The current method expects C: to be the system drive and therefor excludes this drive letter. There should be a better way that should not depend on the drive letter.

I'm not sure, if manage-bde.exe will refuse to lock the system drive. I therefor added the condition

(...) AND NOT C:

to the AppliesTo registry property. For a more generic approach, I tried to use/test the properties [System.Volume.IsRoot](https://docs.microsoft.com/en-us/windows/desktop/properties/props-system-volume-isroot) and [System.Storage.SystemCritical](https://docs.microsoft.com/en-us/windows/desktop/properties/props-system-storage-systemcritical) instead of hardcoding the drive letter. I tried to compare the properties with System.StructuredQueryType.Boolean#True (or similar). But this didn't work at all. Unfortunately I did not find any useful reference/example for using these properties in the registry either.

So the next approach I tried was to rely on the system environment variable %SystemDrive%. I therefor tried to use

(...) AND NOT %SystemDrive%

which doesn't work either.

So my current workaround is, to read the environment variable during installation and create the AppliesTo key property depending on its value.

I'm thinking about adding another page to the installer, which lists all found drives + an item for removable media, where the user can select, which drives should be excluded from the lock option (with the system drive being checked by default).