker keeps a drive unlocked for the rest of the boot session, so signing out alone does not lock it. To lock it immediately, for example from a logoff script, run
    manage-bde -lock E: -ForceDismount
  The PowerShell equivalent is Lock-BitLocker -MountPoint "E:" -ForceDismount. -ForceDismount closes any open handles, so anything not yet saved to the drive is lost; without it the lock fails while files on the drive are open.
  5. Group Policy (optional, Windows Pro, Enterprise and Education only): Press Windows Key + R, type gpedit.msc and press Enter. The removable-drive settings are under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives (for example 'Control use of BitLocker on removable drives' and 'Deny write access to removable drives not protected by BitLocker'). The policy 'Require additional authentication at startup' sits under Operating System Drives and only governs the TPM, PIN and startup-key requirements for booting the PC; it has no effect on removable drives, and none of these policies is required for the auto-lock behaviour above. If you do change a policy, apply it immediately with
    gpupdate /force
  If you have Windows Home, see 'For Windows Home Users' at the end of this guide.
  6. Test the auto-lock: Sign out (with the logoff lock in place), unplug and reinsert the drive, or restart the PC. File Explorer should show the drive with a locked padlock and ask for its password before any file is readable. The 48-digit recovery key is the fallback for a forgotten password, not the normal unlock prompt.
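Steps 2 to 4 above can be done in one go and wired to sign-out. The following PowerShell script is an added example written for this article, not a script from G5 Cyber Security or Microsoft. It assumes an elevated session with the BitLocker and Storage modules available, treats every volume that Get-Volume reports with DriveType Removable as a candidate, and takes a hypothetical -ClearAllAutoUnlockKeys switch that additionally purges the auto-unlock keys stored on the operating-system drive:

```powershell
# Lock-RemovableBitLocker.ps1
# Added example for this post (not G5's or Microsoft's code).
# Assumptions: elevated session, BitLocker + Storage modules present,
# removable drives are those Get-Volume reports as DriveType 'Removable'.
#Requires -RunAsAdministrator

[CmdletBinding()]
param(
    # Hypothetical switch for this example: also remove every auto-unlock key
    # kept on the OS drive, so no removable drive opens silently at sign-in.
    [switch]$ClearAllAutoUnlockKeys
)

Import-Module BitLocker -ErrorAction Stop

# Mount points ("E:", "F:", ...) of removable volumes that have a drive letter.
$removable = Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" }

if (-not $removable) {
    Write-Output 'No removable volumes with a drive letter are attached.'
}

foreach ($mount in $removable) {
    $vol = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
        Write-Verbose "$mount is not BitLocker-protected; skipping."
        continue
    }

    # Auto-unlock is the only thing that keeps a drive open across restarts.
    if ($vol.AutoUnlockEnabled) {
        Disable-BitLockerAutoUnlock -MountPoint $mount | Out-Null
        Write-Output "$mount : auto-unlock disabled"
    }

    # Lock it now. -ForceDismount drops open handles (unsaved data is lost);
    # without it the lock fails while any file on the drive is open.
    if ($vol.LockStatus -eq 'Unlocked') {
        Lock-BitLocker -MountPoint $mount -ForceDismount | Out-Null
        Write-Output "$mount : locked"
    }
}

if ($ClearAllAutoUnlockKeys) {
    # Equivalent of: manage-bde -autounlock -clearallkeys C:
    Clear-BitLockerAutoUnlock
    Write-Output 'All stored auto-unlock keys cleared from the OS drive.'
}

# Verification: every protected removable volume should now read Locked
# with AutoUnlockEnabled False.
Get-BitLockerVolume |
    Where-Object { $removable -contains $_.MountPoint } |
    Select-Object MountPoint, ProtectionStatus, LockStatus, AutoUnlockEnabled |
    Format-Table -AutoSize
```

Run it from an elevated prompt with powershell -ExecutionPolicy Bypass -File .\Lock-RemovableBitLocker.ps1 -Verbose, then confirm with manage-bde -status that each removable volume shows Lock Status: Locked and Automatic Unlock: Disabled. To have it run at sign-out, register it as a logoff script (User Configuration > Windows Settings > Scripts (Logon/Logoff) on editions that have gpedit.msc) or as a Task Scheduler task. Note that a logoff script runs with the signing-out user's own rights, and Lock-BitLocker needs elevation, so for a standard-user account configure the scheduled task to run with highest privileges.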

Important Considerations

For Windows Home Users

The Group Policy Editor is not available in Windows Home editions, but nothing in this guide depends on it: auto-unlock is a per-drive setting controlled with manage-bde (or the BitLocker PowerShell module), not with Group Policy. Windows Home can unlock and use BitLocker To Go drives; this section assumes manage-bde is present on your edition, which you can confirm by running manage-bde -status in an elevated Command Prompt.

  1. Open an elevated Command Prompt: Right-click the Start menu and choose 'Command Prompt (Admin)' or 'Windows Terminal (Admin)'.
  2. Disable auto-unlock for the drive: With the drive mounted as E:, run
    manage-bde -autounlock -disable E:
  3. Lock it whenever you want it locked: Run
    manage-bde -lock E: -ForceDismount
  then unplug and reinsert the drive, or restart the PC, and confirm that it asks for its password.

Do not edit the registry for this. BitLocker reads its policy settings from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE; a DWORD named RequireAdditionalAuthentication under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLockerDeviceEncryption is not a documented BitLocker setting, and creating it does nothing for auto-lock. If you edit the registry for any other reason, back it up first, as incorrect modifications may cause system errors.
