Domain Group Policies fail to apply on DeviceLock controlled computers
DESCRIPTIONChanges in Administrative Templates on a Domain Group Policy are failing to apply on client machines with DeviceLock installed.
COMMENTSSuch issue may indicate that DeviceLock Service on clients is running with Windows BitLocker To Go integration enabled.
If integration with Windows BitLocker To Go is enabled, the "Deny write access to removable drives not protected by BitLocker" policy setting (located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives) is set to DISABLED.
With BitLocker integration enabled DeviceLock Agent keeps this option from any changes on local computer, thus any group policy which has the conflicting value for this option will not be applied on the computer.
RECOMMENDATIONSPlease make sure to explicitly DISABLE "Windows BitLocker To Go" integration under DeviceLock Service Options-> Encryption-> section in the existing DeviceLock group policy, or in DeviceLock Service Settings file if group policies are not used.
"Not Configured" setting in the policy means that DeviceLock Service will use the default value for unconfigured option which is "Enabled" for Integration flag on all supported encryption products.