Why is BitLocker unable to encrypt Removable Drives via MBAM?
Fixed Data Drives refer to non-removable storage drives installed in a PC such as internal hard drives (HDDs) or solid-state drives (SSDs). Unlike removable drives (like USB flash drives). Fixed drives are used to store data, applications, and the operating system. In this article, we shall discuss how to resolve ‘Why is BitLocker unable to encrypt Removable Drives via MBAM?”. Please see Why does MBAM not automatically re-encrypt MBAM or Bitlocker-protected devices and how does Key Rotation work in MBAM?
It makes sense to differentiate between the Operating System Drive and Data drive. The operating System Drive is a volume where the operating system (OS) is installed. This drive contains all the necessary files for the OS to function, including system files, drivers, and core applications.
While the Data Drive is a separate storage volume used primarily for storing user data. This includes applications, and files that do not directly affect the operating system’s functionalities.
Scenario 1: OS Volume Encrypted
As you can see from the image below, the OS volume is encrypted correctly but the Removable Drive (volume E and D) are not. This is NOT an issue and does not need to be fixed as we only have policies configured for the OS drives and Data drives.
This is because, we have not configured MBAM/BitLocker polices to have removable drives encrypted.
As you can see from the Enterprise Compliance Report, there are no errors. Only the OS drive is available and encrypted.
Note: If the OS drives were encrypted and then the data drives aren’t. Then this would have been an issues and this could be as a result of the device not in contact with the domain. Re-apply GPO to fix this issue.
Please see How to prevent installation of removable devices, How to restrict access to removable Storage Drives, and how to Disable and Enable USB Usage for Certain Users in Windows.
OS Drive, Data Drive Encrypted: But not Removable Drives
Note: in the world of MBAM, the OS drives and fixed drives will be encrypted when the agent is installed. But will never encrypt external drives such as USB or hard disk etc.
The Volume E is a USB drive and as mentioned above. I have not configured Group Polices to target these external drives and have them encrypted.
Please see how to Deny execute access: Restrict Access to USB Drives on Windows, and how to link a removable media to a Deployment Share: Replicate Deployment share to a removable device.
FAQs
Does BitLocker Drive Encryption require initial encryption?
BitLocker Drive Encryption does not require a pre-installation of BitLocker on your end device. Else, the Trellix Drive Encryption will not start due to incompatibility.
What features does the Trellix Native Encryption provide?
The solution identifies unprotected Windows or Mac devices, deploys agents based on configured policies, stores audit and logging information within the MVISION ePO or McAfee ePO console, and allows you to specify new encryption policies at any organizational level to address specific use cases.
I hope you found this article very useful on “Why is BitLocker unable to encrypt Removable Drives via MBAM?”. Please feel free to leave a comment below.
