USB Devices - Flagged by BitLocker Question

  • Question

  • Hello All,

    Just to make sure we wouldn't have any surprises, I'd like to inquire of the forum -- non-USB storage/removable devices, such as cameras, printers, iPhones, iPads, etc... will BitLocker engage in encryption if these are plugged in?

    We have a force must encrypt, prior to writing, for/with removable storage devices.

    I know if you extract the SD card from a camera, and insert it into a reader, that will be flagged. Tested with an iPad/iPhone, that was safe... but... like in life... things are not that simple...

    Have you seen other devices, which you don't expect to get "flagged"... actually do? -- I'd like to build a list so we're in the know, before its widespread deployment.


    Cheers!!

    Wednesday, February 22, 2017 11:36 PM

Answers

  • Hi Tomas,

    I think that if the USB device has the device type as below, Windows can recognize it as storage, which can connect to your system not only via SATA but also via USB connection.

    // DeviceType constants as declared in the Windows DDK headers (ntddk.h / winioctl.h)
    #define FILE_DEVICE_DISK          0x00000007
    #define FILE_DEVICE_VIRTUAL_DISK  0x00000024

    The USB devices with the DeviceType as above can be considered the ones BitLocker will encrypt as removable devices. Sorry to say that there are so many devices, I cannot give out the whole list, but just tell you how it works.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Tomas Ulbrich Friday, February 24, 2017 7:17 PM
    Friday, February 24, 2017 6:40 AM
    Owner

All replies

  • Hi,

    Encrypting USB flash drives protects the data stored on the volume. Any USB flash drive formatted with FAT, FAT32, or NTFS can be encrypted with BitLocker. The length of time it takes to encrypt a drive depends on the size of the drive, the processing power of the computer, and the level of activity on the computer.

    Before you enable BitLocker, you should configure the appropriate Removable Data Drive policies and settings in Group Policy and then wait for Group Policy to be refreshed. If you don’t do this and you enable BitLocker, you might need to turn BitLocker off and then turn BitLocker back on because certain state and management flags are set when you turn on BitLocker.

    To be sure that you can recover an encrypted volume, you should allow data-recovery agents and store recovery information in Active Directory. If you use a flash drive with earlier versions of Windows, the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy can ensure that you have access to the USB flash drive on other operating systems and computers. Unlocked drives are read-only.

    For more information, please refer to the link:

    Enable BitLocker on USB Flash Drives to Protect Data

    https://technet.microsoft.com/en-us/library/ff404223.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Tao


    Thursday, February 23, 2017 7:30 AM
    Moderator
  • Hi Tomas, 

    For the devices with a memory stick, like cameras and phones, they will be considered removable disks; I consider that those could all be encrypted.

    But for printer, I don't think it will be flagged or encrypted. 


    Thursday, February 23, 2017 10:27 AM
    Owner
  • Thanks Tony for your response. I've got that all down, but was looking to the vast wisdom of the forum to see if anyone has come across USB devices that BitLocker tries/wants to encrypt, but shouldn't.

    Memory sticks, and/or some cameras, depending on how they present themselves to the OS, will be flagged as "removable storage" devices.

    We have offices across North and South America, and I'd like to find out/limit the possible "hidden" surprises when rolling out.

    Thursday, February 23, 2017 3:09 PM
  • Thanks Kate for your reply. - I'm leaning towards a generic, hey look out for these devices, they may or may not want to encrypt.

    Like I tell everyone, the read is free. But you may pay the toll, when you want to write.
    Thursday, February 23, 2017 3:13 PM
  • Thanks Kate!!

    I guess I'll go with that. Not a clean defining line, but in a nutshell: be aware - you never know what the maker has "labeled" their devices as.

    Friday, February 24, 2017 7:17 PM
  • Tomas, for a better answer, more info is needed.

    "We have a force must encrypt, prior to writing..." - could you explain? There are GPOs that prevent people from writing to removable USB storage unless that storage is encrypted, yes, but that does not mean that any unencrypted removable disk that you plug in will be encrypted automatically. That would only be enforced if you use MBAM, if I am not mistaken. Do you even use MBAM?

    Saturday, February 25, 2017 12:10 PM
  • We do indeed use MBAM v2.5.1 HF2. And yes, we do have the GPO enabled for that option - deny write ability unless the removable drive has been encrypted.

    All reads are free, no issues. But when the user goes to write, then that is the concern. Or at least an item we want to flag ahead of time for the users.

    I was just looking for a general group/category to present to the end-users for them to be aware.

    Monday, February 27, 2017 3:12 PM
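Pre-flight check for the two points raised in this thread (which attached devices Windows classifies as removable disks, and whether the "deny write unless encrypted" GPO will block them). This is an added example, not a script from the thread or from Microsoft; it assumes an elevated PowerShell session on a Windows 8 or later client with the BitLocker module, and the registry value name and path are the real ones behind the deny-write policy.

```powershell
# Added example: enumerate removable volumes and their BitLocker state before rollout.
# Assumption: run elevated; Get-BitLockerVolume requires the BitLocker PowerShell module.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyName = 'RDVDenyWriteAccess'   # "Deny write access to removable drives not protected by BitLocker"

function Get-DenyWritePolicy {
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    if ($item.$policyName -eq 1) { return 'enabled' }
    return 'disabled'
}

function Get-RemovableVolumeReport {
    $denyWrite = (Get-DenyWritePolicy) -eq 'enabled'
    # Win32_LogicalDisk DriveType 2 = "Removable Disk". Devices that expose a disk-type
    # storage stack (SD cards in readers, memory sticks, many cameras) show up here;
    # devices that only expose MTP/PTP (typical phones) get no drive letter and do not.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($disk in $removable) {
        $bl = Get-BitLockerVolume -MountPoint $disk.DeviceID -ErrorAction SilentlyContinue
        $status = if ($bl) { [string]$bl.ProtectionStatus } else { 'n/a' }
        [pscustomobject]@{
            Drive            = $disk.DeviceID
            Label            = $disk.VolumeName
            FileSystem       = $disk.FileSystem
            SizeGB           = [math]::Round($disk.Size / 1GB, 2)
            ProtectionStatus = $status
            # With the GPO enabled, an unprotected removable volume is mounted read-only:
            # reads work, the first write is what triggers the "encrypt first" prompt.
            WriteBlocked     = ($denyWrite -and $status -ne 'On')
        }
    }
}

"Deny-write-unless-encrypted policy: $(Get-DenyWritePolicy)"
Get-RemovableVolumeReport | Format-Table -AutoSize
```

Running this with each candidate device plugged in gives the per-device list the original poster was after: anything that appears in the report with WriteBlocked set to True is a device users will be asked to encrypt on first write.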