Auto Unlock BitLocked drives

Mr Cheese 1 Reputation point
2023-07-18T10:57:55.0066667+00:00

Hi.

I am just seeking some advice for the following desired implementation for encrypting drives and doing backups.

I have a set of 5 USB external drives, which I have encrypted using BitLocker on a Windows 10 PC.

All these drives have the same drive label, which is required for the backup system I am using.

I have a server, running Server 2019, which I then connect these drives into to use to back up data.

Mostly working as desired, but the issue I am having at the moment is with the Auto Unlock functionality.

I am wanting the server to be not logged in to any user accounts, and have someone connect any of the drives which will then auto unlock so the backup system can write to it.

I have had some success. I have set the backup background service to login with the user account used to store the BitLocked password, and this seemed to work OK.

My issues are when the drives are swapped, I am not seeing them automatically unlock. Although sometimes it seemed to work.

Just seeking some advice on how I may achieve this so I can run backups to any of these drives connected without the user being logged in to the desktop and have the backups auto unlock the drive to write to it.

  1. Limitless Technology 44,541 Reputation points
    2023-07-19T12:20:55.5666667+00:00

    Hello Mr Cheese,

    Thank you for your question and for reaching out with your question today.

    To achieve the desired implementation of automatically unlocking BitLocker-encrypted drives on your Server 2019 without the need for a user to be logged in to the desktop, you can use the "Auto Unlock" feature of BitLocker. Auto Unlock allows BitLocker-protected data drives to be automatically unlocked on a computer during system startup without requiring any user intervention.

    Here's a step-by-step guide on how to set up Auto Unlock for your BitLocker-encrypted external drives:

    1. Prepare the BitLocker-protected drives on the Windows 10 PC: Ensure that each of the 5 USB external drives has been properly BitLocker-encrypted on the Windows 10 PC. You mentioned that you have already done this, but make sure that you have enabled BitLocker Auto Unlock for these drives as well. To enable BitLocker Auto Unlock on a drive, follow these steps:
      • Open an elevated Command Prompt (Run as Administrator).
      • Type the following command and press Enter for each of the drives you want to enable Auto Unlock for:

             manage-bde -autounlock -enable <drive letter>:

        Replace <drive letter> with the drive letter of the BitLocker-protected drive.
    2. Export the BitLocker recovery key: On the Windows 10 PC, where the drives were encrypted, make sure to export the BitLocker recovery key for each of the drives. You will need this information to configure the Auto Unlock feature on the Server 2019.
    3. Prepare the Server 2019: Now, on your Server 2019 machine, you'll need to do the following:
      a. Ensure that the BitLocker feature is installed and enabled on the Server 2019.
      b. Import the BitLocker recovery keys for each of the encrypted drives from step 2. You can do this using the BitLocker Recovery Password Viewer or the manage-bde command-line tool.
    4. Configure BitLocker Auto Unlock on the Server 2019: Once you have the BitLocker recovery keys imported on the Server 2019, you can configure Auto Unlock as follows:
      a. Open an elevated Command Prompt (Run as Administrator).
      b. Type the following command and press Enter for each of the drives you want to enable Auto Unlock for:

             manage-bde -autounlock -enable <drive letter>:

        Replace <drive letter> with the drive letter of the BitLocker-protected drive.
    5. Reboot the Server 2019: After configuring Auto Unlock, it's a good idea to restart the Server 2019 to ensure the settings take effect.
    6. Test Auto Unlock: Once the Server 2019 has restarted, you can test the Auto Unlock feature by connecting any of the BitLocker-encrypted drives to the server. The drives should automatically unlock without requiring any user intervention, allowing your backup system to write data to them.

    Please note that for Auto Unlock to work, the Server 2019 must have the necessary hardware and BIOS/UEFI settings configured to support the TPM (Trusted Platform Module) and Auto Unlock feature.

    Always make sure to back up critical data and verify the backup process to ensure the data integrity and security of your system. Additionally, be cautious with BitLocker recovery keys and keep them secure in a separate location in case they are needed for recovery purposes.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

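As an added example (not part of the answer above, and not Microsoft's own tooling), the following PowerShell script does on the server what the manage-bde steps describe, and also surfaces the per-volume state that explains the "sometimes it works" symptom: auto-unlock is enrolled per BitLocker volume on the machine that will do the unlocking, so each of the five physical drives has to be enrolled on Server 2019 while it is connected and unlocked, even though they all carry the same label. The script assumes the BitLocker feature and its PowerShell module are installed on the server, that it runs in an elevated session, and that the server's own operating system volume is BitLocker-protected, which `Enable-BitLockerAutoUnlock` requires. The `-Password` parameter name and the report columns are this example's own choices.

```powershell
<#
  Added example, not from the original answer: audit BitLocker data volumes on
  the server and enroll every connected, unlocked volume for auto-unlock.
  Assumptions: BitLocker feature + PowerShell module installed, elevated session,
  and the OS volume is BitLocker-protected (required for auto-unlock).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive password as a SecureString, e.g. -Password (Read-Host -AsSecureString 'Drive password').
    # Omit it to only report status and enroll drives that are already unlocked.
    [securestring]$Password
)

# Auto-unlock keys are kept against the OS volume, so it must itself be protected.
$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume -or $osVolume.ProtectionStatus -ne 'On') {
    throw 'The operating system volume is not BitLocker-protected; auto-unlock cannot be enabled.'
}

# Only data volumes that actually carry BitLocker key protectors are candidates.
$dataVolumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.KeyProtector.Count -gt 0 }

$report = foreach ($vol in $dataVolumes) {
    $mount = $vol.MountPoint

    # A locked drive cannot be enrolled; unlock it first if a password was supplied.
    if ($vol.LockStatus -eq 'Locked') {
        if ($Password) {
            Unlock-BitLocker -MountPoint $mount -Password $Password | Out-Null
        } else {
            Write-Warning "$mount is locked and no password was supplied; skipping enrollment."
        }
    }

    # Re-read the volume state after the unlock attempt.
    $vol = Get-BitLockerVolume -MountPoint $mount

    # Enrollment is per volume: each physical drive must be enabled separately on
    # this machine, regardless of the shared volume label.
    if ($vol.LockStatus -eq 'Unlocked' -and -not $vol.AutoUnlockEnabled) {
        if ($PSCmdlet.ShouldProcess($mount, 'Enable BitLocker auto-unlock')) {
            Enable-BitLockerAutoUnlock -MountPoint $mount | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $mount
        }
    }

    # Volume label, so drives sharing a label can still be told apart by mount point.
    $label = if ($mount -match '^[A-Za-z]:$') {
        (Get-Volume -DriveLetter $mount.TrimEnd(':')).FileSystemLabel
    } else { '(no drive letter)' }

    [pscustomobject]@{
        MountPoint        = $mount
        Label             = $label
        ProtectionStatus  = $vol.ProtectionStatus
        LockStatus        = $vol.LockStatus
        AutoUnlockEnabled = $vol.AutoUnlockEnabled
        KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

$report | Format-Table -AutoSize
```

Run it once with `-WhatIf` to see which volumes would be enrolled, then with each drive attached in turn. A drive whose row shows `AutoUnlockEnabled` as `False` after a swap is one that was never enrolled on the server, which matches the intermittent behaviour described in the question; once every drive shows `True`, the BitLocker service unlocks it when it is attached, without an interactive sign-in, and the backup service's account only needs file-system access to the mounted volume. The `KeyProtectors` column should list an `ExternalKey` entry for enrolled volumes alongside the original `Password` or `RecoveryPassword` protectors.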