MBAM: encryption of external device not possible
Hello everyone,
we have set up MBAM in our test environment. The encryption of the OS drive on the client machine works fine, but it is not possible to encrypt an external device.
Our MBAM Group Policy for "Removable Drive" is:
Control use of BitLocker on removable drives: Enabled
Allow users to apply BitLocker protection on removable data drives
Allow users to suspend and decrypt BitLocker protection on removable data drives
Configure use of passwords for removable drives: Enabled
Require password for removable drive
Allow password complexity
Minimum password length for removable data drive: 8
If I select the removable drive in the Windows Explorer - right mouse click, there is no entry "BitLocker Encryption Options" like on the OS drive.
In the "Control Panel" - "BitLocker Encryption Options", under "BitLocker Drive Encryption - External drives" the following text is displayed: "E: Encryption Off".
Additional info:
I have hidden the original BitLocker Control Panel item (Group policy: User Configuration - Policies - Administrative Templates - Control Panel - "Hide specified Control Panel item: "Microsoft.BitLockerDrive Encryption").
Also I have set the following registry key on the MBAM Server:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"DisableMachineVerfication"=dword:0000000
Thanks a lot for your help!
Regards,
Renate
June 13th, 2012 10:28am
Hello,
I found the advice in another thread, that it is necessary to set the following in the MBAM group policy for "Removable Drive":
Deny write access to removable drives not protected by BitLocker: Enabled
It seems like this setting is necessary, so that the BitLocker encryption starts for the external device.
But is there no possibility to not force the user to encrypt his drive, but to let him choose if he wants to or not?
Regards,
Renate
June 14th, 2012 4:07am
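An added example, not part of the thread: a PowerShell check to run on the client to see which of the removable-drive policies named above actually arrived in the registry. It assumes the MBAM template writes the standard BitLocker policy values (the `RDV*` names under the `FVE` policy keys) and uses drive letter `E:` from the first post.

```powershell
# Added example: list the removable data drive (RDV*) BitLocker policy values
# present on this client. Run from an elevated PowerShell prompt.
# Assumption: the MBAM GPO template sets the standard BitLocker policy values.
$fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fveDeny = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

$settings = @(
    @{ Path = $fve;     Name = 'RDVConfigureBDE';         Policy = 'Control use of BitLocker on removable drives' }
    @{ Path = $fve;     Name = 'RDVAllowBDE';             Policy = 'Allow users to apply BitLocker protection' }
    @{ Path = $fve;     Name = 'RDVDisableBDE';           Policy = 'Allow users to suspend and decrypt' }
    @{ Path = $fve;     Name = 'RDVPassphrase';           Policy = 'Configure use of passwords for removable drives' }
    @{ Path = $fve;     Name = 'RDVEnforcePassphrase';    Policy = 'Require password for removable drive' }
    @{ Path = $fve;     Name = 'RDVPassphraseComplexity'; Policy = 'Password complexity' }
    @{ Path = $fve;     Name = 'RDVPassphraseLength';     Policy = 'Minimum password length' }
    @{ Path = $fveDeny; Name = 'RDVDenyWriteAccess';      Policy = 'Deny write access to unprotected removable drives' }
)

$report = foreach ($s in $settings) {
    # A missing key or value means the policy never reached this machine.
    $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($s.Name) } else { $null }

    [pscustomobject]@{
        Policy    = $s.Policy
        ValueName = $s.Name
        Data      = if ($null -eq $value) { 'not configured' } else { $value }
    }
}

$report | Format-Table -AutoSize

# Current protection state of the removable drive itself.
manage-bde -status E:
```

Comparing the output before and after `gpupdate /force` shows whether a change to the GPO has reached the client.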