Friday, November 13, 2009

How to re-lock a BitLocker drive

So you've turned on BitLocker encryption for a drive. You've unlocked it and done your work, but how do you re-lock it? Here's how to add an entry to the right-click context menu to re-lock the drive.

1. Open up Notepad and type in the following, replacing 'E:' with the drive letter of your BitLocker drive:
manage-bde -lock E: -ForceDismount
2. Save the file as lock.bat somewhere accessible, such as C:\Windows or C:\Program Files\

3. Open up Registry Editor. Navigate to the following Key:
HKEY_CLASSES_ROOT\Drive\shell
4. Create a new key named runas with the default value set to Lock.

5. Now right-click on runas in the left window pane and create a new key called command.

6. Set the value of the Default entry to c:\windows\lock.bat or whatever location you chose at step 2.

7. Navigate back to the runas key and create a new String Value called AppliesTo. Set the value to E: or whichever drive you have encrypted.

8. Go to Windows Explorer and test your new right-click context menu entry!
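
A variant of the lock.bat from step 1 that takes the drive from its argument instead of hard-coding E:, so one menu entry can serve several drives. This is an added example, not the original post's script; it assumes the command value in step 6 is changed to cmd /c C:\Windows\lock.bat "%1" and that Explorer replaces %1 with the drive root (for example E:\).

```batch
@echo off
rem lock.bat - added example, not the script from the original post.
rem Assumed registry command value (step 6):  cmd /c C:\Windows\lock.bat "%1"
setlocal

rem Refuse to run without an argument rather than guess a drive.
set "ARG=%~1"
if not defined ARG (
    echo Usage: %~nx0 DRIVE, for example %~nx0 E:
    exit /b 2
)

rem %~d1 silently falls back to the current drive when the argument has no
rem drive letter, so insist on "X:" at the start before trusting it.
if not "%ARG:~1,1%"==":" (
    echo "%ARG%" does not start with a drive letter.
    exit /b 2
)

rem E:\ or any path on E: is reduced to E:
set "DRV=%~d1"

rem The running OS volume cannot be locked; fail early with a clear message.
if /i "%DRV%"=="%SystemDrive%" (
    echo Refusing to lock the system drive %DRV%.
    exit /b 2
)

rem manage-bde needs an elevated token. S-1-16-12288 is the High Mandatory
rem Level SID that an elevated administrator token carries.
whoami /groups | findstr /c:"S-1-16-12288" >nul
if %errorlevel% neq 0 (
    echo Not elevated. Start this from an elevated prompt or via the runas verb.
    pause
    exit /b 5
)

rem Full path, so a manage-bde.* planted earlier on PATH is never picked up.
"%SystemRoot%\System32\manage-bde.exe" -lock %DRV% -ForceDismount
rem Compare against 0 instead of using "if errorlevel 1", which misses negative codes.
if %errorlevel% neq 0 (
    echo Locking %DRV% failed.
    pause
    exit /b 1
)
echo %DRV% is now locked.
```

Because the script runs elevated, keep it in a directory that only administrators can write to, such as the locations suggested in step 2.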

24 comments:

  1. How do you run the lock.bat file as admin? Can't find it in the normal right click way... I guess it needs admin rights. I get this message when I try to lock it with rightclick>lock: E:\ Application not found.

    I have double checked the path in step 6.

  2. If you use this trick while the drive is open it wouldn't work. You should add:
    manage-bde -lock e: forcedismount

    1. By the way, did you not realise that your recommended method has a typo error ... it's missing a dash before ForceDismount; it should have been ...

      manage-bde -lock e: -ForceDismount

      Please take note of the uppercase and lowercase words too.

  3. hvid74 - I'm running with UAC turned off. Naughty I know, but it works. I'll try turning it back on and see what happens.

    joas - Many thanks for the tip. I tried and you're right it doesn't work when a file is in use. I've edited the post.

  4. A suggestion on improvement.

    1. Install the elevation powertoy - needed on UAC boxes.

    http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx

    2. Set up the registry as so.


    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe]
    "AppliesTo"="(System.Volume.BitLockerProtection:=1 OR System.Volume.BitLockerProtection:=3 OR System.Volume.BitLockerProtection:=5) "
    @="Lock BitLocker Volume"
    "HasLUAShield"=""
    "MultiSelectModel"="Single"

    [HKEY_CLASSES_ROOT\Drive\shell\lock-dbe\command]
    @="@%SystemRoot%\\System32\\elevate.cmd @%SystemRoot%\\System32\\manage-bde.exe -lock G:"

    3. If anyone has the solution to change G:\ to G: through the use of %1. Even better.

  5. Thank you but if running win7 it is important that on step 6 you use:

    cmd /c c:\windows\lock.bat

    This will let you RUN AS ADMIN,
    Also I only use...

    manage-bde -lock C:

    Thank you for a GREAT GUIDE

  6. You can use %~d1 to get the drive letter rather than hard-coding it. I'm not sure, though, if that kind of expansion would work outside of a .cmd or .bat file.

  7. I did the following but it still did not work ...

    1. Open up Notepad and type in the following, replacing 'E:' with the drive letter of your Bitlocker drive:

    manage-bde -lock E:

    2. Save the file as lock.bat in C:\Windows

    3. Open up Registry Editor. Navigate to the following Key:

    HKEY_CLASSES_ROOT\Drive\shell

    4. Create a new key named runas with the default value set to Lock.

    5. Now right-click on runas in the left window pane and create a new key called command.

    6. Set the value of the Default Entry to cmd /c c:\windows\lock.bat

    7. Navigate back to the runas key and create a new String Value called AppliesTo. Set the value to E:

    My drive is e: , if i right click, the word 'Lock' appears - however it still doesn't lock. Please help.

  8. By the way, I am using Windows 7

  9. Managed to figure out, thank you for all the contributions, thanks ... I tried to lock it from the shortcut and of course it didn't work but if you go to My computer and right-click at the drive you intend to lock, it works! I couldn't thank all of you enough.

  10. Thank you so much! And also, thank you devilz_child24 for your hint. Awesome.

  11. I got it working but how do I apply this to more than 1 drive?

  12. Thanks for the post. I am using Windows 7 and it worked perfectly for me. I had my UAC (User Account Control) turned off and in step one, in place of 'manage-bde -lock E: forcedismount' I typed this: 'manage-bde -lock E:'. Don't forget to replace the drive letter with the drive you want to perform the task on.

  13. Thanks for writing this guide and also thanks to devilz_child24 for his hint

  14. I had to add a "dash" in front of forcedismount in order for it to work. Here is how it should be.

    manage-bde -lock e: -forcedismount

  15. I really tried implementing the above, but couldn't make it work for my PC (it kept complaining about not finding manage-bde.exe even with UAC off)...

    Eventually I decided to use the right-click-on-a-bitlocker-drive feature just to print out the syntax of the command.

    1. I made up my own "lock-bde" key (instead of using the generic "runas" which might be overwritten by some other app).
    2. I apply this only to my locked P: drive.
    3. I print out the syntax of the command and pause so it will be possible to copy the command. It looks like this:

    ---
    Run the following command from and elevated command prompt:

    manage-bde -lock P: -forcedismount

    Press any key to continue . . .
    ---


    Here's the lot in a registry file format (paste into a file named lock-bde.reg for example and double-click from Windows Explorer to install).

    ====================================
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Drive\shell\lock-bde]
    @="Lock Drive..."
    ; AppliesTo is read from the verb key, not from its command subkey
    "AppliesTo"="P:"

    [HKEY_CLASSES_ROOT\Drive\shell\lock-bde\command]
    @="cmd.exe /c \"echo Run the following command from and elevated command prompt: & echo. & echo. manage-bde -lock P: -forcedismount & echo. & pause\""
    ====================================

  16. Thanks a lot...
    I got it working, but how do I apply this to more than 1 drive?

  17. Hey you can download these files here directly:
    http://scorpiondivine.blogspot.com/2012/01/how-to-relock-bitlocker-encrypted-drive.html

  18. Hey, it's a direct method for having a right-click context menu option to lock a drive:
    http://scorpiondivine.blogspot.com/2012/01/how-to-relock-bitlocker-encrypted-drive.html

  19. After a long research, I got a good trick. It can be used for all drives.

    http://www.spreadbytes.com/2012/01/how-to-lock-bitlocker-encrypted-drive.html

  20. Thanks!!! Works Great Win 7 ult 64

  21. It's an absolute disgrace that there is no simple way to re lock. Why would you waste your money on ultimate when it is this crap.

  22. I got it working by typing this in notepad,
    manage-bde -lock E: -ForceDismount
    where "E" is the drive letter
    the syntax of forcedismount is important to make this work
    for me at least :P
