Specifying GPO "Deny write access to removable drives not protected by BitLocker" denies write access to fixed hard drives
This is easy to repro. I have a virtual machine with Win7 32 with two hard drives (C: and D:).
If I do the following:
1. Open the group policy editor on a desktop.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Removable Data Drives
3. Enable "Deny write access to removable drives not protected by Bitlocker".
4. Reboot the desktop.
Bitlocker has mounted my D: drive as read only and I cannot figure out how to fix it. I thought that GPO would only apply to removable drives like USB drives, not fixed SCSI disks. Oddly, my C: drive remains writeable even though the hardware for the two disks is identical.
What does bitlocker (or bitlocker to go?) use to decide what needs to be encrypted? How can I make it mount my second hard drive as read/write?
Any help is appreciated.
November 16th, 2012 11:06pm
Hi,
I have had a test on my computer, but have not encountered any problem. Can you please take a screenshot of Bitlocker Encryption Options and upload it here? It will show how the system recognizes the D drive. In the meantime, please go to Device Manager to get the drive's Hardware Ids here.
Juke Chou
TechNet Community Support
November 20th, 2012 10:40am
I have the screenshots you ask for but it says I can't upload them until my account is verified. Weird. This account is tied to my bizspark MSDN license, and of course I don't see anything helpful about how to verify the account.
Here are the disk ids. I think being SCSI disks might be an important part of producing this issue.
SCSI\DiskVMware__Virtual_disk____1.0_
SCSI\DiskVMware__Virtual_disk____
SCSI\DiskVMware__
SCSI\VMware__Virtual_disk____1
VMware__Virtual_disk____1
GenDisk
November 20th, 2012 7:16pm
I found that in this two disk scenario, even if you put your page file on your D: drive, once you turn on this GPO bitlocker will still mount the disk ReadOnly causing an error message from windows about a problem creating the page file.
November 20th, 2012 7:19pm
Hi,
So the system considers the D drive as a removable data drive, right?
Best regards, Jason Mei
November 22nd, 2012 12:12pm
Yes, that's why bit locker or "bit locker to go" insists on mounting it read only when you boot.
November 28th, 2012 4:55pm
Hi,
There are two ways to solve this issue.
1. Change the D drive to a fixed disk.
2. Enable bit locker on the D drive.
Best regards, Jason Mei
November 29th, 2012 11:20am
What do you mean, fixed disk?
Disk manager says it's a basic disk, it's not dynamic or spanned or fancy in any way.
November 29th, 2012 4:43pm
Hi,
Please run "MSinfo32" on the computer and then check if the D drive is displayed as "Local fixed disk".
Best regards, Jason Mei
November 30th, 2012 1:03pm
Yes, it is displayed as a local fixed disk.
November 30th, 2012 5:19pm
Description Disk drive
Manufacturer (Standard disk drives)
Model VMware Virtual disk SCSI Disk Device
Bytes/Sector 512
Media Loaded Yes
Media Type Fixed hard disk
Partitions 2
SCSI Bus 0
SCSI Logical Unit 0
SCSI Port 2
SCSI Target ID 0
Sectors/Track 63
Size 19.99 GB (21,467,980,800 bytes)
Total Cylinders 2,610
Total Sectors 41,929,650
Total Tracks 665,550
Tracks/Cylinder 255
Partition Disk #0, Partition #0
Partition Size 100.00 MB (104,857,600 bytes)
Partition Starting Offset 1,048,576 bytes
Partition Disk #0, Partition #1
Partition Size 19.90 GB (21,367,881,728 bytes)
Partition Starting Offset 105,906,176 bytes
Description Disk drive
Manufacturer (Standard disk drives)
Model VMware Virtual disk SCSI Disk Device
Bytes/Sector 512
Media Loaded Yes
Media Type Fixed hard disk
Partitions 1
SCSI Bus 0
SCSI Logical Unit 0
SCSI Port 2
SCSI Target ID 1
Sectors/Track 63
Size 3.00 GB (3,216,084,480 bytes)
Total Cylinders 391
Total Sectors 6,281,415
Total Tracks 99,705
Tracks/Cylinder 255
Partition Disk #1, Partition #0
Partition Size 3.00 GB (3,218,079,744 bytes)
Partition Starting Offset 65,536 bytes
November 30th, 2012 5:28pm
Hi,
Does this issue happen if we enable bitlocker on the D drive?
Best regards, Jason Mei
December 6th, 2012 12:18pm
I don't see how I can encrypt just the D drive.
http://social.technet.microsoft.com/forums/en-US/itprovistasecurity/thread/ccd6e029-2c03-4da1-b459-8fba06cb2fc1
I also tried following the technet article here so I could answer your question and it tells me "this version of windows does not support this feature of bitlocker drive encryption. To use this feature upgrade the operating system" (we're running windows 7 professional).
http://technet.microsoft.com/en-us/library/cc732774.aspx
Yup and if I disconnect the D: drive and hot plug it in while windows is running the bitlocker dialog comes up and says I can only use it read only unless I upgrade windows (from Win7 Pro).
At any rate, this is not a viable solution because my organization does not *want* the hard disks on these machines encrypted, just the actual removable media.
It should be really simple. I've just got a generic virtual machine in vCenter 5.0 running windows 7 professional. I enable the GPO ("Deny write access to removable drives not protected by bitlocker") and my second hard drive (D:) can only be used read only. That's not what the GPO is supposed to do, it should only affect removable media. The end users in my environment can add and remove USB drives, it's not like they can add or remove their hard drives.
December 6th, 2012 5:31pm
Hi,
BitLocker is available in the Enterprise and Ultimate editions of Windows Vista and Windows 7. As Win 7 Pro doesn't support BitLocker and "Deny write access to removable drives not protected by BitLocker" is under the BitLocker settings, maybe this policy is incompatible with Win 7 Pro. For your requirement, we can use the policy "Removable Disks: Deny write access" under Administrative Templates, System, Removable Storage Access.
http://technet.microsoft.com/en-us/library/cc730808(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
Best regards, Jason Mei
December 7th, 2012 11:29am
Hi,
Any update?
Best regards, Jason Mei
December 14th, 2012 11:25am
I can produce this problem in Windows 7 Enterprise edition. Same steps as my first post. Same problem. The only difference is that in Windows 7 Enterprise I now can right click on my second local hard drive (D:) and "Turn on bitlocker..." is an option. Again, this is not acceptable. I shouldn't have to encrypt my second local hard drive when I turn on a GPO saying removable media has to be encrypted to enable write.
December 19th, 2012 5:24pm
Hi,
It seems the VM machine considers the second disk as a removable disk. See the link below from VMware.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012225
Best regards, Jason Mei
December 20th, 2012 11:54am
We have more testing to do but at first blush devices.hotswap = false looks like a winner
January 2nd, 2013 7:34pm
Removable Disks: Deny Write access is not working on Windows 8 Enterprise Edition 6.2 9200.
Could you please help me.
April 10th, 2013 2:39pm