With BitLocker To Go in particular, passwords and recovery keys are generally used for unlocking volumes. Microsoft refers to such mechanisms as protectors. By default, you have to enter the password every time you connect an encrypted USB stick to a PC.
In a secure environment, this is usually not necessary, so users can be freed from this tedious task. This can be achieved by using alternative protectors.
Automatically unlocking the drive on certain PCs
If you want a disk to be unlocked on specific computers without prompting, use the Auto-Unlock feature. It adds an External Key protector to the drive, and the key is stored in the registry.
Users can activate this feature themselves by opening the details of the relevant drive in the Control Panel under System and Security > BitLocker Drive Encryption and clicking Turn on auto-unlock. The menu entry then changes to Disable automatic unlocking, so that the behavior of BitLocker can be reset by clicking the link again.
Alternatively, the option to activate automatic unlocking can be found in the password dialog that opens after the encrypted disk is accessed. There, you can select the appropriate checkbox under More options.
While this setting can be changed on the GUI without administrative rights, its counterparts on the command line require elevated privileges. That applies to:
manage-bde -autounlock -enable <drive letter>
as well as the PowerShell cmdlet:
Enable-BitLockerAutoUnlock -MountPoint <drive letter>
(For the reverse operation, you call manage-bde -autounlock -disable or Disable-BitLockerAutoUnlock.)
This disparate behavior leads to inconsistencies. For example, neither
manage-bde -status <drive letter>
nor
Get-BitLockerVolume -MountPoint <drive letter>
report automatic unlocking as active if you have enabled it as a standard user via the GUI, because it's enabled separately for every account.
As admin, you can display the automatic unlock configured by other users with this command:
manage-bde -protectors -get <drive letter> -Type ExternalKey
When using Get-BitLockerVolume, you can find the respective keys within the property KeyProtector.
For this purpose, the tools read this entry in the current user's hive (HKCU):
HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock
The result of the commands mentioned above will not show you which key belongs to which user. The property AutoUnlockProtector is only True for your own key.
Unlocking the drive for AD users
If you want to unlock encrypted removable data drives automatically for certain users independently of the computer they are logged on to, use the protector type AdAccountOrGroup.
In this way, you can provide users with a personalized USB stick, which only they are allowed to read and which they do not have to unlock by entering passwords as long as they are logged on to the domain. However, users cannot decrypt such drives on their private devices, at least as long as they do not have access to another mechanism, such as passwords or recovery keys.
Adding such a protector requires elevated privileges, so usually the IT department provides such devices. The tools for this job are, again, manage-bde or PowerShell:
manage-bde -protectors -add <drive letter> -sid DOMAIN\user
PowerShell's BitLocker module provides the following cmdlet for this purpose:
Add-BitLockerKeyProtector -MountPoint <drive letter> -ADAccountOrGroup "DOMAIN\user" -ADAccountOrGroupProtector
If you use PowerShell to enable BitLocker, you can pass Enable-BitLocker the two parameters ADAccountOrGroup and ADAccountOrGroupProtector.
As you can see from their names, the command accepts both individual AD accounts and groups. Theoretically, this could be used to prepare some media for DOMAIN\Domain users in such a way that all users in the company can work with the media, but the data remains inaccessible to everyone as soon as they are not logged in to the domain.
If you want to know if such a protector has been configured for a volume, this is how you find out:
Get-BitLockerVolume <drive letter> | select -ExpandProperty KeyProtector | where KeyProtectorType -eq AdAccountOrGroup
Alternatively
manage-bde -protectors -get <drive letter> -Type Identity
will also display them under the section All Key Protectors.
You can remove them with the help of Remove-BitLockerKeyProtector.
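The following function is an added example, not code from the article or from Microsoft's BitLocker module. It pulls together the checks described above for both convenience protectors: it lists the ExternalKey protectors that Auto-Unlock adds (flagging only the current user's key, since that is all AutoUnlockProtector reports), lists AdAccountOrGroup (SID) protectors, and tests whether the per-user FveAutoUnlock registry key exists. The function name Get-BitLockerConvenienceProtectors is hypothetical; run it from an elevated session.

```powershell
# Added example (not from the original article): audit the convenience
# protectors on a removable BitLocker volume. Requires an elevated session.
function Get-BitLockerConvenienceProtectors {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$MountPoint
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Auto-Unlock adds an ExternalKey protector. Keys created by other users
    # are listed too, but the tools cannot tell you which user owns which key.
    $externalKeys = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'ExternalKey')

    # SID protectors appear as AdAccountOrGroup (manage-bde calls them Identity).
    $sidProtectors = @($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'AdAccountOrGroup')

    # Auto-Unlock enabled via the GUI is recorded per account under this key,
    # which is why manage-bde and Get-BitLockerVolume only see your own setting.
    $autoUnlockKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'

    [pscustomobject]@{
        MountPoint                = $volume.MountPoint
        VolumeStatus              = $volume.VolumeStatus
        ProtectionStatus          = $volume.ProtectionStatus
        ExternalKeyCount          = $externalKeys.Count
        # AutoUnlockProtector is $true only for the current user's key.
        OwnAutoUnlockKeyIds       = @($externalKeys |
                                      Where-Object AutoUnlockProtector |
                                      Select-Object -ExpandProperty KeyProtectorId)
        AdAccountOrGroupKeyIds    = @($sidProtectors |
                                      Select-Object -ExpandProperty KeyProtectorId)
        CurrentUserAutoUnlockHive = Test-Path -LiteralPath $autoUnlockKey
    }
}

# Usage: Get-BitLockerConvenienceProtectors -MountPoint 'E:'
```

A volume with ExternalKeyCount greater than zero but an empty OwnAutoUnlockKeyIds list is one that another account has configured for Auto-Unlock on this machine.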
Conclusion
Microsoft offers two convenience features for BitLocker, Auto-Unlock and SID Protector, which free users in secure environments from having to type passwords over and over again. The former unlocks encrypted volumes for the current user on a specific machine, the latter for selected users or groups on all PCs as long as they are logged on to the domain.
These features not only provide a better user experience when unlocking drives, they also enable IT departments to deploy protected volumes in the enterprise while completely shielding users from BitLocker.
Unfortunately, the implementation of these functions leaves some wishes unfulfilled. For example, there are inconsistencies between the CLI tools and the GUI option in the control panel for Auto Unlock. In addition, neither can be managed via group policies; instead, admins have to rely on PowerShell or manage-bde.exe for central management.
Can you use both SID Protector and Auto-Unlock on the same USB Stick? For example, we have an environment where some computers are on the domain and we want to use SID Protector on those computers. But then we have other computers that control machinery that are not on the domain or the internet and we want to use Auto-Unlock. Users need to be able to transfer files to/from a computer on the domain and a computer connected to machinery. Can a single USB Stick/External Hard Drive support both methods simultaneously, or do we have to touch all computers and configure Auto-Unlock for the same USB Stick/External Hard Drive?