A. Windows 7 includes the BitLocker To Go functionality, which allows removable devices to be encrypted. Many organizations mandate the use of BitLocker on laptops to protect the content in case the laptop is stolen. Removable devices can be an even bigger risk, with users copying large amounts of data to small devices. If these devices are lost, they can pose a huge risk.
You can now use a Group Policy that restricts a user from writing to a USB device unless the device is encrypted with BitLocker To Go.
- Open the Group Policy Management Editor and edit a Group Policy Object that's linked to an organizational unit or domain that contains the Windows clients.
- Navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Removable Data Drives.
- Double-click Deny write access to removable drives not protected by BitLocker.
- Set this policy to Enabled. You can also configure whether users can write to devices that aren't from the local organization.
- Click OK.
- Close the Group Policy Management Editor.
This updates the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess.
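To confirm on a client that the policy has applied, the following added example (not part of the original FAQ) reads the RDVDenyWriteAccess registry value named above and lists each attached removable drive with its BitLocker protection state. It assumes an elevated PowerShell prompt, that a value of 1 means the policy is enabled, and that the Win32_EncryptableVolume WMI class is available on the client.

```powershell
# Added example: verify the policy value and audit attached removable drives.
# Run elevated; Win32_EncryptableVolume is only readable by administrators.

$key  = 'HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE'
$name = 'RDVDenyWriteAccess'

# Read the value the Group Policy setting writes (assumption: 1 = Enabled).
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop -eq $null) {
    $policy = 'not configured (value absent)'
} elseif ($prop.$name -eq 1) {
    $policy = 'enabled'
} else {
    $policy = "present but set to $($prop.$name)"
}
Write-Output "$name policy: $policy"

# Win32_LogicalDisk DriveType 2 = removable disk.
$removable = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2')

# Map drive letter -> ProtectionStatus (0 = off, 1 = on, 2 = unknown).
$bde = @{}
Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
              -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.DriveLetter) { $bde[$_.DriveLetter] = $_.ProtectionStatus } }

foreach ($disk in $removable) {
    $letter = $disk.DeviceID    # for example "E:"
    if ($bde.ContainsKey($letter)) {
        switch ($bde[$letter]) {
            0       { $state = 'BitLocker off' }
            1       { $state = 'BitLocker on' }
            default { $state = 'BitLocker status unknown (drive may be locked)' }
        }
    } else {
        $state = 'no BitLocker information reported'
    }
    New-Object PSObject -Property @{ Drive = $letter; BitLocker = $state; Policy = $policy }
}
```

If the value is absent after the GPO has been linked, run gpupdate /force on the client and check again.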