Carol Chisholm (asker):
server 2012 R2 bitlocker autounlock works on some drives and not on others

I am setting up some USB hard disks for backup on Server 2012 R2

I don't really want to bitlock the operating system disk, just the removable ones.

None of them wanted to auto-unlock.

So I ran manage-bde -autounlock -enable e:
The result was this, and autounlock is turned on.

BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key Protectors Added:
    External Key:
      ID: {302040EC-831A-4ADD-A3E2-XXXXXXXXXXX}
      External Key File Name:
        302040EC-831A-4ADD-A3E2-XXXXXXXXXXX.BEK
      Automatic unlock enabled.

Then I ran
manage-bde -autounlock -enable f:

f: is an identical external drive...

The response was
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x80310020):
The operating system drive is not protected by BitLocker Drive Encryption.

Can someone tell me why I can enable autounlock on one drive and not on the others?

noxcho:

It says in
ERROR: An error occurred (code 0x80310020):
The operating system drive is not protected by BitLocker Drive Encryption.
that the drive is not encrypted. Maybe you want first to enable BitLocker on this drive and then re-use the command again?
Carol Chisholm (asker):

Drive is encrypted. I have to put the password in each time I connect it.

Mount CapacityGB VolumeStatus           Encryption KeyProtector              AutoUnlock Protection
Point                                   Percentage                           Enabled    Status
----- ---------- ------------           ---------- ------------              ---------- ----------
E:      1,862.98 FullyEncrypted         100        {Password, RecoveryPas... False      On
As I said above the OS drive is not encrypted and I don't want to encrypt it, I want to encrypt the removable drives.
SOLUTION
McKnife:
Can you pls take a screen shot of your Windows Disk Management and post it here?
I can eject the disks, so I am pretty sure they are considered removable.
I have brought them all here to plug into a test system, so as soon as I have time (later today) I will plug them in again and do a screen shot. But they looked identical to me.
This is server 2012R2 and I will be mounting the disks on VMs so it is quite different from Windows 8.
So it's a Hyper-V guest machine you would like to connect these disks to? Sorry, but please make that clear so that we can advance. What OS does the guest run?
If you need a quick solution: mount it via script. manage-bde.exe can be used together with the recovery key to mount disks scripted.
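The scripted unlock suggested above, written out as an added example (not code from the thread or from either poster). It assumes the BitLocker PowerShell module that ships with Windows Server 2012 R2, a drive letter E: as a placeholder, and a hypothetical secret path under ProgramData. The drive's password protector is stored once as a SecureString via Export-Clixml, which DPAPI-protects it for the account that saved it, so the scheduled backup task must run as that same account; the unlock step then uses Unlock-BitLocker rather than passing the password on a manage-bde command line where it would be visible in process listings.

```powershell
# Added example, not from the thread. Placeholders: E: and the secret path.
param(
    [string]$MountPoint = 'E:',
    [string]$SecretPath = "$env:ProgramData\BackupUnlock\E.pwd.xml"   # hypothetical path
)
Import-Module BitLocker

function Save-UnlockSecret {
    # Run once, interactively, as the account the scheduled backup task will use.
    # Export-Clixml encrypts the SecureString with that user's DPAPI key, so the
    # file is useless to other accounts or on another machine.
    $dir = Split-Path -Path $SecretPath -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString |
        Export-Clixml -Path $SecretPath
    # Restrict the folder to the saving user and SYSTEM (defence in depth on top of DPAPI).
    icacls $dir /inheritance:r /grant:r "$env:USERDOMAIN\$env:USERNAME:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
}

function Unlock-BackupDrive {
    # Call at the start of the backup job; returns $true when the volume is usable.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.LockStatus -eq 'Unlocked') { return $true }
    $secret = Import-Clixml -Path $SecretPath   # throws unless run as the account that saved it
    Unlock-BitLocker -MountPoint $MountPoint -Password $secret -ErrorAction Stop | Out-Null
    return ((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked')
}

# Usage: .\unlock.ps1 once interactively to save the secret, then from the task:
# if (Unlock-BackupDrive) { <run the backup> } else { throw "E: could not be unlocked" }
```

Where autounlock does work, Enable-BitLockerAutoUnlock on the drive is simpler and avoids keeping any secret file at all; the script above is only the fallback for drives that refuse it.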
I first need to connect to the underlying OS with autounlock.
Then some of the disks will be mounted some not. But if they don't autounlock I can't mount them.

Hence my question about autounlock.

The info about Hyper-V is just because a Windows8 type workstation answer is not what I need.
It is not urgent and I know I can script it.
The offending disks are Disk 2 and Disk 3. As you can see they all look identical.
Disk 5 is the same sort of disk but it does autounlock.

If I put in the password I can use the disk...

Command line is no better.
[Attachment: Autounlock-not-available-on-E.JPG]
"The info about Hyper-V is just because a Windows8 type workstation answer is not what I need" - this means win8 is completely different here? No it is the same code as 2012 when it comes to bitlocker and it does feature hyper-V as well... anyway.
Your screenshot shows disk 3 is offline, it will not be mountable unless you set it to online. About disk2: what do you get from
manage-bde -status e:
?
Yes I know disk 3 is offline. When I put it online I get the prompt for the bitlocker password.

That's the problem.
Last screenshot is the manage-bde status of two disks (there are more).
One will autounlock, the other will not.
Tested on two different servers in two domains.
Just noticed one is not encrypted.. Will find another!
And with both disks online,
manage-bde -autounlock -enable e:
and
manage-bde -autounlock -enable f:
right now both don't work? In your first posting, you wrote e: yes, f: no, now e: has no autounlock config anymore - I guess it's a different server you connect it to, right?

Edit... so one is not encrypted? That explains a lot... ;)
Now they have all decided to work on one server. So I will take them back to the other server.

The difference between the servers is that one is  a new install and one an upgrade from 2008.
I am completely mystified. I will plug them into another server and see.
Another upgraded server.
So I guess it is OK or hardware specific.
Cat on the keyboard. Plugged them all into another upgraded server and they will all autounlock.
I have to think it is hardware or OS specific.
SOLUTION
The error message again says that it expects the OS drive to be encrypted to allow autounlock. That would mean, your drive is seen as fixed on that machine. Did you check again that it's not?
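A way to check the fixed-versus-removable question asked above on every BitLocker volume at once, as an added example (not code from the thread or from either poster). It assumes the BitLocker and Storage PowerShell modules that ship with Windows Server 2012 R2. Get-BitLockerVolume does not say directly whether BitLocker classed a data drive as fixed or removable, so the closest evidence the OS exposes is combined in one table: the logical-disk DriveType (2 = removable, 3 = fixed), the disk bus type (USB expected for these enclosures), the volume's BitLocker status and protectors, and whether autounlock is on. A drive that shows DriveType 3 on a machine whose OS volume is not protected is the situation in which manage-bde reports code 0x80310020, as in the first post.

```powershell
# Added example, not from the thread: report how this machine classifies each
# BitLocker volume so a drive seen as "fixed" instead of "removable" stands out.
Import-Module BitLocker
Import-Module Storage

function Get-BitLockerDriveClass {
    foreach ($vol in Get-BitLockerVolume) {
        $letter = $vol.MountPoint.TrimEnd('\')               # e.g. "E:"
        $ld = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$letter'"
        # Win32_LogicalDisk.DriveType: 2 = Removable Disk, 3 = Local (fixed) Disk.
        $class = switch ($ld.DriveType) {
            2       { 'Removable' }
            3       { 'Fixed' }
            default { "Other($($ld.DriveType))" }
        }
        $part = Get-Partition -DriveLetter $letter.TrimEnd(':') -ErrorAction SilentlyContinue
        $disk = if ($part) { Get-Disk -Number $part.DiskNumber }
        [pscustomobject]@{
            Mount      = $letter
            VolumeType = $vol.VolumeType                     # OperatingSystem or Data
            DriveType  = $class
            BusType    = if ($disk) { $disk.BusType } else { 'n/a' }
            Status     = $vol.VolumeStatus
            AutoUnlock = $vol.AutoUnlockEnabled
            Protectors = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        }
    }
}

Get-BitLockerDriveClass | Format-Table -AutoSize
```

Run it on the server where autounlock fails and on one where it works; if the same USB disk reports Fixed on one and Removable on the other, the difference is in how that machine enumerated the device, not in BitLocker's configuration of the volume.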
The two manage-bde above screenshots are from two drives on the SAME machine. They are done immediately after each other in the same powershell session.

What I am trying to understand is why I can manage autounlock on one drive and not on the other.

Now I have reformatted one of the problem drives and I am re-bitlocking it.

All these drives appear as USB devices. They all appear identical.
[Attachment: disk-manager-4-identical-drives.JPG]
[Attachment: 4-USB-devices-which-are-the-4-drives.JPG]
format / re-bitlock makes no difference.
How do I change these disks to removable ones?
SOLUTION
So you've decided that they are online now?
I'll just have to do more testing...
OK it is actually not a bitlocker problem but the fact that the disks get recorded as non-removable.
It is not cable related, nor USB port related, and gets worse with time.

When plugged into a desktop system (WIN8.1 update) they are always removable.

On servers it seems to be variable.

All the disks are recorded in the registry in multiple places, in old ControlSets

Still no idea how to resolve this.

I think it is more likely WD than Microsoft that is at fault.
That's what I told you, the symptoms pointed in that direction.
May I ask what the autounlocking should be good for? It won't work unless someone logs on at the console, anyway, so useless for scripted backups.
Autounlock is perfect for scripted backups - when you set up the backup you put in the password and check the autounlock.
Then that disk is automatically unlocked by the OS from then on without anyone logging on.
It means I can set up a backup and have a user rotate the disks each day.
Works perfectly except for this problem with autounlock.
Fine, I verified that and it seems the info I relied upon was wrong - autounlock requires no logon.

So, how to declare them removable? You are right, I would also ask WD. Maybe a different disk firmware will behave differently.
Not much help from WD; they work fine on Windows Server 2008R2, just not on Server 2012R2.
Tried the firmware update, or none available?
ASKER CERTIFIED SOLUTION
Well, so resign and use the workaround (automated unlock using the recovery key in a script) or call Microsoft's bug people.
Really complicated mess involving WD and MS
No consistent solution. Requires a big investment of time which I do not have at the moment