DenisMeusy-2916 asked MTG-3890 commented

Bitlocked drive not accessible until logged on

Hello,
We have run into an unusual issue with a drive on a server that is encrypted with BitLocker. We recently encrypted 18 production servers. We store the encryption key off of the servers and the drives are set to automatically unlock. When we reboot one of the servers the shared folder is not accessible until we log on to the server. As soon as we log on the share becomes available. I am assuming this has something to do with BitLocker and I am hoping we do not have to rebuild the OS and redo the encryption on 20TB of data.
Has anyone heard of this type of behavior?

windows-server-2019

MTG-3890 answered

Auto-unlock sometimes misbehaves and only unlocks the drive after someone logs on. This shouldn't be!
Undo auto-unlock and redo it and restart the server.


DenisMeusy-2916 answered MTG-3890 commented

Hi,
Thanks for your reply. I have tried the auto-unlock and password thing in as many ways as I can think of.
Are there any other ideas?


Since we use it on many servers and have encountered the problem and have solved it by undoing and redoing it, I can only offer workarounds:
Use a scheduled task on the server with these parameters:
Name: mount_and_share (for example)
Executing account: SYSTEM
Trigger: at system startup
Action: thefollowing.bat, containing:
    manage-bde -unlock d: -rp 1425646-127626-...your recovery password for d: here...
    net stop server
    net start server
What it does: it unlocks d: using the recovery password, then restarts the Server service so that the shares get created.

We have used that workaround, so we know it works. If you fear that someone could see that batch, put it somewhere safe (either on the encrypted system drive or on a network share of another machine).

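The same startup-task workaround written in PowerShell, with the recovery password kept in a separate ACL-restricted file instead of inside the script and the Server service restarted only when the volume was actually locked; this is an added example, not the poster's batch file, and the C:\BitLockerUnlock paths, file names and task name are assumptions.

```powershell
# unlock-and-share.ps1 (added example; assumed path C:\BitLockerUnlock\unlock-and-share.ps1)
# Runs as SYSTEM at startup. Uses the BitLocker module shipped with Windows Server.
param(
    [string]$MountPoint   = 'D:',
    # Assumed location of the 48-digit recovery password, on the encrypted OS drive.
    [string]$PasswordFile = 'C:\BitLockerUnlock\d-recovery.txt'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.LockStatus -eq 'Locked') {
    # Read the recovery password from the protected file rather than embedding it here.
    $rp = (Get-Content -Path $PasswordFile -Raw).Trim()
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $rp | Out-Null

    # Shares on a volume that was still locked when the Server service started are
    # not created, so restart LanmanServer (the "server" service) to recreate them.
    Restart-Service -Name LanmanServer -Force
    Write-Output "$MountPoint was locked; unlocked it and restarted LanmanServer."
}
else {
    # Nothing to do: auto-unlock worked and the shares already exist.
    Write-Output "$MountPoint already unlocked; no action taken."
}

# --- One-time setup, run once as an administrator (assumed paths) ---
# Restrict the folder so only SYSTEM and Administrators can read the password file:
#   icacls C:\BitLockerUnlock /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
# Register the task to run as SYSTEM at system startup:
#   $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                  -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\BitLockerUnlock\unlock-and-share.ps1'
#   $trigger   = New-ScheduledTaskTrigger -AtStartup
#   $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
#   Register-ScheduledTask -TaskName 'mount_and_share' -Action $action -Trigger $trigger -Principal $principal
```

Keep the password file on the encrypted OS drive so it is only readable once the OS volume itself has been unlocked, and rotate the recovery password (and update the file) if the file is ever exposed.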