“Access Denied” when encrypting a memory stick with BitLocker

At a customer this week, where BitLocker To Go is mandatory on Windows 7 machines, we discovered a problem encrypting USB memory sticks (flash drives). With the GPO settings at the customer, BitLocker To Go detects when a removable disk is plugged in to the machine, and prompts the user to either encrypt the drive or mount it read-only.

When you select the option to encrypt the drive, BitLocker then encrypts the whole disk (rather than just the files). At our customer, however, when doing this over VMware View 4.5 USB redirection in an RDP session, the user was rewarded with “Access Denied” instead.

With PCoIP, it worked fine. It also works fine on RDP if you are an administrator. We quickly established that what looked at first like a USB redirection issue was in fact environment specific. We were able to encrypt the drive without issue in our test lab over both PCoIP and RDP. A day or so of fun inside Process Monitor and the (non-obvious) answer was found:

Set a DWORD called HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\AllowRemoteDASD with the value 1.

Fortunately there’s a corresponding GPO setting for this: Go to Computer Configuration > Administrative Templates > System > Removable Storage Access > All Removable Storage and set Allow direct access in remote sessions to Enabled.

We set that, rebooted and BitLocker then worked fine. PCoIP seems to be unaffected by this issue, likely because it’s not a remote session/separate session in the same way an RDP session is.
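
As an added example (not part of the original post), this PowerShell script reads the policy value named above, reports whether the current session is a remote one, and writes the value when run with `-Enable`. The function names, the `-Enable` switch and the session check via `System.Windows.Forms` are assumptions made for illustration; only the key path and value name come from the post.

```powershell
param([switch]$Enable)

# Key path and value name are taken from the post; everything else is illustrative.
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$ValueName = 'AllowRemoteDASD'

function Get-RemoteDasdPolicy {
    # Returns the DWORD, or $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$ValueName }
    return $null
}

function Test-RemoteSession {
    # True inside an RDP / Terminal Services session.
    Add-Type -AssemblyName System.Windows.Forms
    return [System.Windows.Forms.SystemInformation]::TerminalServerSession
}

function Test-Elevated {
    # True when the current token is a member of the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Enable-RemoteDasdPolicy {
    if (-not (Test-Elevated)) { throw 'Writing under HKLM needs an elevated prompt.' }
    # Create the policy key if no removable-storage policy has been set before.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$value  = Get-RemoteDasdPolicy
$remote = Test-RemoteSession
if ($null -eq $value) { $state = 'not configured' } else { $state = "$value" }
Write-Output "AllowRemoteDASD : $state"
Write-Output "Remote session  : $remote"

if ($value -ne 1) {
    if ($remote) { Write-Output 'Policy does not allow direct removable-storage access in this remote session.' }
    if ($Enable) {
        Enable-RemoteDasdPolicy
        Write-Output 'AllowRemoteDASD set to 1. The post reports rebooting before retrying encryption.'
    }
}
```

Enabling this policy lets standard users open direct handles to removable storage from remote sessions, so scope the GPO to the machines that actually need BitLocker To Go over RDP.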

Credit for the hard work goes to my colleague Reno Finch. Well done, Reno.

Ian Gibbs

Ian works for Virtual Clarity who consult on enterprise scale virtualisation.


    Comments

    1. says

      Thank you, this solved my problem. Currently doing some self-studying of Windows 7 over an RDP session, but I discovered that some of the features taught in the exam material don’t work over an RDP session. This was one of them.

    2. BJ says

      Thanks, almost a year later, and this has answered my question about why I couldn’t get a new PC I’m setting up (via RDP from the old PC) to remember the BitLocker password for a USB drive.

      If I dive out of RDP and onto the desktop, I can force the remember the password option.

      Google pagerank kudos to you.

    3. vishvdip says

      Hi, I was using Windows 7 and I locked the D drive with BitLocker. Now I am using Windows 8, and before the system change I had unlocked my D drive turn off the BitLocker. Now in Windows 8 my access to the D drive is denied. I cannot open my D drive. Please help me out of this. Please help me…!

    4. Private says

      Thanks for posting this information – I hadn’t even considered the issue of RDP-based redirection as the problem with direct disk access!
