Posted in: Intune, Scripts/Tools

Configure This: BitLocker To Go Registry Key

BitLocker Drive Encryption (“BitLocker”) is Microsoft’s encryption software. It can encrypt the operating system drive and other internal (fixed) drives, and it is also available on Windows Server 2012 and later. For encrypting removable media there is BitLocker To Go. On the client side, BitLocker is available with the Windows 10 Pro, Education and Enterprise editions.

Microsoft provides the following selected documentation for BitLocker, and its implementation via Intune:

BitLocker General Information

BitLocker policies for Windows 10 devices managed by Intune

Managing BitLocker using the Configuration Service Provider (CSP)

BitLocker To Go FAQ (possibly the shortest FAQ in Microsoft documentation)

Troubleshooting Intune BitLocker deployment

Additional Troubleshooting tips for Intune BitLocker deployment (Thanks J.C. Hornbeck!)

As with all things Windows, BitLocker settings are controlled by Registry Keys and Values.

*OBLIGATORY REGEDIT REMINDER*

“Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.”

Now that that’s out of the way…

Microsoft and Windows are not the only software vendors that can control access to BitLocker. Third-party security software can also leverage, or even intentionally disable, BitLocker options.

And sometimes this behavior is undocumented.

I did not discover some undocumented behavior until we were transitioning Removable Media encryption from a third-party security solution to Microsoft Intune. First I removed all of the third-party’s software from my test device, then I followed all of the published Microsoft documentation to create an Intune policy requiring BitLocker encryption for removable media. I validated the successful deployment of the policy in Intune, then plugged a removable USB drive into the device and…

[Screenshot: the Windows Explorer context menu for the USB drive alongside the BitLocker Drive Encryption control panel. Operating system drive: C: BitLocker off. Removable data drives - BitLocker To Go: “Insert a removable USB flash drive to use BitLocker To Go.” No “Turn on BitLocker” entry appears in the drive’s context menu.]
BitLocker To Go Fail

Damn. My device sees and recognizes the removable media, but BitLocker doesn’t. Also, the “Turn on BitLocker” context menu entry is not available for the drive in Windows Explorer.

After some digging and some Bing searches, I was able to identify the location of some of the registry keys that control BitLocker behavior (shout-out to Shawn Brink on TenForums!).

HKLM:\Software\Policies\Microsoft\FVE

One value under this key seemed related to me:

RDVAllowBDE

Looks a bit like “Removable DriVe Allow BitLocker Drive Encryption”, but I’m sure it’s more complicated than that.

The value was set to 0. After backing up my registry, I changed the value to 1, closed the BitLocker Management window, removed and re-inserted my removable drive, and opened BitLocker Management again:

[Screenshot: the same Windows Explorer context menu, now showing “Turn on BitLocker” for the USB drive, and the BitLocker Drive Encryption control panel listing under Removable data drives - BitLocker To Go: “E: BitLocker off” with a “Turn on BitLocker” link.]
BitLocker To Go Success!

There it is!

After some further research and validation, we confirmed that our third-party software was setting this registry entry.

A PowerShell script for flipping this registry value is available in my GitHub repo at the link below.  Also posted in this repo are additional commands for creating or otherwise modifying other BitLocker registry values.

https://github.com/entish-tyler/BitLocker

# Set RDVAllowBDE (a REG_DWORD) to 1 under the FVE policy key. -Type DWord makes the
# value type explicit, so it is created as a DWORD rather than REG_SZ if it does not exist yet.
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\FVE" -Name "RDVAllowBDE" -Value 1 -Type DWord

Import BLTG-ON.ps1 into your Intune Scripts and deploy as needed. Need help with Intune PowerShell script deployment? Review this Microsoft-provided documentation and keep following Configure This!

https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
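As an added example (not the BLTG-ON.ps1 script from the repo above, and not Microsoft code), here is a fuller version of the same change suitable for an Intune script deployment: it reads the current RDVAllowBDE value (handling the case where the key or value does not exist), exports the FVE key to a .reg file first so the change can be rolled back with reg import, writes the DWORD, and verifies the result before exiting. The backup directory path and the two function names are assumptions of this example.

```powershell
# Added example: check, back up, set and verify RDVAllowBDE.
# Run from an elevated PowerShell session, or as SYSTEM via the Intune Management Extension.
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\FVE'
$ValueName = 'RDVAllowBDE'
$Desired   = 1
# Constructed backup location for this example; pick one that suits your environment.
$BackupDir = 'C:\ProgramData\BitLockerToGo-Backup'

function Get-RDVAllowBDE {
    # Returns the current value as an integer, or $null if the key or value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Backup-FVEKey {
    # reg.exe export writes a .reg file; 'reg import <file>' restores it if anything goes wrong.
    New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path -Path $BackupDir -ChildPath "FVE-$stamp.reg"
    & reg.exe export 'HKLM\Software\Policies\Microsoft\FVE' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)" }
    return $file
}

$current = Get-RDVAllowBDE
Write-Output "RDVAllowBDE before: $(if ($null -eq $current) { '<not set>' } else { $current })"

if ($current -eq $Desired) {
    Write-Output 'RDVAllowBDE is already 1; nothing to do.'
    exit 0
}

if (Test-Path -Path $KeyPath) {
    $backup = Backup-FVEKey
    Write-Output "Backed up FVE key to $backup"
} else {
    # Key absent: nothing to back up, so create it to give the value a home.
    New-Item -Path $KeyPath -Force | Out-Null
}

# -Type DWord matters: a new value written from a string would otherwise be created as REG_SZ.
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -Type DWord

$after = Get-RDVAllowBDE
if ($after -ne $Desired) {
    # Non-zero exit makes the failure visible in Intune script reporting.
    Write-Error "Verification failed: RDVAllowBDE reads '$after' after the write."
    exit 1
}
Write-Output "RDVAllowBDE after: $after. Remove and re-insert the removable drive, then reopen BitLocker Drive Encryption."
exit 0
```

Two caveats from the post itself apply to this version as much as to the one-liner: the write only sticks if the third-party product that set the value to 0 is no longer installed (it was the source of the setting in the author's case), and the BitLocker control panel does not notice the change until the removable drive is removed and re-inserted.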

COMING SOON:

A post from Configure This! co-author Winston Hinton about deploying BitLocker in MEM-CM
