Strange USB Issue

Jeffrey Tucker 341 Reputation points
2021-03-03T12:39:41.867+00:00

hello, i am testing MECM deployed BitLocker (BL) policy. The policy is set for encryption of system / boot drive and worked without any noted issues. However weird issue with USB drives and I was hoping someone had some insight.

  1. Insert new USB drive
  2. Had to DISKPART a blank drive because BL thought it was bootable (got past that)
  3. Insert prepared USB drive and go through steps to encrypt drive to include passphrase
  4. Copy some files to USB drive with no problems
  5. Take out drive and go to another laptop
  6. Drive opens after inputting passphrase
  7. Can delete files/folders
  8. Insert drive back into original laptop
  9. Unlock drive with passphrase
  10. Cannot delete or put anything new on drive (delete option is not in context menu; delete button does not do anything)
  11. Decrypt drive and encrypt drive again
  12. First time inserted it works
  13. Remove drive, reinsert, enter passphrase and back to step 10

I took a look at everything I could find and was unable to find a fix.

Any thoughts?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,807 questions
{count} votes

Accepted answer
  1. Jeffrey Tucker 341 Reputation points
    2021-03-05T15:02:51.733+00:00

    made another change. now the encrypted drives works as expected but a new unencrypted drive insert into USB works without encryption even after asking

    74892-image.png

    74807-image.png

    now it really does not make any sense.

    0 comments No comments

5 additional answers

Sort by: Most helpful
  1. Jeffrey Tucker 341 Reputation points
    2021-03-03T19:12:41.177+00:00

    hello. thanks for the reply. the other device which has BitLocker enabled but not via MECM opens the encrypted drive after passphrase and an unencrypted drive without passphrase. Both times the other laptop can delete and add and edit files on the drive. as soon as the usb drive gets inserted into original laptop it becomes essentially write-protected. both laptops are Windows 20H2. both laptops are patched to latest. laptop is restarted each day.

    73864-image.png

    0 comments No comments

  2. Jenny Feng 14,096 Reputation points
    2021-03-04T06:47:33.92+00:00

    @Jeffrey Tucker
    Hi,
    Run the gpedit.msc and navigate to:

    Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Drives |
    Please check the setting for "Deny write access to removable drives not protected by BitLocker" set to Enable. Change to disable. That will also stop the system from asking to encrypt the drive every time you plug it in.
    Hope above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. Jeffrey Tucker 341 Reputation points
    2021-03-05T12:38:30.277+00:00

    hello @Jenny Feng

    thanks for the reply. i am not really trying to disable the encryption. my issue is when i do encrypt the drive and put files on the drive, it only works while it is plugged in the first time. to get it to work again i have to encrypt it all over again on the original laptop. i have to do this each time i want to copy files to the drive from the original laptop. if i try it on another laptop, it all works as expected. it seems to be the opposite of what it should be. whey would i not be able to manipulate files with the laptop that did the original encryption?

    thanks again

    0 comments No comments

  4. Jeffrey Tucker 341 Reputation points
    2021-03-05T13:51:33.86+00:00

    i did some testing and now with the current local policy settings i am able to work with the encrypted drive. great. but now i am not prompted to encrypt new drives.

    74776-image.png

    0 comments No comments