How do I set up a PC to keep BitLocker locked on an encrypted drive every time a user login event occurs?

tj_zero 65 Reputation points
2023-10-18T04:11:39.9133333+00:00

【 Problem Description 】 :

A PC is shared by two users A and B;

User A encrypts drive D using BitLocker;

Drive D is not a system drive and is only used to store user A's private data;

As long as the computer system is not restarted, once user A has decrypted drive D for the first time, the data stays decrypted.

User A has to leave the seat; user B logs in to this computer with his own ID and can easily obtain user A's private data stored on drive D without verifying the BitLocker password again after logging in.

And so the leak happened;

【 Help I want 】 :

How to verify BitLocker every time a user logs in without restarting the computer system?

In other words, the decision whether the current drive remains decrypted must satisfy the following three conditions:

  1. The system checks whether a user-switch login event has just occurred.
  2. The system determines whether the current user has not yet completed BitLocker password authentication after logging in.

If any of the above is true, BitLocker keeps the drive locked.

Look forward to your reply, thank you;


1 answer

  1. Lei Tao (Shanghai Wicresoft Co Ltd) 240 Reputation points Microsoft Vendor
    2023-11-01T02:54:06.6333333+00:00

    Hi @tj_zero

    You can try the following steps:

    1. Open the Group Policy Editor (gpedit.msc).
    2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    3. Find the "Require PIN or password to activate" option and set it to "Enabled".
    4. Find the option that says "Allow users to save BitLocker recovery passwords and key packs on unencrypted OS drives" and set it to "Disabled".
    5. Find the "Allow users to disable BitLocker Drive Encryption" option and set it to "Disabled".
    6. Find the option to "Allow users to save BitLocker recovery passwords and key packs on unencrypted non-OS drives" and set it to "Disabled".
    7. Find the "Require additional authentication to boot on the operating system drive" option and set it to "Enabled".
    8. Find the "Configure Options that require additional authentication to boot on the OS drive" option and set it to "Use TPM".
    9. Find the "Configure TPM Required PIN Length" option and set it to the desired PIN length.
    10. Find the "Configure TPM Requirement PIN Complexity" option and set it to "Enabled".
    11. Find the "Configure TPM Requirement PIN Complexity" option and set it to the desired PIN Complexity requirement.
    12. Save & Close

    Once set up, BitLocker will ask users to enter their PIN or password for verification every time they log in, without having to reboot their computer system.

    Hope it helps.

    Kind regards,

    Lei
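The question asks for two things: re-locking drive D whenever another user signs in, and a way to check whether D is currently decrypted. The following PowerShell is an added example, not part of the thread above and not Microsoft's own guidance; it uses the BitLocker module cmdlets (`Get-BitLockerVolume`, `Disable-BitLockerAutoUnlock`, `Lock-BitLocker`) and registers a SYSTEM-run scheduled task that locks the volume on every interactive logon, on workstation lock and on console disconnect. The drive letter `D:`, the task name, and the use of the `MSFT_TaskSessionStateChangeTrigger` CIM class for the lock/disconnect triggers are assumptions of this example (the `New-ScheduledTaskTrigger` cmdlet has no session-state option, so the trigger is constructed from the Task Scheduler CIM class directly).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumptions: the private data
# volume is D:, it was encrypted with a password protector (not auto-unlock),
# and the task name below is arbitrary.
$DataVolume = 'D:'
$TaskName   = 'Lock-PrivateVolume-OnSessionChange'

# 1. Auto-unlock would re-open D: for whichever user signs in; make sure it is off.
#    Get-BitLockerVolume reports AutoUnlockEnabled for data volumes.
$vol = Get-BitLockerVolume -MountPoint $DataVolume
if ($vol.AutoUnlockEnabled) {
    Disable-BitLockerAutoUnlock -MountPoint $DataVolume
}

# 2. The command the task will run as SYSTEM. -ForceDismount locks the volume even
#    if the previous user walked away with files open on it. An already-locked
#    volume makes Lock-BitLocker raise an error, which we deliberately ignore.
$lockCommand = "Lock-BitLocker -MountPoint '$DataVolume' -ForceDismount -ErrorAction SilentlyContinue"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -Command `"$lockCommand`""

# 3a. Trigger on any interactive logon (this is the 'Switch user' case in the question).
$logonTrigger = New-ScheduledTaskTrigger -AtLogOn

# 3b. Trigger on workstation lock (StateChange 5) and console disconnect (StateChange 2),
#     so D: is locked the moment user A steps away, before user B even gets a prompt.
#     Assumption: built from the Task Scheduler CIM class because New-ScheduledTaskTrigger
#     offers no session-state trigger.
$triggerClass = Get-CimClass -ClassName MSFT_TaskSessionStateChangeTrigger `
    -Namespace 'Root/Microsoft/Windows/TaskScheduler'
$sessionTriggers = foreach ($state in 2, 5) {
    New-CimInstance -CimClass $triggerClass -ClientOnly -Property @{ Enabled = $true; StateChange = $state }
}

# 4. Run as SYSTEM so a standard user cannot simply end or edit the task.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger (@($logonTrigger) + $sessionTriggers) -Principal $principal -Settings $settings -Force | Out-Null

# 5. Check: run the task once by hand and read the volume's lock state.
#    LockStatus is the property that answers "is D: currently decrypted?":
#    'Unlocked' means the data is readable, 'Locked' means the password is required again.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 3
(Get-BitLockerVolume -MountPoint $DataVolume).LockStatus
```

Two caveats a practitioner should keep in mind. The task only fires on the listed session events; if user A leaves the desk without locking the screen and user B simply sits down at A's still-open session, no logon or lock event occurs and the volume stays unlocked, so screen-lock habits (or an idle-lock policy) remain the first line of defence. And because a local administrator can disable or delete any scheduled task, this control holds against a standard-user B but not against a B who is an administrator on the machine.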

