Why does my Bitlocked External HDD go read-only after I unlock it?

Windows 10, AD-managed environment, WD My Passport external.

We had a new external HDD enter circulation, which per policy has to be bitlocked. This being new, policy is also that it be fully reformatted (which I did as NTFS) and then Bitlocked in Compatible mode (with password).

The individual it was issued to ran into an issue on first use: Couldn't write to it. No files could be saved there, no files could be made there.

After some initial troubleshooting, I decided maybe I'd messed something up. I reformatted it again, made sure all the permissions would allow any office user to write files (and I did test this and made a few files on the drive as my admin user and my regular user to make sure). I then bitlocked it, unlocked it, and wrote another file to it to be sure. I then removed the drive from the machine.

Before I took it to the user in question though, I thought to try it again - attached the drive, successfully unlocked, and for no discernible reason it's write only again. Files cannot be written there at all, even though it is unlocked and NTFS permissions allow for it.

Earlier troubleshooting involved having to decrypt the drive and reformat it to remove that condition; as I recall, Diskpart could select and claim to remove Write Only, but it wouldn't actually do it (drive still wouldn't accept files).

Digging around leads me nowhere; the closest I get is someone claiming a GPO that denies non-BitLockered media may be set to deny write, but that's not only not set but also nonsense in this case.

Has anyone run into this, and how did it get corrected?


Solution 1:

I have figured it out: Turns out the issue is the GPO "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".

Normally there's a red warning banner up at the top of the Password entry box for the drive decryption. This did not display when I was initially interacting with the drive. It was not until I took it to another machine that had not been involved with bitlocking that I saw it.

To get around this, you can set the drive to auto-unlock, enter the password, dismount / eject the drive in Windows, and then reattach. Seems to work just fine now.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/fb24213a-c7a7-4e4b-803c-6865ae7a91fe/bitlocker-group-policy-requires-that-for-this-drive-to-be-writable-either-autounlock-must-be-set?forum=winserver8gen
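The diagnosis and workaround in the answer, turned into a check script. This is an added example, not code from the original post or from Microsoft; it assumes the external drive is mounted as E: (hypothetical, adjust as needed), that it is run from an elevated PowerShell on the machine that will own the drive, and that the OS volume is itself BitLocker-protected (Enable-BitLockerAutoUnlock stores the data drive's key on the OS volume). It reads the registry value the FIPS GPO sets, reports the drive's BitLocker state, unlocks it with the password if needed, probes whether the volume actually accepts a file, and only if that probe fails applies the answer's workaround of enabling auto-unlock and ejecting so the drive can be reattached.

```powershell
# Added example: verify the FIPS policy / BitLocker read-only condition described above
# and apply the auto-unlock workaround. Not the original poster's script.

$DriveLetter = 'E'          # hypothetical mount point of the WD My Passport; adjust
$Mount = "$DriveLetter`:"

# 1. Is "System cryptography: Use FIPS compliant algorithms ..." enforced on this box?
#    The GPO writes HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
$fipsOn = [bool]($fips -and $fips.Enabled -eq 1)
"FIPS algorithm policy enabled: $fipsOn"

# 2. BitLocker state of the data drive: lock status, protection status, protector types,
#    and whether auto-unlock is already configured.
$vol = Get-BitLockerVolume -MountPoint $Mount
$vol | Select-Object MountPoint, VolumeStatus, LockStatus, ProtectionStatus,
                     AutoUnlockEnabled, EncryptionMethod,
                     @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
      Format-List

# 3. Unlock with the password if the drive is still locked (Unlock-BitLocker wants a SecureString).
if ($vol.LockStatus -eq 'Locked') {
    $pw = Read-Host -AsSecureString "BitLocker password for $Mount"
    Unlock-BitLocker -MountPoint $Mount -Password $pw | Out-Null
}

# 4. Writability probe: NTFS ACLs looking right is not enough, so actually create a file.
function Test-DriveWritable {
    param([string]$Letter)
    $probe = Join-Path "$Letter`:\" ".writeprobe-$PID.tmp"
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        Write-Warning "Write to $Letter`: failed: $($_.Exception.Message)"
        return $false
    }
}

if (Test-DriveWritable $DriveLetter) {
    "$Mount is unlocked and writable; nothing to do."
} else {
    # 5. The workaround from the answer: set auto-unlock, then eject and reattach.
    #    Auto-unlock binds the data drive's key to THIS machine's OS volume.
    Enable-BitLockerAutoUnlock -MountPoint $Mount | Out-Null
    "Auto-unlock enabled for $Mount (FIPS policy on: $fipsOn). Ejecting; reattach and re-run to confirm."

    # Software eject via the Shell COM object, equivalent to 'Eject' in Explorer.
    $shell = New-Object -ComObject Shell.Application
    $shell.NameSpace(17).ParseName($Mount).InvokeVerb('Eject')
}
```

Two practical caveats. Auto-unlock only helps on the machine where it was configured, because the unlock key is kept on that machine's OS volume; on any other computer the user still gets the password prompt, and the red banner and read-only behaviour the answer describes will apply again if that machine also enforces the FIPS policy. And the probe writes a real file, so run it as the account that will use the drive, not only as an admin whose ACL entries may differ.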