question

4 Votes
JulianFloyd-5310 asked ·

Bitlocker - "Turn on Bitlocker" vanished for USB Drives

Hello,
I run Win 10 Pro machines both at work (on a Domain) and Home (standalone machines) - both situations have the same problem. All machines are 2004 with the latest patches.

Until recently I could bitlocker Encrypt external USB Drives (memory sticks etc) by either the "Turn on Bitlocker" option in the Explorer Context Menu or within Bitlocker in the Control panel.

This option has vanished (since the last windows updates?).

If I insert an unencrypted USB Drive there is no way to encrypt it but if I insert a previously encrypted drive then the "Manage Bitlocker" option is present in the context menu.

Does anyone know how to get back the facility to encrypt such drives?

Thanks,
Julian

windows-10-general windows-10-security
· 7

Bitlocker will only work on NTFS partitions so external drives must be formatted for NTFS. If you have formatted your drive to NTFS and this is still happening, go to drive management, delete the partition and recreate it as NTFS. Then remove and plug the USB device back in to restore the option to enable Bitlocker.

File systems that utilize MBR will no longer work with Bitlocker. NTFS does not use MBR whereas Fat32 (which most sticks are defaulted to at the factory) utilizes MBR. To properly remove the MBR partition (which won't appear in disk management), deleting the partition will automatically remove the MBR from the device. The default Windows format option does NOT do this as it doesn't delete partitions, it merely formats them, thus often preserving the MBR even if it's not being used.

2 Votes 2 ·

Windows pcs get the USB software/hardware by installing the pc chipset driver/software, this also runs networking/video-audio/etc, get the update thru the pc mfg or the pc hardware mfg (Intel-AMD-etc). Also, Bitlocker settings can be had by open cmd, in cmd type: services.msc
in msc, scroll to a service, double click, set to auto start or manual start up, exit msc when thru. Also, in run or cmd type: diskmgmt.msc in msc L.click on a device, go up to Actions/all/make active. This lets all/any storage device to work with the OS. Also, with all/most current OS, a disk mgmt software is usually pre installed, Intel runs Intel Storage Mgr, or Intel storage matrix, go to intel.com for a update, but 1st run the chipset software/driver...

0 Votes 0 ·

Hi, @JulianFloyd-5310
Was the issue resolved?
If any reply is useful for you, please accept it as answer.
If you have any issue or concern, please reply to us directly.
Best Regards.

0 Votes 0 ·
0 Votes
DaleKudusi-MSFT answered ·

Hi,
Please first check whether your external hard drive is in the supported list:
The following table details which disk configurations are supported by BitLocker and what are not supported.
Drive configuration:
Supported:

  • Basic volumes

Not supported:

  • Software-based RAID systems

  • Bootable and non-bootable virtual hard disks (VHDs)

  • Dynamic volumes

  • RAM disks

Then, please make sure following group policy is enabled to allow Bitlocker to protect your removable data drive:
Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data drives\Control use of Bitlocker on removable drives

Enable and check on "Allow users to apply BitLocker protection on removable data drives"

Best regards.

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 1 ·

Dale, your advice isn't going to fix this issue.

The user has to change their device from the standard MBR partition format to the UEFI format. You must be on a UEFI based Windows installation, delete the partition of the external storage device and create a new partition using this format which removes MBR.

Bitlocker no longer works with MBR

0 Votes 0 ·
0 Votes
Bagitman-1090 answered ·

Julian, please try the command line to encrypt these drives:
manage-bde -on x: -used -rp -pw

· 2 ·

That's interesting!
Thanks Bagitman-1090, I had not thought to try that.
Testing with the same USB Memory stick - no "Turn on Bitlocker" in the Explorer context menu or in Bitlocker in the Control Panel, but the PowerShell (elevated) command line works - even more strange, the context menu then contains the "Manage Bitlocker" options.
Reformat and repeated with the same results.
I will test on my work machines tomorrow - anyone have an explanation?
Thanks,
Julian

0 Votes 0 ·

Hi,
might check following GPO setting
Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data drives\Control use of Bitlocker on removable drives

Best regards.

0 Votes 0 ·
0 Votes
TonyHamori-6747 answered ·

Hi DaleKudusi-MSFT, I have Win10 Pro on my laptop. I've tried your suggestion of editing the policy and Bitlocker remains grayed out. Not working. Thanks

·
0 Votes
JamesonP-9248 answered ·

Same issue on both Windows 10 1909 and 2004. No longer an option to right click and "turn on bitlocker" in the Windows Explorer context menu.

This needs to be escalated to Microsoft Engineers immediately.

· 2 ·

Thanks for confirming this issue - can't find much on the web.

0 Votes 0 ·

Hello,
Did you get any feedback from MS, are they going to fix it with the next CU?
Cheers

0 Votes 0 ·
13 Votes
JulianFloyd-5310 answered ·

A friend at work discovered the following:
Insert the USB stick in question - In Disk Manager right click on the partition and Delete Volume then New Simple Volume. After this the Explorer Context menu has the Turn on Bitlocker function.
We tested on a few work machines and it worked - however, you need admin rights and our users at work don't!
Does this help anyone diagnose the issue?
Thanks,
Julian

· 4 ·

I discovered this workaround today as well.

The only step you are missing is after formatting in Disk Management, you need to physically disconnect and reconnect the removable drive. Then the "Turn on Bitlocker" button appears in the Explorer context menu.

6 Votes 6 ·

Thank you!

1 Vote 1 ·

Perfect! Thank you so much :)

1 Vote 1 ·

Many Many Thanks JulianFloyd-5310....

It worked for me as well...

Have a nice day.....

1 Vote 1 ·
0 Votes
TonyHamori-6747 answered ·

Thanks JulianFloyd but I did that and only made my USB unrecognizable now. I'm obviously not as tech savvy as most. Frustrating....

·
0 Votes
JMpofu-5147 answered ·

In Windows 10 the issue is being caused by an update from Microsoft:

Issue is being caused by a windows update
https://support.microsoft.com/en-us/help/4577668/windows-10-update-kb4577668

We have uninstalled the update and escalated to Microsoft support

· 1 ·

Did you receive an answer from MS?

As you also stated. This is an issue with this:
55550-image.png



Because there is an active partition we are not allowed to enable bitlocker. And as our users are not local administrators they are not able to resolve this themselves.

0 Votes 0 ·
5 Votes
McK-4268 answered ·

Hello,

As far as I know, the Windows Update KB4577668 is causing this problem on Build 1809 (Pointed out by JMpofu-5147) and the Windows Update KB4577671 is causing it on Build 1909. An uninstall of these updates should resolve this problem temporarily, though the side effects doing so are not known right now.

I have some temporary workarounds for those who are not able to uninstall these updates.
It should be noted that admin privileges are required for both of these workarounds.

Workaround 1:
As already stated by JulianFloyd-5310, one solution is to delete the volume of the desired drive in Disk Management and then create a volume again. After that you need to plug the USB drive out and in again. The BitLocker option should show up in the context menu of the USB drive after that.

Workaround 2:
Another solution is done with diskpart. Use this solution if you want to keep the contents of your USB drive.
Simply open a new cmd, type in diskpart and confirm the admin prompt. In diskpart type in "list disk" and locate your USB drive. Select your USB drive with "select disk ###" (replace "###" with the desired number). Then type in "list partition" and select the primary partition with "select partition ###". After selecting both disk and partition, type in "inactive". Your drive should be set to inactive now and after plugging the USB stick out and in again, the BitLocker option should be available again.


I hope these infos and instructions help future victims of this problem.

Regards,
McK

· 7 ·
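
The check behind Workaround 2, as an added PowerShell example that is not part of McK-4268's post: it lists every USB disk with its partition style, the Active flag the thread identifies as the blocker, and the BitLocker status, and clears the flag only when asked. The `-ClearActive` switch name is an assumption made for this example; the script must be saved as a `.ps1` file and run elevated, like the workarounds above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit USB disks for partitions marked Active and
# optionally clear the flag (same effect as diskpart's "inactive").
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ClearActive   # hypothetical switch name; without it the script only reports
)

$report = @(foreach ($disk in Get-Disk | Where-Object BusType -eq 'USB') {
    foreach ($part in Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue) {
        # BitLocker status can only be queried for partitions with a drive letter
        $bde = $null
        if ("$($part.DriveLetter)" -match '^[A-Za-z]$') {
            $bde = Get-BitLockerVolume -MountPoint "$($part.DriveLetter):" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Disk      = $disk.Number
            Model     = $disk.FriendlyName
            Style     = $disk.PartitionStyle          # MBR or GPT
            Partition = $part.PartitionNumber
            Drive     = $part.DriveLetter
            Active    = $part.IsActive                # the flag discussed in this thread
            BitLocker = if ($bde) { $bde.VolumeStatus } else { 'n/a' }
        }
    }
})

$report | Format-Table -AutoSize

if ($ClearActive) {
    # Only MBR partitions carry the Active (boot) flag
    $flagged = @($report | Where-Object { $_.Style -eq 'MBR' -and $_.Active })
    foreach ($row in $flagged) {
        $target = "disk $($row.Disk) partition $($row.Partition) ($($row.Model))"
        if ($PSCmdlet.ShouldProcess($target, 'clear Active flag')) {
            Set-Partition -DiskNumber $row.Disk -PartitionNumber $row.Partition -IsActive $false
        }
    }
    if ($flagged.Count -gt 0) {
        Write-Host 'Unplug and reconnect the drive(s) so Explorer re-reads the partition state.'
    }
}
```

Running it with `-ClearActive -WhatIf` shows which partitions would be changed without touching them; the data on the drive is left in place, as with the diskpart steps.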

I can confirm this issue with the missing external USB drives in BitLocker still exists in Windows 10, but at least the second workaround made the trick for me, so thanks a lot McK.

0 Votes 0 ·

With some of the flash drives, even after setting the partition to inactive, they still would not bitlocker.

0 Votes 0 ·

Your workaround 2 works like a charm, it's a shame Microsoft haven't provided an update to fix this mess.

We found out that there were 2 updates that were causing 'Bitlocker To Go' to not recognize USBs on Windows 10 1909 machines: KB4577671 and KB4586786.

Has anyone heard anything from Microsoft yet regarding this issue? Could someone direct me as to how I can escalate this matter as well?

Regards,

DH

0 Votes 0 ·
McK-4268 DukeHazord-3998 ·

Hi Duke
We made an escalation back in November and just recently got an actual response. The mentioned Windows Updates blocked the option to activate BitLocker on USB-Sticks with an active partition. Here's their response:

Windows Engineering has decided to revert this change after finding out that several manufacturers are shipping USB Sticks with partitions marked as Active.

This issue should be gone after the next few updates.




0 Votes 0 ·

McK - Thanks! Workaround 2 was just what I needed!!

0 Votes 0 ·

I was having this issue on Windows 10 v. 1909.

To resolve, I used Workaround #2: launched Diskpart in an elevated cmd prompt to set the partition on the USB drive to "inactive."

As far as I could tell, KB4577671 is NOT installed on this system. I ran this command to get the full list of installed updates:

 wmic qfe list full /format:table

Could another update be causing the issue?





0 Votes 0 ·
0 Votes
ThomasHansen-2779 answered ·

Any updates on this issue? We are experiencing this as well.

It would seem that this is the update that does it:
https://support.microsoft.com/en-in/help/4577069/windows-10-update-kb4577069

57459-image.png

So removing the active setting on the partition works. But that's not a solution as non-admin users don't have access to that.

It would seem that all our new Kingston USB Sticks have an active partition from the factory.



· 1 ·

Hi Thomas

We escalated this issue back in November and Microsoft recently responded by stating the following:

Windows Engineering has decided to revert this change after finding out that several manufacturers are shipping USB Sticks with partitions marked as Active.

We should see a fix in the coming weeks.

0 Votes 0 ·
0 Votes
ThomasHansen-2779 answered ·

Hi McK-4268,

Thank you for the update. We will be looking forward to this.

I'm guessing there is not an ETA on this?

/Thomas

· 2 ·

Hi Thomas

Nope, unfortunately no ETA.

McK

0 Votes 0 ·

This really is frustrating, having looked all over the web I still can't find a proper explanation from Microsoft about why this has happened and when they will fix it! Is there anyone from Microsoft here who can help?

0 Votes 0 ·