
BitLocker making removable media write-protected, even while unlocked

Question

Friday, October 7, 2016 12:55 PM

I work for a company that handles secure data. We use BitLocker to encrypt the drives on all company machines, as well as all removable storage devices (USB flash drives, external hard drives, etc.). This works seamlessly for all built-in storage, but for removable media, it is forcing write protection on the drives after encryption, even after the drive is unlocked using the BitLocker passcode. We still want to maintain the enforcement of encrypting anything that may contain private company data, including all removable storage devices, but want to still be able to write to them after they are encrypted. Is this normal? Is there any way to have all removable storage devices encrypted but disable write protection once they are unlocked?

In Group Policy, our status for "Deny write access to removable drives not protected by BitLocker" is Enabled. When a user plugs in an external storage device, it prompts them to encrypt their device using BitLocker before they are permitted to write to it. It then encrypts it if the user chooses to do so, or only allows read access if they refuse. Once it is encrypted, the device is writable at that time, but once it is removed and plugged back in (to the same machine, or another machine in the same network/organization), it prompts for the password that was set. Once the password is entered, it shows the device as being unlocked, but when you try to write to it, it says "This disk is write protected."

Additionally, if it helps, we do not push any other removable media BitLocker-related GP options such as 'Deny write access to devices configured in another organization' or 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows', so it would most likely be whatever the default setting is. However, every removable media device we have tested with has been new, empty, and unencrypted until we plug it into one of our machines and encrypt it with BitLocker. Still, could adding one of these policies (or maybe another I am not familiar with) as 'Enabled' potentially resolve the issue?

Any help would be greatly appreciated, as I am running out of things to try, and cannot find any threads where people have run into this issue.

Thanks!

All replies (5)

Wednesday, October 12, 2016 6:10 AM ✅ Answered

My advice was to "retry this on a clean standalone non-GPO'd Win10 1607 patched machine" - did you do this?


Friday, October 7, 2016 6:37 PM

Hi.

Sounds clearly like a bug or funny effect.

Please retry this on a clean standalone non-GPO'd Win10 1607 patched machine. Open gpedit.msc and set the BitLocker policies for removable media (deny write access to unencrypted removable drives) and retry with a completely new drive - if that works, try one of your problem drives.


Tuesday, October 11, 2016 6:46 AM

Hi DJB2113,

I have run a test on my Windows 10.1607 version. It worked as expected. Please try to restart the machine (wait for a moment) and plug in the USB again to test. Please ensure the "Removable Disks\Deny write access" policy (User configuration\Administrative Templates\System\Removable Storage Access) hasn't been applied to the machine.

Best regards

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
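
The checks suggested in the replies above can be gathered in one pass. The following PowerShell script is an added example, not posted by any participant in this thread: it reads the registry values that back the policies named here, then shows the BitLocker state and the disk-level read-only flag for the drive. The drive letter `E:` is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# as the affected user (the HKCU check reads the current user's hive).
param([string]$MountPoint = 'E:')  # assumption: letter of the unlocked USB drive

# Registry values that back the policies discussed in the thread.
$fveMachine = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$fvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$rsaSubKey  = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$checks = @(
    @{ Policy = 'Deny write access to removable drives not protected by BitLocker'
       Path = $fveMachine; Name = 'RDVDenyWriteAccess' }
    @{ Policy = 'Deny write access to devices configured in another organization'
       Path = $fvePolicy; Name = 'RDVDenyCrossOrg' }
    @{ Policy = 'Removable Disks: Deny write access (Computer)'
       Path = "HKLM:\$rsaSubKey"; Name = 'Deny_Write' }
    @{ Policy = 'Removable Disks: Deny write access (User)'
       Path = "HKCU:\$rsaSubKey"; Name = 'Deny_Write' }
)

# A missing key or value means the policy is not configured on this machine.
$checks | ForEach-Object {
    $item  = Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 'not configured' } else { $item.($_.Name) }
    [pscustomobject]@{ Policy = $_.Policy; Value = $value }
} | Format-Table -AutoSize -Wrap

# BitLocker view of the volume: it should report Unlocked with protection on.
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, LockStatus, ProtectionStatus, KeyProtector

# Disk-level flag: a read-only disk is write-protected regardless of policy.
Get-Partition -DriveLetter $MountPoint.TrimEnd(':') | Get-Disk |
    Format-List Number, FriendlyName, BusType, IsReadOnly
```

Running it on both a problem machine and the clean standalone machine suggested earlier in the thread gives a side-by-side view of which setting differs.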


Tuesday, October 11, 2016 6:09 PM

Did a restart. Tried a new USB drive. Went through the steps for encryption. Removed the device. Plugged back in. Unlocked using the passcode, and the issue with write protection still exists. I checked to make sure the Removable Disks\Deny Write access policy was not applied, and it was not.


Thursday, October 13, 2016 9:12 AM

Hi DJB2113,

Have you updated to the latest version, Windows 10.14393.321? Did you change the default configuration when enabling BitLocker on the removable drive?

According to my test, we get several options during the process of enabling BitLocker.

Best regards
