How to Prevent Users From Using Un-Encrypted External Drives via Group Policy

Preventing users from disabling BitLocker on external drives lets you control how users remove data from their corporate device. At the same time, you can prevent users from using unencrypted external drives altogether.

Prevent users from writing data to removable drives

The first step is to prevent users from writing data from their corporate device to a portable drive that is not protected by BitLocker.

  1. Open Group Policy, create a new policy that is linked to the OU your protected computers are members of, and name it something meaningful such as ‘Removable drive protection policy’.
  2. Navigate to the following policy location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drive
  3. Select the policy Deny write access to removable drives not protected by BitLocker and set it to Enabled.
      1. With this enabled, all removable data drives that are not protected by BitLocker will be mounted read-only.

Once this policy is in place you have protected your environment from the risk of data being transported on un-encrypted devices.

Allow users to setup BitLocker on their own portable drive

Depending on your internal procedures it may be important to allow users to BitLocker their own devices. Not only will they then be responsible for managing their own drive, it will also remove a lot of the burden from the IT department. Ensure you have a well documented password policy for users who are likely to store their BitLocker password in an insecure location.

  1. Navigate to the following policy location: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drive
  2. Select the policy Control use of BitLocker on removable drives
  3. Select the check box next to Allow users to apply BitLocker protection on removable data drives

And it is as simple as that. Once these policies are in place, users will be able to encrypt their own portable drive, and will be prevented from copying data to it until they have done so.
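To confirm on a client that both settings above have actually arrived, the following PowerShell audit script is an added example (not part of the original article). It assumes that the two policies write the registry values RDVDenyWriteAccess, RDVConfigureBDE and RDVAllowBDE under the FVE policy key, and that the BitLocker PowerShell module is installed.

```powershell
# Added example: audit a client for the two removable-drive BitLocker policies
# described above and report the state of any removable drives attached.
# Run in an elevated session on a domain-joined client after 'gpupdate /force'.
# Assumption: these settings write the DWORD values RDVDenyWriteAccess,
# RDVConfigureBDE and RDVAllowBDE under HKLM:\SOFTWARE\Policies\Microsoft\FVE.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# Map each policy setting to the registry value that backs it and the expected value.
$expected = @(
    @{ Name  = 'Deny write access to removable drives not protected by BitLocker'
       Value = 'RDVDenyWriteAccess'; Want = 1 },
    @{ Name  = 'Control use of BitLocker on removable drives (Enabled)'
       Value = 'RDVConfigureBDE';    Want = 1 },
    @{ Name  = 'Allow users to apply BitLocker protection on removable data drives'
       Value = 'RDVAllowBDE';        Want = 1 }
)

foreach ($item in $expected) {
    $actual = if ($policy) { $policy.($item.Value) } else { $null }
    $state  = if ($actual -eq $item.Want) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $item.Name
}

# Under the deny-write policy, a removable drive without BitLocker protection is
# mounted read-only; show what the policy will do to each drive that is attached.
$denyWrite = ($policy -and $policy.RDVDenyWriteAccess -eq 1)

Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $mount     = "$($_.DriveLetter):"
        $bl        = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $protected = ($bl -and $bl.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Drive       = $mount
            Label       = $_.FileSystemLabel
            BitLocker   = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
            Protection  = if ($protected) { 'On' } else { 'Off' }
            WriteAccess = if ($protected -or -not $denyWrite) { 'Read/Write' }
                          else { 'Read-only (policy)' }
        }
    } | Format-Table -AutoSize
```

A MISSING line for the first setting while drives still report Read/Write is the usual sign that the GPO is linked to the wrong OU or has not yet refreshed on the client.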