How do I set up Windows BitLocker so that the password must be re-entered to unlock the BitLocker-protected drive every time a user logs in on a computer shared by multiple people?
Project background note:
- Multiple people share a computer;
- BitLocker has been used to set the encryption of non-system drive D in the system;
- The system environment is Windows 10 Professional or Windows 11 Professional;
- You have joined the organization network of the domain.
What problem is the project to solve:
At present, once any user has logged in and entered the correct password to unlock drive D, any other user who logs in to the computer can bypass BitLocker's password prompt, as long as the computer is not restarted;
Suppose that user A's encrypted drive D stores private information and does not want unauthorized access by user B, who shares the computer with him;
Expected solutions:
1. Windows system group policy
2. Windows PowerShell script
Hope to get your technical guidance;
A screenshot of the Settings would have been helpful;
Thank you very much;
7 answers
-
Pavel yannara Mirochnitchenko (MVP)
2023-12-18T07:01:47+00:00
Not totally sure, but I would look first into the auto-unlock feature; you should disable it:
https://www.elevenforum.com/t/turn-on-or-off-auto-unlock-for-bitlocker-drive-in-windows-11.2804/
-
Thameur-BOURBITA (Moderator)
2023-12-20T05:43:14+00:00
Hi @tj_zero,
You can use the following PowerShell command to lock the drive:
Lock-BitLocker -MountPoint "E:" -ForceDismount -confirm
For more details about the PowerShell command, please read the following article:
Please don't forget to accept the helpful answer and close this thread.
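The one-liner above locks the volume but gives no feedback about whether the lock actually took effect, and it fails if any process still has a file open on the drive. The following script is an added example and not part of this answer: it checks the volume state with Get-BitLockerVolume, turns off auto-unlock (which would otherwise silently re-open the drive for the next user), locks with Lock-BitLocker, and re-reads the state to confirm. The drive letter D: is taken from the question; the function name Lock-DataVolume and the -Force switch are this example's own names. It assumes an elevated PowerShell session on Windows 10/11 Pro with the BitLocker module present.

```powershell
# Added example (not from the original answer): lock a BitLocker data volume only when it
# is actually protected and unlocked, then verify the result by re-reading the state.
# Assumes an elevated session with the BitLocker module (Windows 10/11 Pro).
# Lock-DataVolume and -Force are names chosen for this example; D: comes from the question.
param(
    [string]$MountPoint = "D:"
)

function Lock-DataVolume {
    param([string]$MountPoint, [switch]$Force)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Locking a volume that is not fully encrypted would not protect anything; refuse early.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is '$($vol.VolumeStatus)', not FullyEncrypted; nothing to lock."
    }

    if ($vol.LockStatus -eq 'Locked') {
        Write-Output "$MountPoint is already locked."
        return $vol
    }

    # Auto-unlock stores a key on the OS volume and re-opens the data drive without a
    # password prompt; it defeats the goal of per-user authentication, so turn it off first.
    if ($vol.AutoUnlockEnabled) {
        Disable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
        Write-Output "Disabled auto-unlock for $MountPoint."
    }

    # Lock-BitLocker refuses to lock while handles are open unless -ForceDismount is given.
    try {
        if ($Force) {
            Lock-BitLocker -MountPoint $MountPoint -ForceDismount -Confirm:$false | Out-Null
        } else {
            Lock-BitLocker -MountPoint $MountPoint -Confirm:$false | Out-Null
        }
    } catch {
        throw "Lock of $MountPoint failed (open files?). Re-run with -Force. Error: $_"
    }

    # Re-read the state rather than trusting that the cmdlet returned without error.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    if ($after.LockStatus -ne 'Locked') {
        throw "$MountPoint still reports LockStatus=$($after.LockStatus)."
    }
    Write-Output "$MountPoint is now locked; the next user must supply the password."
    return $after
}

Lock-DataVolume -MountPoint $MountPoint -Force
```

Note that -ForceDismount closes open handles without saving, so any unsaved work on the drive is lost; run it without -Force first where that matters, and treat a failure as a signal that something is still using the volume.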
-
Anonymous
2023-12-20T05:46:39+00:00
Hello,
Firstly, I'm afraid that this is normal behaviour.
If a user has successfully logged in to the computer and unlocked the BitLocker-protected drive once, the subsequent users can indeed bypass the BitLocker re-password authentication requirement if the computer is not restarted. This is because BitLocker remembers the unlocked state of the drive until the computer is restarted.
Meanwhile, I also tested the command to disable auto-unlock for the drive; the result is the same.
To ensure that each user is required to enter the BitLocker password on every login, you would need to restart the computer after each user session or implement additional security measures.
As far as I can think, you can consider the following:
Use hibernation instead of sleep or lock: Instead of putting the computer to sleep or locking the screen, users can hibernate the system. Hibernation saves the system state to the hard disk and requires the BitLocker password to resume, thus enforcing re-authentication for each user.
Best Regards,
Hania Lian
-
MTG
2024-01-16T21:44:36+00:00
When the computer is shared, NTFS permissions won't let user A open files of user B (with permissions set accordingly) unless user A is an admin. So without A being admin, there is no need for BitLocker unless you would like to protect against offline access. In that case, you could use EFS, which would not unlock a whole partition, but just single files. High comfort as well, and files of user A are secured against access by user B, online and offline! If you insist on using BitLocker, you may use a scheduled task that runs the batch command manage-bde -lock d: . Set it to be triggered at user logoff and at session lock. Executor: system account ("system").
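The scheduled task this answer describes, as an added example that is not part of the answer itself. Task Scheduler's PowerShell cmdlets have no "session lock" or "logoff" switch on New-ScheduledTaskTrigger, so the two triggers are built from the MSFT_TaskSessionStateChangeTrigger and MSFT_TaskEventTrigger CIM classes: StateChange 7 is the session-lock state, and Security event 4647 is the user-initiated logoff event. The task runs manage-bde -lock on D: as SYSTEM. The task name Lock-BitLocker-D is a constructed value; D: comes from the question. Assumes an elevated session on a Windows 10/11 Pro machine and that logoff auditing is enabled (needed for event 4647 to be written).

```powershell
# Added example (not from the original answer): register a SYSTEM task that locks D:
# whenever the console session is locked or a user logs off.
# Assumes an elevated PowerShell session on Windows 10/11 Pro. The task name is a
# constructed value; the drive letter comes from the question.
$TaskName = "Lock-BitLocker-D"
$Drive    = "D:"
$ns       = "Root/Microsoft/Windows/TaskScheduler"

# The action is the same manage-bde command the answer names; -ForceDismount closes
# open handles so the lock cannot be blocked by a process holding a file open.
$action = New-ScheduledTaskAction -Execute "manage-bde.exe" -Argument "-lock $Drive -ForceDismount"

# Trigger 1: session lock. Built from the CIM class because New-ScheduledTaskTrigger
# has no session-state option. StateChange 7 = TASK_SESSION_LOCK.
$sessionClass = Get-CimClass -ClassName MSFT_TaskSessionStateChangeTrigger -Namespace $ns
$lockTrigger  = New-CimInstance -CimClass $sessionClass -ClientOnly -Property @{
    StateChange = 7
    Enabled     = $true
}

# Trigger 2: logoff. There is no logoff trigger type, so subscribe to the Security
# log event 4647 (user-initiated logoff). Requires "Audit Logoff" success auditing.
$eventClass   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace $ns
$subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[EventID=4647]]</Select>
</Query></QueryList>
"@
$logoffTrigger = New-CimInstance -CimClass $eventClass -ClientOnly -Property @{
    Subscription = $subscription
    Enabled      = $true
}

# Run as the local SYSTEM account so the lock does not depend on the user's rights.
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger @($lockTrigger, $logoffTrigger) `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task exists and is ready; then confirm the effect from another session by
# checking Get-BitLockerVolume -MountPoint D: after a lock or logoff.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Two things to check after registering it: that the task's history shows a run when the workstation is locked (Task Scheduler history must be enabled to see this), and that D: reports LockStatus Locked afterwards. Because the action force-dismounts, unsaved files on D: are lost at lock time, so users should be told that the drive closes when they lock the screen.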
2024-01-16T21:44:36.63+00:00 When the computer is shared, NTFS permissions won't allow that user A opens files of user B (with permissions set accordingly) unless user A is an admin. So without A being admin, no need for bitlocker unless you would like to protect against offline access. In that case, you could use EFS, which would not unlock a whole partition, but just single files. High comfort as well and files of user A are secured against access by user B - online and offline! If you insist on using bitlocker, you may use a scheduled task that uses the batch command manage-bde -lock d: Set it to be triggered at user logoff and at session lock. Executor: system account ("system")