BitLocker wrongly preventing access to removable media

  • Question

  • Hi

    For our Windows 10 rollout we're implementing BitLocker.  Our existing Windows 7 machines are encrypted using a third-party solution, and so any BitLocker related GPOs are not targeted at Win7 devices.

    For our Win10 devices we've configured BitLocker to encrypt the OS and fixed data drive only.  We do not wish to touch removable data drives.

    However, we're seeing issues with USB hard disks (SSD or HDD).  USB flash drives are fine.

    With the USB hard disks, when connecting to Windows 10, despite the BitLocker policy being configured to not manage removable data drives we see the following events logged in regards to the USB hard disk:

    Event ID | Event Source  | Details
    796      | BitLocker-API | BitLocker Drive Encryption is using software-based encryption to protect volume D:.
    775      | BitLocker-API | A BitLocker key protector was created. Protector GUID: {87c4fe33-6ce8-42a8-8b5f-9cf7e927b8d6} Identification GUID: {b0cc22df-4d72-412f-922d-3df28d225dd0}
    775      | BitLocker-API | A BitLocker key protector was created. Protector GUID: {bc6f0523-4d36-446e-818f-92f7684659bd} Identification GUID: {b0cc22df-4d72-412f-922d-3df28d225dd0}

    If we look at the drive in the Disk Management MMC it shows as "BitLocker Encrypted" (despite no encryption taking place).  In Windows Explorer the drive displays normally, with no BitLocker-related padlock icon.

    We don't understand why, contrary to the assigned policy, BitLocker key protectors would be assigned to the removable data drive.

    The more worrying issue is that if a user with Win7 and Win10 connects their USB hard disk to their Win10 device, when they re-connect it to Win7 they get the following message:

    "Error recovering disk D:  A recovery key was not found on this drive.  The drive cannot be unlocked."

    The GPO settings for removable drives are:

    Control use of BitLocker on removable drives: Disabled

    Enforce drive encryption type on removable data drives: Disabled

    Any advice on what could be causing this issue on our removable hard disks would be greatly appreciated.

    Thanks in advance.

    Wednesday, August 7, 2019 10:48 AM

All replies

  • Hi.

    Please clarify how you are enforcing encryption. Do you use MBAM or scripts?

    Wednesday, August 7, 2019 11:46 AM
  • Hi

    We have a 3rd party tool via McAfee (McAfee Management of Native Encryption) which enforces BitLocker encryption on the OS and fixed data drive.  It doesn't manage removable drives and the vendor states management (or not) of removable drives should be leveraged via GPO, which is exactly what we've done.

    Wednesday, August 7, 2019 12:57 PM
  • The built-in GPOs never start encryption - they are only used to configure BitLocker, but not to encrypt. So what you see, what actually touches the removable media, must come from McAfee. Ask McAfee support.

    Wednesday, August 7, 2019 1:02 PM
  • Hi, thanks for the swift reply.

    We did speak to McAfee and they assert that their product does not enforce anything on removable media.  It's not even an option in the product.

    Wednesday, August 7, 2019 1:04 PM
  • Ok, that leaves only one conclusion: the drives are seen as fixed drives instead of being classified as removable.

    Please verify that. It can be verified using

    wmic logicaldisk where "drivetype=3" get name /format:value

    This will return the drive letters of partitions (or disks) seen as fixed.

    Wednesday, August 7, 2019 1:33 PM
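The wmic query above only lists drive letters. The following PowerShell script is an added example, not something posted in this thread, that goes one step further for an administrator checking the same thing: for every lettered volume it reports the DriveType Windows assigned (the value the BitLocker policy branches on), the bus the physical disk is attached to, and what BitLocker currently holds for the volume (volume type, protection status, key protectors). A USB-attached disk reported as DriveType 3 is exactly the case this thread describes, and the script flags it. It assumes a Windows 10 host with the built-in BitLocker and Storage modules and an elevated session, since Get-BitLockerVolume requires administrator rights.

```powershell
# Added example (not from this thread): cross-check how Windows classifies each
# volume against the bus it sits on and what BitLocker has recorded for it.
# Assumes Windows 10, the built-in BitLocker and Storage modules, and an
# elevated session.

function Get-VolumeClassification {
    [CmdletBinding()]
    param()

    # Win32_LogicalDisk.DriveType values relevant to BitLocker policy scoping
    $driveTypeNames = @{ 2 = 'Removable'; 3 = 'Fixed (Local Disk)' }

    $logicalDisks = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -in 2, 3 }

    foreach ($ld in $logicalDisks) {
        $letter = $ld.DeviceID.TrimEnd(':')

        # Walk drive letter -> partition -> physical disk to learn the bus type (USB, SATA, NVMe, ...)
        $busType = 'Unknown'
        try {
            $busType = [string](Get-Partition -DriveLetter $letter -ErrorAction Stop | Get-Disk).BusType
        } catch {
            # Some volumes (e.g. mounted VHDs) have no partition object; leave as Unknown
        }

        # BitLocker's own view of the volume, including any key protectors that were created
        $bl = Get-BitLockerVolume -MountPoint $ld.DeviceID -ErrorAction SilentlyContinue
        $blVolumeType = 'n/a'
        $blProtection = 'n/a'
        $blProtectors = 'none'
        if ($bl) {
            $blVolumeType = [string]$bl.VolumeType
            $blProtection = [string]$bl.ProtectionStatus
            if ($bl.KeyProtector) {
                $blProtectors = ($bl.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ', '
            }
        }

        # The situation from the thread: attached over USB, but Windows calls it a fixed drive,
        # so the fixed-data-drive policy (not the removable-drive policy) applies to it.
        $mismatch = ($busType -eq 'USB' -and [int]$ld.DriveType -eq 3)

        [pscustomobject]@{
            Drive            = $ld.DeviceID
            DriveType        = $driveTypeNames[[int]$ld.DriveType]
            BusType          = $busType
            BitLockerVolType = $blVolumeType
            ProtectionStatus = $blProtection
            KeyProtectors    = $blProtectors
            UsbSeenAsFixed   = $mismatch
        }
    }
}

# Usage: run in an elevated PowerShell session on the Windows 10 client
Get-VolumeClassification | Format-Table -AutoSize
```

Rows with UsbSeenAsFixed set to True are the disks to investigate; the KeyProtectors column shows whether protectors were created on them, which matches the Event ID 775 entries in the question. The Mismatch test uses BusType from Get-Disk, so a USB hard disk in an enclosure that presents itself as a fixed SCSI/SATA disk will show BusType USB only if the enclosure reports it that way.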
  • Now why didn't I think of that!

    Sure enough, USB-connected hard disks appear as drivetype=3 (local disk).  This contrasts with USB flash drives, which appear (correctly) as drivetype=2 (removable).

    Wednesday, August 7, 2019 3:07 PM