
Bitlocker protected USB drives remain read only even after unlocking

Question

Monday, July 17, 2017 8:12 AM | 1 vote

I have an odd issue with Windows 10, we have the group policy enabled to deny write access to USB drives unless encrypted with Bitlocker. This gives the illusion that everything is working, when an unencrypted USB drive is inserted into the computer the user is prompted to Encrypt the drive which completes successfully. Immediately following the encryption the user is able to write to the USB drive as expected, the problem surfaces when the USB drive is ejected and reinserted or when the computer is rebooted, the user gets prompted to enter the Bitlocker password which does successfully unlock the drive but the user is unable to write to the drive and gets an alert saying the drive is write protected.

I have gone through the group policies and cannot see what would possibly cause this, any help will be greatly appreciated.

All replies (24)

Thursday, July 20, 2017 6:55 PM | Answered

Gary, mostly, when abnormal things seem to happen, it is some silly thing that is overlooked. However, when you only did the steps you described, it would work, definitely, unless your GPOs brought some interferences into the system that you are not aware of.

->retry without joining the domain and without setting the encryption method via registry - just leave it at defaults for a test. Also installing updates is not needed for this test.


Monday, July 17, 2017 9:59 AM | 1 vote

Hi Gary.

Please check if the following GPO is applied at the client: Administrative Templates > System > Removable Storage Access -> removable storage devices: deny write

https://technet.microsoft.com/de-de/library/cc730808%28v=ws.10%29.aspx


Tuesday, July 18, 2017 12:43 PM

Hi Ronald,

I have checked and the policy is not applied; also, if it were, the initial write immediately following the BitLocker encryption would have been unsuccessful. Something else is going on here. I'm beginning to think it's a bug in Windows 10.


Tuesday, July 18, 2017 1:13 PM

We use this policy (deny write if not bitlocked) on win10 company-wide. Here, it works without issues. What win10 version? We just implemented it with the latest version v1703.


Tuesday, July 18, 2017 1:49 PM

I have tested on the user's v1607 and my laptop on v1703; both have the same result.

I do have a problem step recording showing the issue but am not able to include links in the forum until my account is verified.


Wednesday, July 19, 2017 3:38 AM

Hi Gary,

Disable Deny write access to fixed drives not protected by BitLocker

Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Fixed Data Drives/

Reboot computer to test again.

If that doesn't work, change it to 'Not Configured', reboot.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, July 19, 2017 10:54 AM

Hi Teemo,

This is not a fix as our security policy requires USB devices to be encrypted with Bitlocker.


Wednesday, July 19, 2017 10:58 AM

Gary, please retry on a clean test system that gets no GPOs but 1 local GPO with that setting - you will see it works without problems. Then see what other GPOs are enforced in your environment and enforce them one by one to find out what interferes.


Thursday, July 20, 2017 1:12 AM

Hi Gary,

The GPO I mentioned does not conflict with your BitLocker encryption requirement; this approach has been reported by some users to fix the write-protection issue, so I suggest trying it.

My Drive D: is locked into an attribute of Read-Only

https://www.eightforums.com/general-support/49997-my-drive-d-locked-into-attribute-read-only.html

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, July 20, 2017 8:09 AM

Hi Teemo,

We already don't have that GPO enabled, fixed drives are encrypted as part of the deployment process.

I'm going to be trying Ronald's suggestion today on a clean build, then apply the policies one at a time until I find the one causing the issue.


Thursday, July 20, 2017 12:26 PM

I've built a test laptop, before enabling the policy to deny write access to removable drives not protected by BitLocker I am able to unlock a USB drive and write to as expected.

After enabling this policy with it being the only policy enabled on the laptop I get the same result as before, after unlocking the drive I get the error saying the disk is write protected.

Removing BitLocker from the USB drive and then re-enabling it allows me to write, but as soon as I eject it and re-insert it I get denied write access again.

This eliminates group policy as the cause of my pain. The only other thing that's done during deployment is that the fixed drive is encrypted with 256-bit AES encryption, with the recovery key stored in AD. I use MDT to deploy my images.


Thursday, July 20, 2017 12:39 PM

Gary,

sounds really strange. Please try different hardware for both usb drive and computer and test again.

Make sure, your win10 installation is really clean - nothing but windows on it.


Thursday, July 20, 2017 1:12 PM

I get the same result on 4 different computers that I try; the one I built today is another laptop, a different model from the others, and the user is on a desktop.

I'm currently rebuilding the laptop using the ISO direct from Microsoft with no applications installed. I'm going to test without the fixed drives encrypted and then repeat the tests with the fixed drives encrypted to see if there is any chance that may be the cause.


Thursday, July 20, 2017 3:34 PM

I have now built a laptop using Microsoft's ISO downloaded from the licensing portal. The only things I have done are as follows.

  1. Installed Windows 10
  2. Installed updates
  3. Joined it to the domain
  4. Set it to use 256-bit AES encryption with the following command:
     reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f
  5. Enabled the policy to deny write access to removable drives not protected by BitLocker
  6. Refreshed the policy, inserted the USB drive and got prompted to encrypt; the drive encrypted and I was successfully able to read and write. I ejected the USB drive, removed it and re-inserted it, got prompted to unlock it with the BitLocker password and again was denied write access as before.

I'm now at a loss as to what could be causing the issue.


Thursday, July 20, 2017 3:37 PM

And with how many different usb sticks does that happen? Please try different brands.


Thursday, July 20, 2017 3:39 PM

Every USB drive I've tried, all different brands. The user is having the problem with an external hard drive as well as any USB drive he plugs in, and I get the same issue with 2 different branded USB drives.


Friday, July 21, 2017 11:19 AM

I have now rebuilt the laptop using the ISO from Microsoft, left in the default WORKGROUP.

Opened the local group policy editor, enabled the policy "Deny write access to removable drives not protected by BitLocker" and got the exact same result.

I did get some success by unchecking the box "Do not allow write access to devices configured in another organization", which works and is better than not requiring BitLocker at all, but doesn't align with our security policy.

The fact that it is happening on a non domain joined build as well as on a domain joined build can only mean it is a bug in Windows 10.


Friday, July 21, 2017 11:41 AM

Then you'll need to file a bug with Microsoft - I can only guarantee you that it works here with every computer and every stick on win10 v1703.


Friday, July 21, 2017 12:19 PM

Ronald, thank you for your patience. The suggested troubleshooting path pointed me in the direction of the issue; you were correct, it was indeed something silly that was overlooked.

It turns out that if you have the policy set to not allow write access to devices configured in another organization, the policy "Provide the unique identifiers for your organization" is also required.

I have added that to the policy and everything is working the way I expect it to work.

Thanks again.

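The dependency Gary found (the "Do not allow write access to devices configured in another organization" checkbox is only meaningful when "Provide the unique identifiers for your organization" is also configured, and a drive whose identification field does not match is mounted read-only after re-insertion) can be audited on a client. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the registry locations the BitLocker ADMX writes to (RDVDenyWriteAccess under HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE; RDVDenyCrossOrg, IdentificationField, IdentificationFieldString and SecondaryIdentificationField under HKLM\SOFTWARE\Policies\Microsoft\FVE), that `manage-bde -status` prints an "Identification Field:" line for the volume, and that the allowed (secondary) identifiers are comma-separated. Verify those against `gpresult /h` and `manage-bde -status` on your own build if anything disagrees. The function names are mine.

```powershell
# Added example (not from the thread): audit the removable-drive write policy and
# check a BitLocker volume's identification field against it. Run elevated on Windows.
# Registry paths/value names are assumptions based on the BitLocker ADMX; verify locally.

$swFve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$sysFve = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is "Not Configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RemovableWritePolicy {
    $denyWrite    = Get-RegValue $sysFve 'RDVDenyWriteAccess'        # Deny write access to removable drives not protected by BitLocker
    $denyCrossOrg = Get-RegValue $swFve  'RDVDenyCrossOrg'           # ...its "devices configured in another organization" checkbox
    $idEnabled    = Get-RegValue $swFve  'IdentificationField'       # Provide the unique identifiers for your organization
    $idString     = Get-RegValue $swFve  'IdentificationFieldString'
    $idSecondary  = Get-RegValue $swFve  'SecondaryIdentificationField'

    $idConfigured = ($idEnabled -eq 1 -and -not [string]::IsNullOrEmpty($idString))
    $findings = @()
    if ($denyWrite -ne 1) {
        $findings += 'RDVDenyWriteAccess is not 1: unencrypted removable drives are writable.'
    }
    if ($denyCrossOrg -eq 1 -and -not $idConfigured) {
        # This is the misconfiguration from the thread: cross-org check on, no identifier
        # to compare against, so a drive is read-only every time it is re-inserted.
        $findings += 'RDVDenyCrossOrg=1 but no organization identifier is configured.'
    }
    [pscustomobject]@{
        DenyWriteUnprotected = $denyWrite
        DenyCrossOrg         = $denyCrossOrg
        IdentifierConfigured = $idConfigured
        Identifier           = $idString
        SecondaryIdentifiers = $idSecondary
        Findings             = $findings
    }
}

function Test-DriveIdentifier {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    # manage-bde -status is assumed to print "Identification Field: <value>" ("None" if unset).
    # A drive encrypted before the identifier policy reached the client still carries "None"
    # and stays read-only until its identifier is (re)written.
    $status = & manage-bde.exe -status $DriveLetter 2>&1 | Out-String
    $field  = if ($status -match 'Identification Field:\s*(.+)') { $Matches[1].Trim() } else { 'None' }

    $policy  = Test-RemovableWritePolicy
    $allowed = @(@($policy.Identifier) + @("$($policy.SecondaryIdentifiers)" -split ',' | ForEach-Object { $_.Trim() }))
    $allowed = @($allowed | Where-Object { $_ })
    $matches = $allowed -contains $field
    $remediation = if ($matches) { 'none' }
                   else { "unlock the drive, then: manage-bde -SetIdentifier $DriveLetter (after the identifier policy has applied)" }
    [pscustomobject]@{
        Drive               = $DriveLetter
        IdentificationField = $field
        AllowedIdentifiers  = $allowed
        MatchesPolicy       = $matches
        Remediation         = $remediation
    }
}

Test-RemovableWritePolicy | Format-List
# Test-DriveIdentifier -DriveLetter 'E:' | Format-List
```

Two practical notes. `Test-RemovableWritePolicy` reproduces Gary's symptom as a finding when the cross-org checkbox is on without an identifier, which is the state both of his clean builds were in. `Test-DriveIdentifier` covers the follow-on case this thread does not mention: drives that were encrypted before the identifier policy was deployed carry no identification field, so they will still be read-only until `manage-bde -SetIdentifier` stamps the current policy value onto them.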

Monday, July 24, 2017 6:37 AM

Great.


Wednesday, August 22, 2018 2:00 PM

Hi. This may not be the correct thread, but I have an issue where my work-issued Windows 10 laptop is BitLocker-encrypted and we cannot delete files from non-BitLocker USB drives. We can read them. This is a big problem from a GDPR point of view, as it makes it harder to conform to GDPR if sound or video is left on a camera's SD card, for example.

You can delete files using the camera, but if the camera has been loaned out to someone else in the department you don't always have access to do that.

Wondering if it's just a policy setting I can ask to be changed in group policy?

Thanks

Tom.


Wednesday, August 22, 2018 4:14 PM

Might be a GPO. You can restrict removable media to be writable only when BitLocker-protected: /en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-driveaccess2


Thursday, March 21, 2019 4:09 PM

I had the same issue and the only solution I found was to enable auto-unlock for the removable drive via the BitLocker Management window (although there are other ways to enable auto-unlock).

Likewise, I did not find any group policy object, registry entries, or other settings (checked 3rd-party endpoint programs) and came up with nothing. After the initial encryption, and before I enabled auto-unlock, the only way I could write to the encrypted removable drive was to boot into the command line via recovery mode. Because the drive works before Windows boots, I can only assume there is something in Windows affecting this... and apparently no one knows a solution to get it to work without auto-unlock turned on.


Wednesday, July 29, 2020 10:42 PM

Thanks so much. I couldn't work out this issue until I read your solution.