
how to bitlocker re-lock drive at user log-off


sunnyimran


Hi, 

For some specific purpose, I have created a VHD, connected it as NTFS drive F:\ and turned on BitLocker on it. BitLocker is set to use a password to unlock the F:\

 

Windows 7 Ultimate has two Admin accounts, say admin-1 and admin-2. I want to keep this F:\ drive unlocked and accessible within the admin-1 account only. When admin-1 logs off or locks the computer with WinKey+L, the BitLocker F:\ drive must become locked. For any other user like admin-2, F:\ should be locked and must ask for a password for access. But when admin-1 re-logs in or unlocks the computer, F:\ must be accessible. 

 

I am aware bitlocker has nothing to do with user accounts and privileges. I tried the CMD batch file as:

    manage-bde -lock F:\ -forcedismount

The bat file works fine manually under admin privileges and re-locks F:\ in any account. 

 

But I am looking for the same thing to happen at admin-1 log-off or computer lock. 

I got the idea of creating a scheduled task to run the bat file above, but I can't find any trigger to start that bat file at user log-off or computer lock.

 

Please suggest how is it possible?



I am not sure to understand. :unsure:

 

Running a script at logoff is a "standard" feature of Group Policy, *like*:

https://technet.microsoft.com/en-us/library/cc753404.aspx

example:

http://www.nextofwindows.com/how-to-run-a-script-or-command-at-logoff-in-windows-7-8

 

As well the trigger "On workstation lock" should do as a Scheduled task:

https://technet.microsoft.com/en-us/library/dd851678.aspx#BKMK_trig

https://technet.microsoft.com/en-us//library/cc748841.aspx

 

You tried them and they don't work or you weren't able to find the above info? 

 

jaclaz

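What the "On workstation lock" trigger looks like when registered from PowerShell, as an added example that is not code from either poster. It takes the account name admin-1, the drive letter F: and the manage-bde command from the thread, and assumes a local account (adjust $User for a domain account). It uses the Task Scheduler 2.0 COM interface because Windows 7 has no ScheduledTasks module, and it adds a second trigger for console disconnect, since "Switch user" does not lock the session and would otherwise leave F: unlocked while admin-2 is at the console. Logoff has no Task Scheduler trigger, so that case stays with the Group Policy logoff script linked above.

```powershell
# Added example: register a task that re-locks the BitLocker VHD volume whenever
# admin-1's session is locked (WinKey+L) or disconnected (fast user switching).
# Run from an elevated PowerShell prompt. Account and drive are assumptions.
$User     = "$env:COMPUTERNAME\admin-1"   # assumed: local account admin-1
$Drive    = "F:"                           # assumed: the BitLocker VHD volume from the thread
$TaskName = "Lock BitLocker $Drive on session lock"

# Task Scheduler 2.0 COM interface (works on Windows 7 / PowerShell 2.0).
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = "Re-lock BitLocker volume $Drive when $User locks or switches away"

# Trigger type 11 = TASK_TRIGGER_SESSION_STATE_CHANGE.
# StateChange 7 = TASK_SESSION_LOCK, 2 = TASK_CONSOLE_DISCONNECT (Switch user).
# UserId restricts the trigger to admin-1's own session, so other users' locks do nothing.
foreach ($state in 7, 2) {
    $trig = $def.Triggers.Create(11)
    $trig.StateChange = $state
    $trig.UserId = $User
    $trig.Enabled = $true
}

# Action type 0 = TASK_ACTION_EXEC: the same command the original post runs from its bat file.
$act = $def.Actions.Create(0)
$act.Path = "$env:SystemRoot\System32\manage-bde.exe"
$act.Arguments = "-lock $Drive -forcedismount"

# Run in admin-1's logon session with the highest available token: manage-bde needs
# elevation, and RunLevel 1 (TASK_RUNLEVEL_HIGHEST) avoids a UAC prompt at lock time.
$def.Principal.UserId = $User
$def.Principal.LogonType = 3    # TASK_LOGON_INTERACTIVE_TOKEN: no password is stored for the task
$def.Principal.RunLevel = 1

# Defaults would skip the task on battery power, which would leave the volume unlocked
# on a laptop; the lock must happen regardless of power state.
$def.Settings.DisallowStartIfOnBatteries = $false
$def.Settings.StopIfGoingOnBatteries = $false
$def.Settings.AllowDemandStart = $true
$def.Settings.ExecutionTimeLimit = "PT1M"

# 6 = TASK_CREATE_OR_UPDATE; logon type 3 reuses the interactive token.
$folder = $svc.GetFolder("\")
$folder.RegisterTaskDefinition($TaskName, $def, 6, $null, $null, 3) | Out-Null

# Check the registration and, after a WinKey+L round trip, the volume state:
#   schtasks /query /tn "$TaskName" /v /fo LIST
#   manage-bde -status $Drive
```

Because the action uses -forcedismount, anything admin-1 has open on F: loses its handle when the session locks, so files should be saved before locking; the volume then asks for its password again on the next access from any account, including admin-1's own session after unlock.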

OK, let me re-phrase the scenario

 

Windows 7 x64, two admin accounts Admin-1, Admin-2, other Standard accounts.

 

All I want is this: 

I need a VHD file, BitLocker encrypted, mounted and accessible as F: --> only in the Admin-1 account.

VHD file exists on D:\ 

 

If Admin-1 account logs in, VHD file should automatically mount as F: and should be unlocked and accessible.

If any other account logs in (including Admin-2), the VHD file should be locked and BitLocker asking for the password. The password is known to Admin-1 only. 

 

That's all I want. Please suggest.

I understand the scenario, but don't understand the actual question(s).

 

In the OP you essentially stated that you had a working script and asked:

1) How can I run this script at log-off event?

2) How can I run this script at workstation lock event?

 

Have you tested the suggestions?

Do they work or not in your environment?

 

Now you seemingly want another thing, to have at admin-1 log-in to have the bitlocker vhd automounted and accessible.

Which script (manually run) do you have that allows that?

I don't think it is possible at all:

https://www.medo64.com/vhdattach/faq/

and it would greatly undermine the security of the system as - even if possible - you would need to store *somehow* and *somewhere* the bitlocker vhd password.

 

jaclaz
