BitLocker and Canon USB Scanners

29 Jan

I have a BitLocker GPO set domain-wide to force encryption on USB removable devices, for obvious reasons. This all works well, although administration of the configuration is somewhat limited.

Recently we had a need for some portable scanners for a specific project. I ended up getting 4 Canon ImageFORMULA P-208II scanners, and what should have been plug and play turned into a bit of a nightmare. The scanner presents itself as a removable drive but throws an error when you try to use it.

CaptureOnTouch Lite
An error has occurred while communicating with the scanner.
Close the application and reconnect the scanner.

I discovered that with the BitLocker GPO for removable drives disabled things would work as expected, but the GPO is enforced domain-wide and there is no way of adding a GUID exception, for example. (Please add to the UserVoice thread on this and hopefully Microsoft will take note, although that has been open for quite some time now.)

With the MBAM policy templates added I could add a group of users who were exempt (not ideal of course, but the only way I can find so far to get the scanner working). Anyone who needs a scanner will need to be added to this group and then made aware that they still must encrypt their USB devices as they will no longer be forced by policy.

The exemption group, though, only makes the user exempt from encrypting fixed drives, not removable drives. For that there are a couple of registry tweaks applied by the user-specific GPO.

GPO User Configuration
RDVDenyWriteAccess, DWORD, 0
FDVDenyWriteAccess, DWORD, 0
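Because the exemption leaves those users' machines with the write-deny policy switched off, it is worth being able to see which endpoints are in that weakened state. The following PowerShell is an added example, not part of the original post: it reads the two values named above and reports whether write access to unprotected removable and fixed drives is still denied. It assumes the values live under the standard BitLocker policy key HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE, which the post does not state.

```powershell
# Added example (not from the original post). Audits the BitLocker policy values
# RDVDenyWriteAccess and FDVDenyWriteAccess and reports whether write access to
# drives not protected by BitLocker is still denied on this machine.
# Assumption: the values are stored under the standard BitLocker policy key below.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-BitLockerDenyWriteState {
    param([string]$Key = $PolicyKey)

    $valueNames = [ordered]@{
        RDVDenyWriteAccess = 'Removable drives'
        FDVDenyWriteAccess = 'Fixed drives'
    }

    foreach ($name in $valueNames.Keys) {
        $value = $null
        if (Test-Path -Path $Key) {
            $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }

        [pscustomobject]@{
            DriveClass  = $valueNames[$name]
            ValueName   = $name
            Value       = $value
            # 1 = write access denied until the drive is BitLocker-protected.
            # 0 = explicitly disabled (the state the exemption tweak above produces).
            # Absent = policy not configured on this machine.
            WriteDenied = ($value -eq 1)
            State       = if ($null -eq $value) { 'NotConfigured' }
                          elseif ($value -eq 1) { 'Enforced' }
                          else { 'Disabled' }
        }
    }
}

# Usage: run as an administrator on the endpoint being checked, or wrap the call in
# Invoke-Command to collect the result from members of the exemption group remotely.
Get-BitLockerDenyWriteState | Format-Table -AutoSize
```

A machine in the exempt group should show RDVDenyWriteAccess as Disabled; any machine outside that group showing the same state is worth a closer look, since it means the removable-drive encryption requirement is not being enforced there.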