No manage options under Bitlocker To Go

    Question

  • Howdy All,

    I have another post out there concerning a related issue, but I wanted to ask if anybody has either seen this same issue or can explain why I'm having this issue.

    When I go to Control Panel > System and Security > BitLocker Drive Encryption I don't have manage options available to me as a Local Admin for removable drives under BitLocker To Go.

    By the way, I was never prompted to encrypt, lock, etc. the G drive which is one of the removable USB drives listed under BitLocker To Go.

    Regards, jimmy

    Friday, July 22, 2016 7:28 PM

Answers

  • Hi coolguy9000,

    According to your reply, I would assume you are in a domain environment. Are you the administrator of this domain?

    The easiest way to troubleshoot whether the issue is related to the GPO deployed to the machine is removing the machine from the domain.
    If it is verified that the issue is related to the GPO, we should have the domain administrator privileges to troubleshoot this issue.

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, July 26, 2016 7:46 AM
    Moderator

All replies

  • Hi coolguy9000,

    Is this a domain environment?

    I have checked on my Windows 10.10586.494 machine and I have got that option to enable BitLocker on removable drive.

    If this is a domain environment, please check whether the following GPO has been applied to the machine (run "gpresult /h C:\gpresult.html"):
    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Allow users to apply BitLocker protection on removable data drives

    Best regards



    Monday, July 25, 2016 2:41 AM
    Moderator
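
An added example, not part of the original thread: besides the gpresult report suggested above, the removable-drive BitLocker policy can be read straight from the registry and compared with the drive's actual state. The drive letter G: is taken from the question; the registry value names are those used by the Windows BitLocker policy template, and the report path is an assumption.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: G: is the removable drive from the question.

# Group Policy (local or domain) writes BitLocker policy values under this key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values behind "Control use of BitLocker on removable drives"
# (RDVConfigureBDE, with RDVAllowBDE = allow users to apply protection and
# RDVDisableBDE = allow users to suspend and decrypt) and behind
# "Configure use of passwords for removable data drives" (RDVPassphrase*).
$valueNames = 'RDVConfigureBDE', 'RDVAllowBDE', 'RDVDisableBDE',
              'RDVPassphrase', 'RDVEnforcePassphrase',
              'RDVPassphraseComplexity', 'RDVPassphraseLength'

if (Test-Path $fveKey) {
    $fve = Get-ItemProperty -Path $fveKey
    $rows = foreach ($name in $valueNames) {
        $value = $fve.$name
        [pscustomobject]@{
            Value = $name
            Data  = if ($null -eq $value) { '(not set)' } else { $value }
        }
    }
    $rows | Format-Table -AutoSize
} else {
    Write-Output "No BitLocker policy key at $fveKey (no BitLocker policy applied)."
}

# Computer-scope Resultant Set of Policy report; the "Winning GPO" column
# shows whether a setting comes from Local Group Policy or a domain GPO.
gpresult /scope computer /h "$env:TEMP\gpresult.html" /f

# State of the removable volume itself: whether it is encrypted, locked,
# and which key protectors it has.
Get-BitLockerVolume -MountPoint 'G:' |
    Format-List MountPoint, VolumeType, VolumeStatus, ProtectionStatus, LockStatus, KeyProtector
```

If the policy values say users may apply and suspend BitLocker but the Control Panel still shows no manage options, the volume state from the last command is the next thing to compare.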
  • Thanks for your reply, MeipXu

    I ran gpresult and here are all of the Bitlocker related GPOs:

    Windows Components/BitLocker Drive Encryption/Operating System Drives

    Policy | Setting | Winning GPO
    Enable use of BitLocker authentication requiring preboot keyboard input on slates | Enabled | Local Group Policy
    Require additional authentication at startup | Enabled | Local Group Policy
        Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Enabled
        Settings for computers with a TPM:
        Configure TPM startup: Allow TPM
        Configure TPM startup PIN: Allow startup PIN with TPM
        Configure TPM startup key:
        Configure TPM startup key and PIN:
    Require additional authentication at startup (Windows Server 2008 and Windows Vista) | Enabled | Local Group Policy
        Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): Enabled
        Settings for computers with a TPM:
        Configure TPM startup key: Allow startup key with TPM
        Configure TPM startup PIN: Allow startup PIN with TPM
        Important: If you require the startup key, you must not allow the startup PIN.
        If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
        Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

    Windows Components/BitLocker Drive Encryption/Removable Data Drives

    Policy | Setting | Winning GPO
    Configure use of passwords for removable data drives | Enabled | Local Group Policy
        Require password for removable data drive: Enabled
        Configure password complexity for removable data drives: Allow password complexity
        Minimum password length for removable data drive: 8
        Note: You must enable the "Password must meet complexity requirements" policy setting for the password complexity setting to take effect.
    Control use of BitLocker on removable drives | Enabled | Local Group Policy
        Allow users to apply BitLocker protection on removable data drives: Enabled
        Allow users to suspend and decrypt BitLocker protection on removable data drives: Enabled

    I confirmed these settings in gpedit as well:

    Setting | State | Comment
    Control use of BitLocker on removable drives | Enabled | No
    Configure use of smart cards on removable data drives | Not configured | No
    Deny write access to removable drives not protected by BitLocker | Not configured | No
    Configure use of hardware-based encryption for removable data drives | Not configured | No
    Enforce drive encryption type on removable data drives | Not configured | No
    Allow access to BitLocker-protected removable data drives from earlier versions of Windows | Not configured | No
    Configure use of passwords for removable data drives | Enabled | No
    Choose how BitLocker-protected removable drives can be recovered | Not configured | No

    Sorry, I wish viewing all of that would be easier but I cannot attach images.

    So, the setting is enabled and not denied. The options in question don't show up for the two removable USB drives that I connected at one time that got encrypted/locked.

    Regards, Jimmy

    Monday, July 25, 2016 4:03 PM
  • Hi,

    How about the issue, is there anything to update?

    If the issue has been resolved by yourself, it would be much appreciated if you would share the troubleshooting experience here and mark the case. It would be very useful for anyone who comes across a similar issue in the future.
    If the issue was resolved by the replies in this thread, please remember to click “Mark as Answer” on the post that helps you.

    Please note that we will consider the issue resolved if there is no response in three days and we will mark the proposed answer. Thanks for your understanding and cooperation.

    Best regards


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, August 03, 2016 1:32 AM
    Moderator
  • Hello MeipoXu,

    Sorry for the delay in responding. I was away on vacation for a week and a half.

    Yes. I'm in a domain. No. I'm not the domain admin. I'm a local admin though.

    When you say remove the computer from the domain do you mean:

    a. Leave the domain, e.g. take it back to workgroup, completely from the computer?

    b. Simply disconnect the computer, e.g. unplug the network connection, login as a local user, from the domain?

    I just want to be clear. Thanks so much for your help.

    Regards, Jimmy


    • Edited by coolguy9000 Sunday, August 07, 2016 10:04 PM corrections
    Sunday, August 07, 2016 10:03 PM
  • Hi coolguy9000,

    Leave the domain, e.g. take it back to workgroup.

    Best regards



    Monday, August 08, 2016 9:45 AM
    Moderator