BitLocker turns on without a notice

  • Question

  • For a while we have been experiencing some strange behavior with Windows 10 (I think it only applies to the Creators Update), Dell notebooks and BitLocker. In our company we have a global GPO which, if one wants to encrypt his hard drive with BitLocker, prompts to save the recovery key txt file on a certain share; the BitLocker key is also saved to the computer object in AD... But this is optional, nobody is forced to do so.
    Now, just a few days ago I realized that on fresh Dell notebook installs, factory image of Dell, the C: drive (it's usually our only drive) is shown with a yellow exclamation mark in File Explorer. I googled that and figured out it is a sign that BitLocker is not activated. No idea since when this has been like that, I did not notice it before in this context. However, I left it as is because I did not have the intention to enable BitLocker.
    The next day I saw the yellow exclamation mark was gone and indeed, the drive was BitLocker-encrypted. This happened automatically, without my knowledge. And also the key was saved to this notebook's AD object. But obviously the key was not saved as a txt file to that network share defined in the policy, though.
    How can it happen that BitLocker turns on on its own? In our case, not sure if for each and every one, at least the key is saved to AD. But what if this doesn't happen? Users might lose access to their data? I have also read a few posts online, e.g. http://en.community.dell.com/support-forums/laptop/f/3518/t/20015603, that a few other users also experience the same issue. I looked around computers in our AD and found that several PCs suddenly show a BitLocker key, and definitely not all of them have turned this on on purpose. You can easily figure it out, just compare computer objects with a BitLocker key vs. key txt files on our share. The ones with a corresponding key txt file have done it on purpose, the others not.

    If BitLocker, for whatever reason, turns itself on without the knowledge of the user, and without prompting the user to save its key in a file or on a flash drive etc., this is a rather serious issue in my opinion.

    I am still digging into whether BitLocker turns on on any computer, or just once the computer belongs to the OU where we apply our BitLocker policy.
    Friday, October 20, 2017 6:39 AM
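The comparison described in the question (AD computer objects that carry a BitLocker recovery key, set against the recovery-key .txt files on the share) can be scripted. The following PowerShell is an added example and is not part of the original thread. It assumes the ActiveDirectory module is installed, a hypothetical share path, and that the .txt files are the ones "Manage BitLocker" writes, which contain an Identifier line with the recovery password's protector GUID; that GUID is the same one that ends the CN of the msFVE-RecoveryInformation object in AD.

```powershell
# Added example, not from the thread. Lists every computer that has BitLocker
# recovery information in AD and flags whether a matching recovery-key .txt
# file exists on the share the GPO points to. Per the question's reasoning,
# computers without a file were encrypted without going through the prompt.
Import-Module ActiveDirectory

$KeyShare = '\\fileserver\bitlocker-keys$'    # hypothetical share path (assumption)

# msFVE-RecoveryInformation objects are children of the computer object, so the
# parent DN names the computer; the CN ends with the protector GUID in braces.
$guidPattern = '[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
$adKeys = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                       -Properties whenCreated |
    ForEach-Object {
        $parentDn = ($_.DistinguishedName -split ',', 2)[1]
        if ($_.Name -match "\{($guidPattern)\}") {
            [pscustomobject]@{
                Computer    = (($parentDn -split ',')[0] -replace '^CN=', '')
                ProtectorId = $matches[1].ToUpper()
                BackedUp    = $_.whenCreated
            }
        }
    }

# Protector IDs found in the .txt files on the share. Assumption: the files are
# in the "Manage BitLocker" format, whose "Identifier:" line carries the GUID.
# The 8-4-4-4-12 pattern does not match the 6-digit groups of the recovery
# password itself, so only the identifier is picked up.
$fileIds = Get-ChildItem -Path $KeyShare -Filter '*.txt' -Recurse -File |
    ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        if ($text -match $guidPattern) { $matches[0].ToUpper() }
    }

# One row per computer: how many recovery passwords AD holds, when the first
# was escrowed, and whether any of them has a key file on the share.
$report = $adKeys | Group-Object Computer | ForEach-Object {
    $ids = @($_.Group.ProtectorId)
    [pscustomobject]@{
        Computer       = $_.Name
        Protectors     = $_.Count
        FirstBackedUp  = ($_.Group.BackedUp | Sort-Object | Select-Object -First 1)
        KeyFileOnShare = [bool]($ids | Where-Object { $fileIds -contains $_ })
    }
}

$report | Sort-Object KeyFileOnShare, FirstBackedUp | Format-Table -AutoSize
```

FirstBackedUp is the whenCreated of the oldest recovery object under the computer; for the machines that encrypted on their own it tends to sit right at the domain-join time, which is the pattern the later posts in the thread describe.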

All replies

  • Hi, 

    Please save out the RSOP results or gpresult as an html file and upload it to OneDrive for our research.

    You can also just pick out the BitLocker part; I would like to confirm the configuration of your BitLocker GPO.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 24, 2017 1:53 PM
    Owner
  • One thing I figured out is that the BitLocker encryption process behaves differently when I enable encryption via Windows Settings --> Update & Security --> Device Encryption or via right-click on e.g. drive C:\ --> Manage BitLocker...

    While the second option behaves according to my GPO regarding saving the key file to a certain shared location on our network, option one simply starts encryption and also saves the BitLocker key to the AD computer object, but without any notice for the user and without any option regarding how to unlock the drive at startup, backup of the recovery key etc.... the usual expected process steps via the Enable BitLocker menu.

    And this might be part of my issue. I do not know why some notebooks simply start encrypting the drive once the PC becomes a domain member; you might think of my GPO, but this is not true. You can see the BitLocker-related GPO here https://mobilexag-my.sharepoint.com/personal/dieter_tontsch_mobilexag_de/_layouts/15/guestaccess.aspx?docid=19d142ffbd4174f09b019203bce27413e&authkey=ARs_OSbA_gAchHWPFIjp8bc. But because it happens as described above, without these options to save a file, etc., and the PC, being a domain member, can write the key to the AD object, it just encrypts the drive. As I said, I am not worrying about not having the unlock keys etc.; they are all there in AD, but I don't like to get my drive encrypted without my knowledge. And if I were not aware of this I might later delete the computer object in AD together with the key....
    Tuesday, October 24, 2017 2:55 PM
  • Hi,

    I have checked the GPO; yes, it's configured without any problems.

    We also need to know who enabled BitLocker, please check this event log:

    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx

    Generally speaking, BitLocker will not automatically start up if you just deploy the GPO. It needs to be combined with another operation like a scheduled task, task sequence or scripts.



    Wednesday, October 25, 2017 9:13 AM
    Owner
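Reading the log the reply names, together with the current volume state, from the notebook itself. This is an added example and not from the thread; it assumes the BitLocker PowerShell module (Get-BitLockerVolume, present on Windows 10 Pro/Enterprise) and an elevated prompt. The "waiting for activation" state that comes up later in the thread shows up here as an encrypted volume with protection off and no key protectors, which is what Windows automatic device encryption leaves behind until a recovery key can be escrowed.

```powershell
# Added example, not from the thread. Run elevated on a suspect notebook.

function Get-BitLockerState {
    # One row per volume; the State column names the clear-key case explicitly.
    Get-BitLockerVolume | ForEach-Object {
        $protectors = @($_.KeyProtector)
        $state = if ($_.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted'
        } elseif ($_.ProtectionStatus -eq 'Off' -and $protectors.Count -eq 0) {
            'Encrypted with clear key (waiting for activation)'
        } elseif ($_.ProtectionStatus -eq 'Off') {
            'Encrypted, protection suspended'
        } else {
            'Encrypted and protected'
        }
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Status     = $_.VolumeStatus
            Percent    = $_.EncryptionPercentage
            State      = $state
            Protectors = ($protectors.KeyProtectorType -join ', ')
            RecoveryId = (($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId -join ', ')
        }
    }
}

function Get-BitLockerManagementEvents {
    # The same log the reply points to (the .evtx under System32\Winevt\Logs),
    # read through the event API. Oldest first, so the start of encryption and
    # the AD backup appear in order.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'User';    e = { $_.UserId } },
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-BitLockerState | Format-Table -AutoSize
Get-BitLockerManagementEvents -Days 90 | Format-Table -AutoSize -Wrap
```

Compare the timestamps of the first entries with the domain-join time and with whenCreated on the msFVE-RecoveryInformation object under the computer in AD. If they line up, the trigger was the key escrow becoming possible, as the later posts describe, rather than a scheduled task or task sequence; the RecoveryId column gives the protector GUID to look for in AD.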
  • Thanks, I have ordered two new notebooks of the same model. I will keep an eye on them to see if they also auto-encrypt. Then I will check the BitLocker event log and post my findings here.
    Wednesday, October 25, 2017 9:30 AM
  • Ok, let's see if we can find any clue on this issue. Thanks very much for your kind cooperation and research on this issue. 


    Thursday, October 26, 2017 12:52 AM
    Owner
  • Hello, in the meantime we have got another brand-new Dell Latitude E7480 and have kept an eye on the BitLocker-related issue. We can confirm that for some reason, as soon as it is possible to write the recovery key somewhere (in our case to the computer's AD object), BitLocker starts to encrypt the hard disk C: without a notice.

    1. Start the notebook with pre-installed Win10, give it a name, create an admin user etc... The hard disk shows the yellow exclamation mark, a kind of "ready to encrypt" state. But it does not get encrypted yet.

    2. If the PC then joins a domain, it is able to write the recovery key to the computer object and starts encryption. This happens without notice and the user is not aware of it. The yellow exclamation mark disappears and the drive is encrypted.

    Not sure if encryption would also start without a computer restart; we just restarted because a restart is required after the domain join, and saw the encryption was there.

    3. And now the recovery key is written to the computer object in AD.

    Of course we can decrypt the disk again etc., but I don't feel it is adequate behaviour to encrypt the disk of a PC just because it joins a domain, without user interaction. And as you already confirmed, my BitLocker policy does not force encryption, it just describes, IF encryption happens, how to store the recovery key....

    I don't know if this is a default behaviour of Windows 10 since 1703 (because this is the version preinstalled) or a special "feature" of the Dell image. Dell couldn't tell more.

    kind regards,

    Dieter Tontsch

    mobileX AG

    Monday, November 6, 2017 2:08 PM
  • Hi Dieter, 

    It seems that BitLocker was enabled on the HDD before joining the domain.

    I would like to say that there is no such default design to enable BitLocker in Windows 10 1703; please contact Dell support to see if the OEM image is customized to do so.

    Also, if the PC was deployed with a clean image by your administrator, check if the task sequence during setup enables BitLocker.



    Wednesday, November 8, 2017 6:19 AM
    Owner
  • Hi, the administrator is myself. I have not deployed any other image but the Dell one. And none of my installation tasks performs such a step; by the way, we have been installing the same way for years, and only recently this issue started to occur.

    And something which is really new is the fact that at the very first startup of the OS the drive is shown with this exclamation mark, as if to say "I am ready to get encrypted, but I cannot yet because I cannot save the recovery key anywhere". And once it is domain-joined, it can save the key to the computer object in AD, and now it can start encrypting. The only thing we did is to prepare the domain for BitLocker keys, but this was done years ago.

    I'll keep an eye on it further; unfortunately Dell says not much, they know nothing about this..... I also suspect them of having some bug or misconfiguration in their image.

    Still, one thing makes me suspicious: while we usually buy Dell Latitude notebooks, we recently bought one Lenovo ThinkPad. And when I look in AD I also see that this PC seems to have enabled BitLocker, at least a recovery key is saved to AD (I have to check on the PC). And this makes me feel that either there is still something buggy, or considered differently since newer Windows releases, with my GPO, or there is some default setting in Win10 1703.

    Dieter

    Wednesday, November 8, 2017 7:03 AM
  • Hi, 

    I found some information on Dell's support page

    Microsoft BitLocker enabled when Windows 10 is shipped.

    Dell systems that ship with the Windows 10 operating system and are equipped with Trusted Platform Module (TPM) capability will have Microsoft BitLocker encryption enabled from the factory. BitLocker drive encryption prevents the application of image files used to restore the Dell Factory Image.



    Friday, November 10, 2017 9:18 AM
    Owner
  • Great job Kate.

    This is most probably the reason for all that mess. I will contact Dell for further details, since I don't get the point. Based on this default setting for Dell devices, it does not make too much sense to me. BitLocker won't really encrypt unless the recovery key is somehow saved somewhere. In an AD (depends on settings) this might happen automatically if not forbidden via policy and the domain is prepared, due to the fact that the computer object can then save the recovery key to its AD object. But in a non-AD environment the user needs to manually trigger encryption... At least this is my understanding of how BitLocker works.

    Many thanks,

    Dieter

    PS. Since we had the same behaviour with a Lenovo ThinkPad, I guess they do it the same.

    Friday, November 10, 2017 9:41 AM
  • Yep, same consideration about Lenovo. 


    Friday, November 10, 2017 9:48 AM
    Owner
  • This is happening to 2 new Dell Latitude systems we received. These were not joined to the domain. Re-imaging and diskpart do not remove the BitLocker encryption. In Disk Management it shows the C drive encrypted with BitLocker, but when I go to BitLocker Drive Encryption in Control Panel it says BitLocker is waiting for activation. I can "turn off" encryption using the Windows 10 Device Encryption setting, but if I re-image it comes back.

    There is nothing in my MDT 1709 imaging task to turn on BitLocker (in fact it's on before the task even completes), and the same 1709 imaging task does not turn BitLocker on for any other models.

    We do not want this on. Please advise how to stop this.

    Friday, April 6, 2018 3:41 PM
  • HP laptops that are worked on by Ensure IT Services under warranty are also doing the same. I have had 3 brand new HP machines lock me out with BitLocker, and the client obviously never enabled BitLocker. Now the machines need to be reloaded at my cost.

    Can anybody give me an easier way to get the machine back to the state it was in, "working"? The laptop went in for an apparent board change.

    Wednesday, September 12, 2018 5:53 AM
  • Hi, just restore to factory configuration from the BIOS without losing data, and that's it.

    Good luck

    Thursday, May 9, 2019 9:37 PM
  • Hi Dieter,

    Kindly let us know the outcome of contacting the Dell Tech Support on this issue.

    I have procured a Dell Latitude 3400 laptop with Windows 10 Pro. The drive eventually gets BitLocker enabled without the user's notice or actions. In my case, the laptop is standalone in a workgroup and not joined to any domain. The drive becomes inaccessible after a Windows update (not sure which update) and there is no way to get access to the drive, as the recovery key cannot be traced.

    I had tried reaching Dell to seek help, but they passed the ball to Microsoft. Microsoft could not help me either.

    Any inputs on this will be great, as I have already formatted 3 laptops which had critical data of the project. I cannot afford to lose any more laptops.

    Thanks in advance for any help.

    Wednesday, August 14, 2019 4:26 PM
  • Hi Javs,

    Any update as to why this is happening in the first place, without any action from the user end?

    Wednesday, August 14, 2019 4:28 PM
  • Hi,

    Well, it's been quite a while since I posted this topic. But unfortunately nothing has changed, and Dell support could not help either. At that time I also examined the GPOs to see whether there is one which triggers BitLocker to turn on once I join the notebook to a domain, but there is none. For me it only happens once the notebook joins my domain, and in that case the key is written to the computer object in AD, so I do have the unlocking information though.

    But still, drives do get encrypted by BitLocker once I join the PC to my domain. I think it did not happen for a while, but for several months it has been happening again.

    Friday, August 16, 2019 8:42 AM
  • I ended up solving this by creating a registry key on my base image.

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v PreventDeviceEncryption /t REG_DWORD /d 1 /f

    Friday, August 16, 2019 1:12 PM
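The same registry value, applied with PowerShell and combined with the two things a deployment engineer wants around it: a read-back check, and handling of volumes the factory image already encrypted with a clear key, which the value does not undo (it only stops automatic device encryption from starting). This is an added example and not from the thread; it assumes an elevated prompt and the BitLocker module (Get-BitLockerVolume, Disable-BitLocker). As in the reply above, the value belongs in the reference image or is applied before OOBE, otherwise device encryption returns with each re-image.

```powershell
# Added example, not from the thread. Run elevated.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

function Disable-AutomaticDeviceEncryption {
    # Same value as "reg add ... /v PreventDeviceEncryption /t REG_DWORD /d 1 /f".
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name PreventDeviceEncryption `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read it back so a failed write shows up instead of being assumed.
    (Get-ItemProperty -Path $regPath -Name PreventDeviceEncryption).PreventDeviceEncryption -eq 1
}

function Get-ClearKeyVolumes {
    # Volumes encrypted by device encryption but never activated: encrypted,
    # protection off, no key protectors (the "waiting for activation" state
    # behind the yellow exclamation mark).
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and
        $_.ProtectionStatus -eq 'Off' -and
        @($_.KeyProtector).Count -eq 0
    }
}

if (-not (Disable-AutomaticDeviceEncryption)) {
    throw "PreventDeviceEncryption was not written to $regPath"
}

# Policy chosen here: encryption only when the user turns it on, so volumes
# the factory image left in the clear-key state are decrypted. Decryption runs
# in the background; Get-BitLockerVolume shows the progress.
foreach ($vol in Get-ClearKeyVolumes) {
    Write-Host "Decrypting $($vol.MountPoint): clear-key encrypted, no protectors"
    Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null
}
```

If the intent is the opposite, keeping the drive encrypted but making the state explicit, replace the Disable-BitLocker call with Add-BitLockerKeyProtector (a TPM protector plus a recovery-password protector) followed by Backup-BitLockerKeyProtector for the recovery password, so the key is escrowed deliberately and the txt file can be written to the share the GPO names rather than relying on the silent AD backup the thread describes.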