When utilizing the Symantec Endpoint Encryption 11 for Bitlocker (SEE BL), all drives whether fixed or removable could be encrypted by Bitlocker with no user password set.
This is resulting in external drives getting encrypted and locked by Bitlocker that would need to be unlocked by the Helpdesk. This continues until the user applies a password to their removable device.
Users will not be able to access their removable drives if they have not set a password on their own for these drives, which may not be obvious to do.
They will see in the managed Bitlocker screen in WIndows that their removable drive is "Locked"
Symantec Endpoint Encryption 11 managed Bitlocker client running on Windows 7 and Windows 10 clients.
Bitlocker needs a GPO to be Disabled to prevent encryption of removable drives.
Alternatively, a Bitlocker policy can be configured in GPO to allow the use of passwords for Bitlocker To Go:
Computer Configuration\Policies\AdministrativeTemplates\WindowsComponents\BitLocker Drive Encryption\Removable Data Drives\
1. Configure use of passwords for removable data drives
2. Choose how bitlocker protected drives can be recovered.
This issue is now resolved in Symantec Endpoint Encryption 11.1.3 so that regardless of GPO policy, the SEE BL client will no longer encrypt external USB drives with Bitlocker.
If upgrading is not immediately possible, follow the below guidelines:
If you do not want your Removable Drives encrypted by Bitlocker please configure the following GPO to be Disabled.
Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Control use of Bitlocker on removable drives.
If you have a locked drive that needs to be unlocked you will need to query the SEE Database and go through the HelpDesk recovery process. This process is described in detail in the Symantec Endpoint Encryption Policy Administrator Guide starting on page 248.
Once the drive is unlocked please have the user set a password for the Bitlocker to Go removable drive.
A Feature Request has been submitted to fully support Bitlocker To Go Recovery with the SEE BL client. For more information on this, see the following article: