At a customer this week, where BitLocker To Go is mandatory on Windows 7 machines, we discovered a problem encrypting USB memory sticks (flash drives). With the GPO settings at the customer, BitLocker To Go detects when a removable disk is plugged into the machine, and prompts the user to either encrypt the drive or mount it read-only.
When you select the option to encrypt the drive, BitLocker then encrypts the whole disk (rather than just the files). At our customer however, when doing this over VMware View 4.5 USB redirection in an RDP session, the user was rewarded with “Access Denied” instead.
With PCoIP, it worked fine. It also works fine over RDP if you are an administrator. We quickly established that what looked at first like a USB redirection issue was in fact environment-specific: we were able to encrypt the drive without issue in our test lab over both PCoIP and RDP. A day or so of fun inside Process Monitor and the (non-obvious) answer was found:
Set a DWORD called
with the value
Fortunately there’s a corresponding GPO setting for this: Go to Computer Configuration > Administrative Templates > System > Removable Storage Access > All Removable Storage and set Allow direct access in remote sessions to Enabled.
We set that, rebooted and BitLocker then worked fine. PCoIP seems to be unaffected by this issue, likely because it’s not a remote session/separate session in the same way an RDP session is.
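As an added check (not part of the original post), the PowerShell below lets a helpdesk or VDI engineer confirm on a given Windows 7 session whether the policy has actually landed and whether the session is the kind that needs it. The registry location and value name are an assumption on my part, taken from the ADMX mapping I believe corresponds to "All Removable Storage: Allow direct access in remote sessions"; the post itself does not state them, so verify against your own environment before relying on it.

```powershell
# Added example, not from the original post: report whether the
# "Allow direct access in remote sessions" policy is in effect on this
# machine and whether we are in the kind of session it matters for.
# ASSUMPTION: this key/value is what the GPO named in the post writes.
# Confirm with Process Monitor or gpresult in your own environment.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$policyValue = 'AllowRemoteDACAccess'   # assumed name; DWORD 1 = Enabled

function Get-RemovableRemoteAccessPolicy {
    # Get-ItemProperty returns $null when the key or value is absent,
    # which for a policy value means "Not configured".
    $item = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return New-Object PSObject -Property @{ Configured = $false; Enabled = $false; Raw = $null }
    }
    $raw = $item.$policyValue
    New-Object PSObject -Property @{ Configured = $true; Enabled = ($raw -eq 1); Raw = $raw }
}

function Get-SessionKind {
    # SESSIONNAME is "Console" for the local/console session and
    # "RDP-Tcp#N" inside an RDP session. PCoIP sessions typically
    # present as the console session, which matches the post's
    # observation that PCoIP was unaffected.
    $name = $env:SESSIONNAME
    if ($name -like 'RDP-Tcp*') { return 'RDP' }
    elseif ($name -eq 'Console') { return 'Console' }
    else { return "Other ($name)" }
}

$policy  = Get-RemovableRemoteAccessPolicy
$session = Get-SessionKind
$state   = if ($policy.Enabled) { 'Enabled' } else { 'Disabled / Not configured' }

Write-Host ("Session type                 : {0}" -f $session)
Write-Host ("Policy value present         : {0}" -f $policy.Configured)
Write-Host ("Direct access in remote sess.: {0}" -f $state)

if ($session -eq 'RDP' -and -not $policy.Enabled) {
    Write-Warning 'BitLocker To Go full-volume encryption of a redirected USB drive is expected to fail with "Access Denied" in this session.'
}
# If the value is missing, run "gpresult /r" to see whether the GPO is
# linked to this machine at all, then "gpupdate /force" and reboot.
```

Run it inside the RDP session that is failing. If the script reports an RDP session but the policy is not enabled, the GPO has not reached the machine (OU scoping, filtering or a missing reboot) rather than BitLocker being at fault. Note that this policy deliberately relaxes a restriction: it grants remote (RDP) sessions the same direct, whole-volume access to removable disks that a console session has, which is exactly what BitLocker needs but is also broader than file-level redirection, so scope the GPO to the VDI pool that needs it rather than the whole domain.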
Credit for the hard work goes to my colleague Reno Finch. Well done, Reno.
Ian works for Virtual Clarity who consult on enterprise scale virtualisation.