question

0 Votes
DetalJohn-9136 asked JJones-4785 commented

Bitlocker encryption on USB only works after volume removal

Hello,

When connecting new USB sticks to a laptop, our users cannot encrypt using Bitlocker. They get the error: the drive cannot be encrypted because it contains system boot information. Create a separate partition...

This issue persists after changing from FAT32 to NTFS, quick format, full format... It's happening for all USB sticks, not one specific type.

When deleting the volume and creating a new volume in diskmgmt.msc, encryption is possible without issue. However it's not possible as administrator to do this for every USB for all users in the company. What could be causing this and how could this be resolved?

Thanks in advance.

windows-10-security

0 Votes
MTG-3890 answered

I distribute the Bitlocker-encrypted USB sticks in our company. Recently, for the first time, I had the same problem, with 2 different sticks even. I could reproduce the problem at all times on any current Windows machine (Win10 20H2).
The solution was to use diskpart clean on these devices.

The possible reason for this behavior: these sticks had been used as boot sticks for portable Linux before and had just been quick formatted which somehow left things behind that Bitlocker did not like at all.


0 Votes
DetalJohn-9136 answered JohnCromer-8408 commented

In my case the USB sticks are new out of the box and have never been used as bootable USBs. Also on some older USB devices the same issue persists...
Unfortunately, it's not possible to ask users to perform a diskpart, as they are not admins and this is too complicated and not user-friendly.
I manage 5000 users, so it's not possible to remediate each USB stick separately by myself...


Since I used BL on sticks for years and I have never had that before (although I often quick format some Linux boot stick and then bitlock it), I suspect this is a problem either with a recent Windows update of 20H2 or even with all recent Win10 versions. I took such a stick and could not reproduce the problem on an unpatched Win10 2004 (Build 19041.264).
Please try on an earlier version. Maybe together we can work out which patch introduced that behavior. I guess either the October or the November CU.

0 Votes 0 ·

My machine is on 20h2 and I can reproduce the issue, however the impacted users are still on 1903. To me this means that the issue is for all recent w10 versions.

I've checked the updates installed on those machines in the days before the issue appeared:
KB4580325
KB4577670
KB4578974
KB4517245

0 Votes 0 ·

Hi, I don't suppose you found a workable solution to this did you? I found since installing KB4577671 in October that we have this issue and the only workaround is to diskpart on the user's behalf by elevating a command prompt. November and December Windows updates have not resolved the issue.

1 Vote 1 ·

Hi, @DetalJohn-9136
Was the issue resolved?
If any reply is useful for you, please accept it as answer.
If you have any issue or concern, please reply to us directly.
Best Regards.

0 Votes 0 ·
0 Votes
MTG-3890 answered

As said, uninstall the November CU, then the October CU and reboot and test.


3 Votes
DaleKudusi-MSFT answered DetalJohn-9136 commented

Hi,
You could try using DISKPART to set the partition you wish to encrypt as INACTIVE. This will allow you to encrypt with Bitlocker. See the screenshot below, which shows marking a partition on a USB flash drive as INACTIVE.

[Screenshot: picture1.png]

Also, have you tried uninstalling the October Update in 20H2, September Update and later in 1903 as suggested above by MTG-3890?

Best regards.



Uninstalling the cumulative updates does not solve the issue. It has been ongoing for several months now. When will this be resolved?!

0 Votes 0 ·
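
The workaround from the answer above (marking the partition inactive), scripted with the Windows Storage module, as an added example that is not part of any post in this thread. It finds USB-attached MBR disks whose partition carries the active flag and clears it; the function name `Clear-UsbActiveFlag` is hypothetical, the script must run elevated (for instance from a management agent), and whether clearing the flag lifts the BitLocker error on a given build is as reported in the thread, not verified here.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Storage

# Hypothetical helper (added example): report and clear the "active" (boot)
# flag on partitions of USB-attached MBR disks.
function Clear-UsbActiveFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional: restrict to specific disk numbers as shown by Get-Disk.
        [int[]]$DiskNumber
    )

    # The active flag only exists in MBR partition tables, so skip GPT/RAW disks.
    $disks = Get-Disk | Where-Object { $_.BusType -eq 'USB' -and $_.PartitionStyle -eq 'MBR' }
    if ($PSBoundParameters.ContainsKey('DiskNumber')) {
        $disks = $disks | Where-Object { $_.Number -in $DiskNumber }
    }

    foreach ($disk in $disks) {
        $active = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
            Where-Object { $_.IsActive }

        foreach ($part in $active) {
            $cleared = $false
            $target  = "Disk $($disk.Number) ($($disk.FriendlyName)) partition $($part.PartitionNumber)"

            # -WhatIf turns this into an audit: nothing is written to the stick.
            if ($PSCmdlet.ShouldProcess($target, 'Clear active (boot) flag')) {
                Set-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -IsActive $false
                $cleared = $true
            }

            # One record per affected partition, suitable for logging or export.
            [pscustomobject]@{
                DiskNumber      = $disk.Number
                Model           = $disk.FriendlyName
                PartitionNumber = $part.PartitionNumber
                DriveLetter     = $part.DriveLetter
                Cleared         = $cleared
            }
        }
    }
}

# Audit only (lists affected sticks, changes nothing):  Clear-UsbActiveFlag -WhatIf
# Clear the flag on every affected USB stick:           Clear-UsbActiveFlag
```

Unlike `diskpart clean`, this leaves the partition and its data in place and only changes the flag.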
0 Votes
JohnCromer-8408 answered JohnCromer-8408 published

Uninstalling November, October, September update did not resolve the issue unfortunately.
Diskpart is no solution. As stated before, support cannot perform this action every time one of the 5000 users wants to encrypt a USB stick. I can remediate it with diskmgmt, but this does not resolve the issue for different USB sticks, only for the one in question.


0 Votes
CD-8826 answered

Any answer yet from Microsoft on patching this? The Diskpart solution does of course work, but it would be nice to have a more scalable answer to this issue. It also has to be manually done for each individual USB drive inserted into the machine. I haven't found any combination of installing/uninstalling updates to fix this issue. It's happening on both Win10 1909 and 2004 in my environment.


0 Votes
LennardKjartanChristensen-6213 answered CD-8826 commented

We are experiencing the same problem. If a computer has been in-place upgraded from Windows 1809 -> Windows 1909 we get the error: "The drive cannot be encrypted because it contains system boot information. Create a separate partition..." when we try to use Bitlocker on a new USB stick. After diskpart clean, we are able to use Bitlocker on the USB stick.

If we do a clean install with Windows 1909 on the same computer - we do not get the error when we try to use Bitlocker on a new USB stick.

Has anyone found a way to fix this issue without diskpart clean or doing a clean install of Windows 1909?

Update: When we inplace to Windows 10 20H2 - the issue is gone :-)


Unfortunately, we are still seeing this issue persist after doing in-place upgrades to 20H2.

0 Votes 0 ·
0 Votes
ThomasHansen-2779 answered

Any updates on this issue? We are experiencing this as well.

It would seem that this is the update that does it:
https://support.microsoft.com/en-in/help/4577069/windows-10-update-kb4577069



So removing the active setting on the partition works. But that's not a solution as non-admin users don't have access to that.

It would seem that all our new Kingston USB Sticks have an active partition from the factory.



0 Votes
DetalJohn-9136 answered WimVanHolder-7834 published

The issue is still not resolved unfortunately.


Hi,
A fix to this issue can be expected soon.
I will watch this issue closely. If there is any related update, I will let you know.
I want to thank you for your useful suggestion and patience along the way.

0 Votes 0 ·

Hello @DaleKudusi-MSFT

Any update on the fix?

Thanks

Wim

0 Votes 0 ·

0 Votes
StephanieQ-2958 answered

We are suddenly experiencing this same issue and have not yet found a resolution. I'm very interested if anyone has gotten any answers.
I've checked our environment and cannot see that the MS Update listed above is installed. We are on 1909, and fortunately don't have a significant amount of USB/External Media usage, but enough that this is a serious issue. Using DISKPART on all USB drives is definitely not a solution.
