Forcing BitLocker for USB Devices in a Domain

25 Aug

I recently had a security concern where a lot of users were happily using USB memory sticks to copy all sorts of data (personal and corporate) and would also happily leave these lying around the office or in unattended bags etc.

As an immediate fix to this we decided to enforce BitLocker for all removable devices to at least protect the data on these USB memory sticks.

There is an excellent guide here that I used as a start.

I configured the following settings via Group Policy:

  • Control use of BitLocker on removable drives: Enabled
    • Allow user to apply BitLocker protection on removable data drives: Ticked
    • Allow users to suspend and decrypt BitLocker protection on removable data drives: Ticked
  • Configure use of smart cards on removable data drives: Disabled
  • Deny write access to removable drives not protected by BitLocker: Enabled
    • Do not allow write access to devices configured in another organization: Unticked
  • Configure use of hardware-based encryption for removable data drives: Not Configured
  • Enforce drive encryption type on removable data drives: Enabled
    • Select the encryption type: Used Space Only Encryption
  • Allow access to BitLocker-protected removable data drives from earlier versions of Windows: Not Configured
  • Configure use of passwords for removable data drives: Enabled
    • Require password for removable data drive: Ticked
    • Configure password complexity for removable data drives: Require password complexity
    • Minimum password length for removable data drive: 8
  • Choose how BitLocker-protected removable drives can be recovered: Enabled
    • Allow recovery agent: Ticked
    • Configure user storage: Require 48-digit password & Do not allow 256-bit recovery key
    • Omit recovery options: Ticked
    • Save BitLocker Recovery Information: Ticked
    • Configure storage of BitLocker recovery: Backup recovery passwords only
    • Do not enable BitLocker until: Ticked

[Screenshot: bitlocker-gpo]

I had a concern over SD cards from cameras, as they cannot be encrypted, but this is fine: users can still read from the non-encrypted memory cards, they just can't write any data to them.

On a DC, you will need to add the BitLocker Recovery Password Viewer feature:

[Screenshot: features]

Recovery is also very simple. If a user forgets their password (which they will), simply insert the USB stick and select 'More Options'. You will then see an option to 'Enter the Recovery Key', and it will show the Key ID.

[Screenshot: bitlockerrecovery]

[Screenshot: bitlockerkey]

You can then go into AD and find this recovery key easily using the ID provided above:

[Screenshot: bitlockerAD]
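To confirm on a client that the Group Policy settings above actually applied, and that every protected USB stick has its recovery password escrowed in AD before anyone needs the Recovery Password Viewer, the following PowerShell audit script can be run elevated. It is an added example, not part of the original post; the registry value names under the FVE policy key are assumed from the BitLocker ADMX template and should be checked against your template version.

```powershell
# Added example (not from the original post). Audits a domain client for the
# removable-drive BitLocker policy and escrows recovery passwords to AD DS.
# Registry value names are assumed from the BitLocker ADMX template. Run elevated.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Expected values for the GPO settings used in this post
$expected = @{
    RDVConfigureBDE                 = 1   # Control use of BitLocker on removable drives: Enabled
    RDVDenyWriteAccess              = 1   # Deny write access to unprotected removable drives
    RDVEncryptionType               = 2   # Used Space Only encryption
    RDVPassphrase                   = 1   # Configure use of passwords: Enabled
    RDVEnforcePassphrase            = 1   # Require password for removable data drive
    RDVPassphraseLength             = 8   # Minimum password length
    RDVActiveDirectoryBackup        = 1   # Save BitLocker recovery information to AD DS
    RDVRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until backup succeeds
}

Write-Host "== Policy check ($fve) =="
if (-not (Test-Path $fve)) { throw "FVE policy key missing: the GPO has not applied (try gpupdate /force)" }
$actual = Get-ItemProperty -Path $fve
foreach ($name in ($expected.Keys | Sort-Object)) {
    $value = $actual.$name
    $shown = if ($null -eq $value) { '<missing>' } else { $value }
    $state = if ($value -eq $expected[$name]) { 'OK ' } else { 'BAD' }
    '{0} {1,-32} expected={2} actual={3}' -f $state, $name, $expected[$name], $shown
}

Write-Host "== Removable volumes =="
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
foreach ($vol in $removable) {
    $mp  = "$($vol.DriveLetter):"
    $blv = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $blv -or $blv.ProtectionStatus -ne 'On') {
        # Unprotected sticks stay readable but are write-denied by RDVDenyWriteAccess
        "$mp  NOT protected (read-only under policy)"
        continue
    }
    # Escrow each 48-digit recovery password protector; its ID is what the
    # recovery screen shows and what you search for in the AD viewer.
    $rp = $blv.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
        "$mp  protected; recovery password $($p.KeyProtectorId) backed up to AD DS"
    }
}
```

Backup-BitLockerKeyProtector is idempotent, so re-running the script on a machine where escrow already succeeded is harmless; a failure there usually means the computer object cannot write to AD or the schema/permissions step on the DC was skipped.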

References: