Server 2012 R2 BitLocker autounlock works on some drives and not on others

I am setting up some USB hard disks for backup on Server 2012 R2

I don't really want to bitlock the operating system disk, just the removable ones.

None of them wanted to auto-unlock.

So I ran manage-bde -autounlock -enable e:
The result was this, and autounlock is turned on.

BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key Protectors Added:
    External Key:
      ID: {302040EC-831A-4ADD-A3E2-XXXXXXXXXXX}
      External Key File Name:
        302040EC-831A-4ADD-A3E2-XXXXXXXXXXX.BEK
      Automatic unlock enabled.

Then I ran
manage-bde -autounlock -enable f:

f: is an identical external drive...

The response was
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x80310020):
The operating system drive is not protected by BitLocker Drive Encryption.

Can someone tell my why I can enable autounlock on one drive and not on the others?
Asked by Carol Chisholm.

Carol Chisholm (Author) commented:
No solution, we may know the cause, but it is very inconsistent.

noxcho (Global Support Coordinator) commented:
It says in
ERROR: An error occurred (code 0x80310020):
The operating system drive is not protected by BitLocker Drive Encryption.
that the drive is not encrypted. Maybe you want to enable BitLocker on this drive first and then run the command again?

Carol Chisholm (Author) commented:
Drive is encrypted. I have to put the password in each time I connect it.

Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
Point                                   Percentage                           Enabled    Status
----- ---------- ------------           ---------- ------------              ---------- ----------
E:      1,862.98 FullyEncrypted         100        {Password, RecoveryPas... False      On

Carol Chisholm (Author) commented:
As I said above the OS drive is not encrypted and I don't want to encrypt it, I want to encrypt the removable drives.

McKnife commented:
Carol, something is fishy. Please read http://www.eightforums.com/tutorials/21270-bitlocker-auto-unlock-turn-off-windows-8-a.html (it is for Win8, but the same for Server 2012 R2).
Quote: "To be able to automatically unlock fixed data drives, the OS drive that Windows 8 is installed on must also be encrypted by BitLocker.
Automatic unlocking for removable data drives can be selected after the drive is encrypted without requiring the OS drive to also be encrypted by BitLocker."
--
See the difference? Could it be that Windows wrongly identified one of those drives as a fixed drive? Please try to find that out. You will be able to do so by connecting it and looking at the eventually present icon in the system tray (that icon would let you eject the removable drive). Is it there? It has to be.

noxcho (Global Support Coordinator) commented:
Can you please take a screenshot of your Windows Disk Management and post it here?

Carol Chisholm (Author) commented:
I can eject the disks, so I am pretty sure they are considered removable.
I have brought them all here to plug into a test system, so as soon as I have time (later today) I will plug them in again and do a screenshot. But they looked identical to me.
This is server 2012R2 and I will be mounting the disks on VMs so it is quite different from Windows 8.

McKnife commented:
So it's a Hyper-V guest machine you would like to connect these disks to? Sorry, but please make that clear so that we can advance. What OS does the guest run?
If you need a quick solution: mount it via script. manage-bde.exe can be used together with the recovery key to mount disks scripted.

Carol Chisholm (Author) commented:
I first need to connect to the underlying OS with autounlock.
Then some of the disks will be mounted some not. But if they don't autounlock I can't mount them.

Hence my question about  autounlock.

The info about Hyper-V is just because a Windows8 type workstation answer is not what I need,

Carol Chisholm (Author) commented:
It is not urgent and I know I can script it.

Carol Chisholm (Author) commented:
The offending disks are Disk 2 and Disk 3. As you can see they all look identical.
Disk 5 is the same sort of disk but it does autounlock.

If I put in the password I can use the disk...

Command line is no better.
(screenshot attached: Autounlock-not-available-on-E.JPG)

McKnife commented:
"The info about Hyper-V is just because a Windows8 type workstation answer is not what I need" - this means Win8 is completely different here? No, it is the same code as 2012 when it comes to BitLocker, and it does feature Hyper-V as well... anyway.
Your screenshot shows disk 3 is offline; it will not be mountable unless you set it to online. About disk 2: what do you get from
manage-bde -status e:
?

Carol Chisholm (Author) commented:
[screenshot attached, not reproduced]

Carol Chisholm (Author) commented:
Yes I know disk 3 is offline. When I put it online I get the prompt for the bitlocker password.

That's the problem.

Carol Chisholm (Author) commented:
[screenshot attached, not reproduced]

Carol Chisholm (Author) commented:
Last screenshot is the manage-bde status of two disks (there are more).
One will autounlock, the other will not.
Tested on two different servers in two domains.

Carol Chisholm (Author) commented:
Just noticed one is not encrypted.. Will find another!

McKnife commented:
And with both disks online,
manage-bde -autounlock -enable e:
and
manage-bde -autounlock -enable f:
right now both don't work? In your first posting, you wrote e: yes, f: no; now e: has no autounlock config anymore - I guess it's a different server you connect it to, right?

Edit... so one is not encrypted? That explains a lot... ;)

Carol Chisholm (Author) commented:
Now they have all decided to work on one server. So I will take them back to the other server.

The difference between the servers is that one is  a new install and one an upgrade from 2008.

Carol Chisholm (Author) commented:
I am completely mystified. I will plug them into another server and see.

Carol Chisholm (Author) commented:
Wnother upgraded server.
So I guess it is OK or hardware specific.

Carol Chisholm (Author) commented:
Cat on the keyboard. Plugged them all into another upgraded server and they will all autounlock.
I have to think it is hardware or OS specific.

Carol Chisholm (Author) commented:
OK so it is a hardware or OS specific problem. The problem server is a Proliant G9 with a fresh install of 2012 R2 SP1. The other servers were a G7 and a G6 with 2012 R2 SP1 upgraded from 2008R2.

I have plugged in 4 external disks.
2 will autounlock, 2 will not, but I can unlock them by typing the password.
(screenshot attached: disk I does not allow autounlock)
Once I have unlocked manually I can run manage-bde -status:
Volume G: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password
        External Key

Volume H: [daily backup EX107 4]
[Data Volume]

    Size:                 1862.98 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Enabled
    Key Protectors:
        Password
        Numerical Password
        External Key (Required for automatic unlock)
        External Key
        External Key

Volume J: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password
        External Key
        External Key

Volume E: []
[Data Volume]

    Size:                 1862.98 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Enabled
    Key Protectors:
        Password
        Numerical Password
        External Key
        External Key
        External Key
        External Key
        External Key
        External Key
        External Key
        External Key
        External Key (Required for automatic unlock)

Volume I: [WEEK 1 VM]
[Data Volume]

    Size:                 1862.98 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password
        External Key
        External Key

So then I try to enable autounlock on I; see the second screenshot with the error about the operating system drive not being protected. However two of the 4 drives can be autounlocked.
(screenshot attached: autounlock files on one drive)
The two "good" drives can be managed:
(screenshot attached: "good" drive management)

McKnife commented:
The error message again says that it expects the OS drive to be encrypted to allow autounlock. That would mean your drive is seen as fixed on that machine. Did you check again that it's not?

Carol Chisholm (Author) commented:
The two manage-bde screenshots above are from two drives on the SAME machine. They are done immediately after each other in the same PowerShell session.

What I am trying to understand is why I can manage autounlock on one drive and not on the other.

Now I have reformatted one of the problem drives and I am re-bitlocking it.

All these drives appear as USB devices. They all appear identical.
(screenshots attached: disk-manager-4-identical-drives.JPG, 4-USB-devices-which-are-the-4-drives.JPG)

Carol Chisholm (Author) commented:
Format / re-bitlock makes no difference.
How do I change these disks to removable ones?

McKnife commented:
Carol, if you have identical disks that don't behave identically when it comes to bitlocking them, then it's either a bug in BitLocker or a hardware error on the offending disk or its connection to the system. The latter can be ruled out by
A) using the same disk on another system, and
B) using another disk on the same cable of the system that has problems.
So if it's no hardware problem, what are you gonna do about it? Call MS for a support case. We ourselves cannot convince BitLocker to operate any better, can we?

Carol Chisholm (Author) commented:
So you've decided that they are online now?
I'll just have to do more testing...

Carol Chisholm (Author) commented:
OK, it is actually not a BitLocker problem but the fact that the disks get recorded as non-removable.
It is not cable related, nor USB port related, and gets worse with time.

When plugged into a desktop system (WIN8.1 update) they are always removable.

On servers it seems to be variable.

All the disks are recorded in the registry in multiple places, in old ControlSets

Still no idea how to resolve this.

I think it is more likely WD than Microsoft that is at fault.

McKnife commented:
That's what I told you, the symptoms pointed in that direction.
May I ask what the autounlocking should be good for? It won't work unless someone logs on at the console, anyway, so useless for scripted backups.

Carol Chisholm (Author) commented:
Autounlock is perfect for scripted backups - when you set up the backup you put in the password and check the autounlock.
Then that disk is automatically unlocked by the OS from then on without anyone logging on.
It means I can set up a backup and have a user rotate the disks each day.
Works perfectly except for this problem with autounlock.

McKnife commented:
Fine, I verified that and it seems the info I relied upon was wrong - autounlock requires no logon.

So, how to declare them removable? You are right, I would also ask WD. Maybe a different disk firmware will behave differently.

Carol Chisholm (Author) commented:
Not much help from WD; they work fine on Windows Server 2008R2, just not on Server 2012R2.

McKnife commented:
Tried the firmware update, or none available?

McKnife commented:
Well, so resign and use the workaround (automated unlock using the recovery key in a script) or call Microsoft's bug people.
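An added example, not code from the thread or from Microsoft, that combines the two points raised above: it shows how Windows classes each disk (Fixed vs Removable, which decides whether auto-unlock needs the OS drive protected, the 0x80310020 error seen earlier) and falls back to the scripted unlock with the recovery password that McKnife suggests. The file path and drive letters are placeholders, and the BitLocker and Storage PowerShell modules shipped with Server 2012 R2 are assumed.

```powershell
# Added example: diagnose why auto-unlock is refused and fall back to a
# scripted unlock. Placeholder path and drive letters; run elevated.
#Requires -RunAsAdministrator
param(
    [string[]]$MountPoints = @('E:', 'F:'),
    [string]$RecoveryFile = 'C:\BackupKeys\recovery.txt'   # placeholder
)

# Auto-unlock of a FIXED data drive needs the OS drive protected; a
# REMOVABLE data drive does not. Check once how the OS drive stands.
$osProtected = [bool](Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On' })

foreach ($mp in $MountPoints) {
    $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $vol) { Write-Warning "$mp is not a BitLocker volume"; continue }

    # Get-Volume reports how the OS classes the disk (Fixed or Removable).
    $driveType = (Get-Volume -DriveLetter $mp.TrimEnd(':')).DriveType
    '{0}: DriveType={1} Lock={2} AutoUnlock={3}' -f $mp, $driveType,
        $vol.LockStatus, $vol.AutoUnlockEnabled

    if ($vol.LockStatus -eq 'Locked') {
        # Fallback: unlock with the 48-digit numerical (recovery) password.
        # Anyone who can read this file can unlock the disk, so the file's
        # ACL must allow only the backup account, and reads should be audited.
        $rp = (Get-Content -Path $RecoveryFile -TotalCount 1).Trim()
        Unlock-BitLocker -MountPoint $mp -RecoveryPassword $rp | Out-Null
    }

    if (-not $vol.AutoUnlockEnabled) {
        if ($driveType -eq 'Removable' -or $osProtected) {
            Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
            "$mp: auto-unlock enabled"
        } else {
            Write-Warning ("$mp is classed as '$driveType' and the OS drive " +
                "is not protected; auto-unlock will be refused (0x80310020)")
        }
    }
}
```

Keeping the recovery password on the backup host reduces the drive's protection to the host's file ACLs, which is the trade-off the scripted workaround makes.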

Carol Chisholm (Author) commented:
Really complicated mess involving WD and MS.
No consistent solution. Requires a big investment of time which I do not have at the moment.