BitLocker Drive Encryption (“BitLocker”) is Microsoft’s full-volume encryption software. It can be used to encrypt OS and other internal drives, and it is available on Windows Server 2012 and later. For encrypting removable media, BitLocker To Go is available. BitLocker is available with Windows 10 Pro, Education and Enterprise editions.
Microsoft provides the following selected documentation for BitLocker, and its implementation via Intune:
BitLocker To Go FAQ (possibly the shortest FAQ in Microsoft documentation)
Additional Troubleshooting tips for Intune BitLocker deployment (Thanks J.C. Hornbeck!)
As with all things Windows, BitLocker settings are controlled by Registry Keys and Values.
*OBLIGATORY REGEDIT REMINDER*
“Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.”
Now that that’s out of the way…
Microsoft is not the only software vendor that can control access to BitLocker. Third-party security software can also leverage, or even intentionally disable, BitLocker options.
And sometimes this behavior is undocumented.
I did not discover some undocumented behavior until we were transitioning removable media encryption from a third-party security solution to Microsoft Intune. First I removed all of the third-party’s software from my test device, then I followed all of the published Microsoft documentation to create an Intune policy requiring BitLocker encryption for removable media. I validated the successful deployment of the policy in Intune, then plugged a removable USB drive into the device and…
Damn. My device sees and recognizes the removable media, but BitLocker doesn’t. Also, the “Turn on BitLocker” context menu option is not available for the drive in Windows Explorer.
After some digging and some Bing searches, I was able to identify the location of some of the registry keys that control BitLocker behavior (shout-out to Shawn Brink on TenForums!).
One parameter in this hive seemed related to me:
Looks a bit like “Removable DriVe Allow BitLocker Drive Encryption”, but I’m sure it’s more complicated than that.
The value for this was set at 0. After backing up my registry, I changed the value to 1, closed the BitLocker Management window, and removed and re-inserted my removable drive and opened BitLocker Management:
There it is!
After some further research and validation, we confirmed that our third-party software was setting this registry entry.
A PowerShell script for flipping this registry value is available in my GitHub repo at the link below. Also posted in this repo are additional commands for creating or otherwise modifying other BitLocker registry values.
# RDVAllowBDE is a DWORD policy value; -Type DWord keeps it from being created as a REG_SZ string if it does not already exist
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\FVE" -Name "RDVAllowBDE" -Value 1 -Type DWord
Import BLTG-ON.ps1 into your Intune Scripts and deploy as needed. Need help with Intune PowerShell script deployment? Review this Microsoft-provided documentation and keep following Configure This!
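As an added example (this is not the BLTG-ON.ps1 script from the post’s repo), here is a detection/remediation-style script that audits the RDVAllowBDE value described above, backs up the FVE policy key before touching it, and writes the value as a DWORD. The function names and the -Remediate switch are my own assumptions; the registry path and value name are the ones from the post.

```powershell
# Added example, not the post's BLTG-ON.ps1. Detection mode (default) exits 0 when
# RDVAllowBDE is already 1 and 1 otherwise, which is the convention Intune
# remediation scripts use; -Remediate backs up the key and sets the value.
param([switch]$Remediate)

$FvePath = 'HKLM:\Software\Policies\Microsoft\FVE'   # path named in the post
$Name    = 'RDVAllowBDE'                             # value named in the post
$Desired = 1

function Get-RdvAllowBde {
    # Returns $null when the key or the value is absent, otherwise the integer value
    $props = Get-ItemProperty -Path $FvePath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

function Set-RdvAllowBde {
    # Back up the existing policy key (reg.exe export) before changing it; create
    # the key if it is missing; write an explicit REG_DWORD rather than a string
    if (Test-Path $FvePath) {
        $backup = Join-Path $env:TEMP ('FVE-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        reg.exe export 'HKLM\Software\Policies\Microsoft\FVE' $backup /y | Out-Null
        Write-Output "Backed up FVE policy key to $backup"
    } else {
        New-Item -Path $FvePath -Force | Out-Null
    }
    Set-ItemProperty -Path $FvePath -Name $Name -Value $Desired -Type DWord
}

$before = Get-RdvAllowBde
$shown  = if ($null -eq $before) { '<not set>' } else { $before }
Write-Output "$Name before: $shown"

if ($before -eq $Desired) {
    Write-Output 'Compliant: BitLocker To Go is allowed for removable drives'
    exit 0
}

if (-not $Remediate) {
    # Detection only: report non-compliance so Intune can run the remediation pass
    exit 1
}

Set-RdvAllowBde
$after = Get-RdvAllowBde
if ($after -eq $Desired) {
    Write-Output "$Name set to $after; re-insert the removable drive and open BitLocker Management"
    exit 0
}
Write-Output "Failed to set $Name (now: $after); check whether another agent is re-applying it"
exit 1
```

If the value flips back to 0 after remediation, the third-party agent is still enforcing its own policy, so its removal (or its BitLocker setting) has to be fixed first.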
A post from Configure This! co-author Winston Hinton about deploying BitLocker in MEM-CM