Blog
How to Prevent Users From Using Unencrypted External Drives via Group Policy
Denying write access to removable drives that are not protected by BitLocker lets you control how users carry data off a corporate device. The same Group Policy folder also lets you decide whether users may encrypt their own drives, and whether they may turn that encryption off again, so that unencrypted external drives cannot be used for writing data at all.
Prevent users from writing data to removable drives
The first step is to stop users writing data from their corporate device to a portable drive that is not protected by BitLocker.
- Open the Group Policy Management Console and create a new GPO linked to the OU that contains the computers you want to protect. Give it a meaningful name such as ‘Removable drive protection policy’.
- Navigate to the following policy location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
- Select the policy Deny write access to removable drives not protected by BitLocker and set it to Enabled. The sub-option Do not allow write access to devices configured in another organization only works if you also publish an identification field under the BitLocker Drive Encryption folder; leave it unchecked unless you have done so.
- With this policy in place, every removable data drive that is not BitLocker-protected is mounted read-only. Users can still read from such drives but cannot copy data onto them; a drive they unlock with BitLocker To Go stays writable.
Once this policy has applied (after the next refresh or a gpupdate /force), the computers in that OU can no longer write data to removable drives that are not encrypted with BitLocker. Note that it governs removable data drives only and encrypts nothing by itself; it does not address other routes out of the machine, and it still has to be paired with a way for users to get drives encrypted, which is the next step.
Allow users to setup BitLocker on their own portable drive
Depending on your internal procedures it may be important to let users BitLocker their own drives. They then become responsible for managing their own drive, which removes a lot of burden from the IT department. Make sure you have a well-documented password policy, because without guidance users are likely to store their BitLocker password in an insecure location.
- Navigate to the following policy location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
- Select the policy Control use of BitLocker on removable drives and set it to Enabled
- Tick the check box next to Allow users to apply BitLocker protection on removable data drives. Leave Allow users to suspend and decrypt BitLocker protection on removable data drives unchecked if you do not want users turning encryption off again once a drive has been protected.
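As an added example, not part of the original post, the two settings above configured and then checked from PowerShell rather than by clicking through the editor. It assumes the RSAT GroupPolicy module on the admin workstation, a placeholder GPO name and OU distinguished name, and the registry values the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE for these policies (RDVDenyWriteAccess, RDVDenyCrossOrg, RDVConfigureBDE, RDVAllowBDE, RDVDisableBDE). Those value names are stated from memory of VolumeEncryption.admx, so confirm them against the template in your Central Store before relying on the script.

```powershell
# Added example (not from the original post): create and link the removable-drive
# BitLocker GPO, then audit the result on a client.
# Assumptions: placeholder GPO name and OU DN; registry value names as written by
# VolumeEncryption.admx (verify against your Central Store).

$GpoName  = 'Removable drive protection policy'
$TargetOu = 'OU=Workstations,DC=corp,DC=example'    # placeholder OU, change to yours
$FveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'  # where BitLocker policy settings land

function New-RemovableDriveProtectionGpo {
    param([string]$Name = $GpoName, [string]$OuDn = $TargetOu)

    Import-Module GroupPolicy -ErrorAction Stop

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # "Deny write access to removable drives not protected by BitLocker" = Enabled.
    # The "another organization" sub-option stays off: it needs an identification field.
    Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName 'RDVDenyCrossOrg'    -Type DWord -Value 0 | Out-Null

    # "Control use of BitLocker on removable drives" = Enabled: users may apply
    # protection (RDVAllowBDE) but may not suspend or decrypt it (RDVDisableBDE).
    Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName 'RDVConfigureBDE' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName 'RDVAllowBDE'     -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $FveKey -ValueName 'RDVDisableBDE'   -Type DWord -Value 0 | Out-Null

    # Link the GPO to the OU holding the protected computers, once.
    $alreadyLinked = (Get-GPInheritance -Target $OuDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) { New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null }
    return $gpo
}

function Test-RemovableDrivePolicy {
    # Run on a client after 'gpupdate /force'. Compares the applied policy values
    # against what the GPO should have set, then reports each removable volume.
    $expected = [ordered]@{ RDVDenyWriteAccess = 1; RDVConfigureBDE = 1; RDVAllowBDE = 1; RDVDisableBDE = 0 }
    $policy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        $actual = if ($policy) { $policy.$name } else { $null }
        $state  = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
        '{0,-20} expected={1} actual={2} {3}' -f $name, $expected[$name], $actual, $state
    }

    # For every removable volume with a letter: BitLocker state, and whether a write
    # succeeds. With the deny policy applied, unprotected drives should refuse the write.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mount = '{0}:' -f $_.DriveLetter
        $blv   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $prot  = if ($blv) { $blv.ProtectionStatus } else { 'Unknown' }

        $probe = Join-Path $mount ('.' + [guid]::NewGuid().ToString('N'))
        $writable = $false
        try {
            $null = New-Item -Path $probe -ItemType File -ErrorAction Stop
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $writable = $true
        } catch { $writable = $false }

        '{0} BitLocker={1} Writable={2}' -f $mount, $prot, $writable
    }
}

# Usage: New-RemovableDriveProtectionGpo on a domain-joined admin workstation,
# then gpupdate /force on a client in the OU and Test-RemovableDrivePolicy there.
```

A drive that reports Writable=True together with BitLocker=Off after the refresh means the policy has not applied to that machine (or the drive is not being presented as a removable data drive), which is exactly the case to investigate with gpresult before assuming the environment is covered.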