@Muminur
Created February 14, 2026 04:25
Lock BitLocker Drive on Workstation Lock
This scheduled task configuration ensures that BitLocker drive M: is automatically locked whenever the workstation is locked.
The task runs under the SYSTEM account so the lock applies to all users on the machine.
FILES
- LockBitlockerMOnLock.xml
Task Scheduler XML definition with a SessionLock trigger and SYSTEM principal.
TASK XML
Save the following XML as LockBitlockerMOnLock.xml (ensure UTF-16 encoding):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2026-02-14T00:00:00</Date>
    <Author>LocalSystem</Author>
    <Description>Lock BitLocker M: on workstation lock</Description>
  </RegistrationInfo>
  <Triggers>
    <SessionStateChangeTrigger>
      <Enabled>true</Enabled>
      <StateChange>SessionLock</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>SYSTEM</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>manage-bde</Command>
      <Arguments>-lock M: -ForceDismount</Arguments>
    </Exec>
  </Actions>
</Task>
IMPORT THE TASK
1. Save the XML to a local path, for example:
C:\Temp\LockBitlockerMOnLock.xml
2. Open an elevated Command Prompt (Run as Administrator).
3. Import the task:
schtasks /Create /TN "LockBitlockerMOnLock" /XML "C:\Temp\LockBitlockerMOnLock.xml" /RU "SYSTEM"
VERIFY AND TEST
- Check task exists:
schtasks /Query /TN "LockBitlockerMOnLock" /V
- Run the task manually for testing:
schtasks /Run /TN "LockBitlockerMOnLock"
- Confirm BitLocker status:
manage-bde -status M:
NOTES AND WARNINGS
- Permanent until removed: The scheduled task persists until you delete or disable it.
schtasks /Delete /TN "LockBitlockerMOnLock" /F
- Data loss risk: The action uses -ForceDismount which will close open handles. Unsaved data on drive M: may be lost. Ensure applications using the drive are closed or remove -ForceDismount if you prefer a non-forceful approach.
- Disable auto unlock: If the drive is set to auto-unlock at logon, disable it so the drive does not automatically unlock:
manage-bde -autounlock -disable M:
- Permissions: Import and management require Administrator privileges.
TROUBLESHOOTING
- If schtasks reports the task already exists, delete it first:
schtasks /Delete /TN "LockBitlockerMOnLock" /F
- If the task does not run on lock, confirm the XML trigger is SessionLock and the principal is SYSTEM.
- If the drive fails to lock due to open handles, identify processes holding handles (Sysinternals handle.exe) and close them before locking.
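The checks from VERIFY AND TEST and TROUBLESHOOTING can be run in one pass against the task as registered. The script below is an added example, not part of the original gist; the function name Test-LockTask is hypothetical, and the bare-command-name note is an added hardening check. It assumes an elevated PowerShell session and the task and drive names used on this page.

```powershell
# Added example: audit the registered task and drive M: against the settings this page describes.
function Test-LockTask {
    param([string]$TaskName = 'LockBitlockerMOnLock', [string]$MountPoint = 'M:')

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { "Task '$TaskName' is not registered"; return }
    if ($task.State -eq 'Disabled') { "Task is disabled" }

    # Inspect the definition as Task Scheduler stored it, not the file that was imported.
    [xml]$def = Export-ScheduledTask -TaskName $TaskName

    # Trigger: at least one enabled SessionStateChangeTrigger with StateChange = SessionLock.
    $locks = @($def.Task.Triggers.SessionStateChangeTrigger |
        Where-Object { $_.StateChange -eq 'SessionLock' -and $_.Enabled -ne 'false' })
    if ($locks.Count -eq 0) { "No enabled SessionLock trigger found" }

    # Principal: SYSTEM may be stored by name or as the well-known SID S-1-5-18.
    $user = $def.Task.Principals.Principal.UserId
    if ($user -notin 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY\SYSTEM') {
        "Principal is '$user', expected SYSTEM"
    }

    # Action: manage-bde -lock <drive>.
    $exec = @($def.Task.Actions.Exec)[0]
    if ($exec.Command -notmatch 'manage-bde(\.exe)?$' -or
        $exec.Arguments -notmatch ('-lock\s+' + [regex]::Escape($MountPoint))) {
        "Action is '$($exec.Command) $($exec.Arguments)', expected manage-bde -lock $MountPoint"
    }
    # Added hardening check: a bare command name is resolved through the search path.
    if ($exec.Command -notmatch '\\') {
        "Note: command '$($exec.Command)' is not a full path (e.g. under %SystemRoot%\System32)"
    }

    # Drive: auto-unlock would undo the lock at next logon.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $vol) { "BitLocker volume $MountPoint not found"; return }
    if ($vol.AutoUnlockEnabled) { "Auto-unlock is enabled on $MountPoint" }
    "Info: $MountPoint LockStatus = $($vol.LockStatus)"
}

$findings = @(Test-LockTask)
$findings | ForEach-Object { Write-Host $_ }
```

Any line other than the final Info line points at a setting that differs from what this page describes.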
ADDITIONAL TIPS
- To test the XML import via PowerShell (alternative):
$xml = Get-Content -Path "C:\Temp\LockBitlockerMOnLock.xml" -Raw
Register-ScheduledTask -TaskName "LockBitlockerMOnLock" -Xml $xml -User "SYSTEM"
- If you prefer not to force dismount, remove -ForceDismount from the <Arguments> line in the XML.
LICENSE AND ATTRIBUTION
Use at your own risk. Ensure you understand the data-loss implications before deploying. Share improvements or alternatives in your repository notes.
INSTRUCTIONS TO SAVE AS A .TXT FILE
1. Copy the entire contents of this block.
2. Open Notepad (or any plain-text editor).
3. Paste the contents.
4. Save As: LockBitlocker_Instructions.txt (Encoding: UTF-8 or ANSI).