
Symantec Endpoint Encryption 11 BitLocker Encryption is Encrypting external USB\Removable Drives


Article ID: 164088


Products

Endpoint Encryption

Issue/Introduction

When using Symantec Endpoint Encryption 11 for BitLocker (SEE BL), all drives, whether fixed or removable, can be encrypted by BitLocker with no user password set.

As a result, external drives are encrypted and locked by BitLocker and must be unlocked by the Helpdesk. This continues until the user applies a password to their removable device.

Users cannot access their removable drives unless they have set a password for these drives themselves, and it may not be obvious how to do so.

In the BitLocker management screen in Windows, they will see that their removable drive is "Locked".

Environment

Symantec Endpoint Encryption 11 managed BitLocker client running on Windows 7 and Windows 10.

 

Cause

A BitLocker GPO must be set to Disabled to prevent encryption of removable drives.

Alternatively, a BitLocker policy can be configured in GPO to allow the use of passwords for BitLocker To Go:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\

1. Configure use of passwords for removable data drives
2. Choose how BitLocker-protected drives can be recovered

Resolution

This issue is resolved in Symantec Endpoint Encryption 11.1.3: regardless of GPO policy, the SEE BL client no longer encrypts external USB drives with BitLocker.

If upgrading is not immediately possible, follow the guidelines below.

If you do not want removable drives encrypted by BitLocker, set the following GPO to Disabled:

Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Control use of BitLocker on removable drives

If a locked drive needs to be unlocked, query the SEE database and go through the Helpdesk recovery process. This process is described in detail in the Symantec Endpoint Encryption Policy Administrator Guide, starting on page 248.

Once the drive is unlocked, have the user set a password for the BitLocker To Go removable drive.
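To confirm that the GPO has taken effect and to find removable drives that still need attention, the check below can be run on an endpoint. It is an added example, not part of the original article or of the SEE BL client. It assumes an elevated PowerShell session on Windows 10 (the `Get-BitLockerVolume` cmdlet is not available on Windows 7) and that the "Control use of BitLocker on removable drives" policy is stored as `RDVConfigureBDE` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, as defined in Microsoft's BitLocker policy template.

```powershell
# Added example: audit the removable-drive BitLocker policy and drive state.
# Assumption: the policy is backed by RDVConfigureBDE (0 = Disabled, 1 = Enabled,
# value absent = Not Configured) under the FVE policy key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fveKey -Name 'RDVConfigureBDE' -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    $policyState = 'Not Configured'
} elseif ($policy.RDVConfigureBDE -eq 0) {
    $policyState = 'Disabled'
} else {
    $policyState = 'Enabled'
}
"Control use of BitLocker on removable drives: $policyState"

# Walk every removable volume that has a drive letter and classify it.
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
$report = foreach ($vol in $removable) {
    $blv = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):" -ErrorAction SilentlyContinue
    if (-not $blv) { continue }

    # Protector details are only trusted once the volume is unlocked.
    $types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($blv.LockStatus -eq 'Locked') {
        $action = 'Locked: Helpdesk recovery required'
    } elseif ($blv.VolumeStatus -eq 'FullyDecrypted') {
        $action = 'None (not encrypted)'
    } elseif ($types -notcontains 'Password') {
        $action = 'Encrypted without a password: user must set one'
    } else {
        $action = 'None (password protector present)'
    }

    [pscustomobject]@{
        MountPoint   = $blv.MountPoint
        VolumeStatus = $blv.VolumeStatus
        LockStatus   = $blv.LockStatus
        Protectors   = $types -join ','
        Action       = $action
    }
}
$report | Format-Table -AutoSize
```

A drive reported as encrypted without a password is the state that leads to the lockout described above the next time it is inserted.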

A Feature Request has been submitted to fully support BitLocker To Go Recovery with the SEE BL client. For more information on this, see the following article:

FEATURE REQUEST: Support BitLocker on USB drives and full Helpdesk recovery for 8-bit recovery for BitLocker To Go

Attachments

symcEE_11.1.0_PolicyAdmin_en.pdf
Locked.JPG
GPO Image.JPG