This tutorial will show you how to configure a Group Policy that forces BitLocker encryption on removable USB devices, using a Windows 2012 server.
This helps your computer environment achieve a higher security level, because data written to a USB drive can only land on a drive that is encrypted.
The domain controller is running Windows 2012 R2.
The domain computers are running Windows 10 enterprise.
The domain computers are running Windows 7 enterprise.
Tutorial – Creating the GPO to Force USB Drive Encryption
The following tasks were executed on a domain controller running Windows 2012 R2 with Active Directory.
Click on the Start menu, locate and open the Group Policy Management tool.
On the Group Policy Management screen, locate the folder named Group Policy Objects.
Right-click the Group Policy Objects folder and select the New option.
Enter a name for your new policy.
In our example, the new GPO was named: FORCE USB ENCRYPTION.
On the Group Policy Management screen, expand the folder named Group Policy Objects.
Right-click your new Group Policy Object and select the Edit option.
On the group policy editor screen, you will see a User Configuration section and a Computer Configuration section.
We will change only the Computer Configuration.
We don't need to change any User Configuration setting.
On the group policy editor screen, expand the Computer Configuration folder and, under Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, locate the folder named Removable Data Drives.
Access the folder named Removable Data Drives.
On the right, the list of available configuration options will be presented.
First, let's deny write access to unencrypted USB storage devices.
Double-click the configuration item named: Deny write access to removable drives not protected by BitLocker.
On the configuration item screen, you need to select the Enabled option.
If you also want to allow access to BitLocker-protected drives from earlier versions of Windows, double-click the configuration item named: Allow access to BitLocker-protected removable data drives from earlier versions of Windows.
On the configuration item screen, you need to select the Enabled option.
To finish the group policy creation you need to close the Group Policy editor window.
Only when you close the group policy editor window will the system save your configuration.
Tutorial – Applying the GPO to Force USB Drive Encryption
You have finished the creation of the USB encryption GPO.
But you still need to enable the use of your new Group Policy by linking it.
On the Group Policy Management screen, right-click the desired Organizational Unit (or the domain itself) and select the option Link an Existing GPO.
In our example, we are going to link the group policy named FORCE USB ENCRYPTION to the root of our domain named TECH.LOCAL.
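The creation and linking steps above can also be done from PowerShell on the domain controller with the GroupPolicy module, which is useful when the same GPO must be reproduced in several domains. The script below is an added example, not part of the original tutorial: it creates the GPO, sets the two registry-backed policy values that the two Administrative Template items write, and links the GPO to the domain root. The GPO name and the domain distinguished name come from the tutorial's example; the value name RDVDenyWriteAccess is the registry setting behind "Deny write access to removable drives not protected by BitLocker", and RDVDiscoveryVolumeType is assumed to be the value written by the "earlier versions of Windows" item, so check it against the BitLocker ADMX shipped with your domain.

```powershell
# Added example (not from the original tutorial). Run as a domain administrator on the
# Windows 2012 R2 domain controller; requires the GroupPolicy module (installed with GPMC).
Import-Module GroupPolicy

$GpoName = 'FORCE USB ENCRYPTION'              # same name used in the tutorial
$Domain  = 'DC=tech,DC=local'                  # TECH.LOCAL as a distinguished name
$FveKey  = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'   # registry path behind the BitLocker ADMX

# Create the GPO only if it does not already exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny write access to removable drives not protected by BitLocker'
}

# "Deny write access to removable drives not protected by BitLocker" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $FveKey `
    -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1 | Out-Null

# "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" = Enabled
# Assumption: value name and data taken from the VolumeEncryption ADMX; verify against your template version.
Set-GPRegistryValue -Name $GpoName -Key $FveKey `
    -ValueName 'RDVDiscoveryVolumeType' -Type String -Value '<default>' | Out-Null

# Link the GPO to the root of the domain (equivalent to "Link an Existing GPO" in the GUI).
# Skip the link if it is already there.
$linked = (Get-GPInheritance -Target $Domain).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null
}

# Print the settings that were written so they can be compared with the GUI.
Get-GPRegistryValue -Name $GpoName -Key $FveKey | Select-Object ValueName, Type, Value
```

Unlike the GUI, the cmdlets save the GPO immediately; there is no editor window to close. Replication to other domain controllers still takes time, so the waiting period described in the next section applies equally to GPOs created this way.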
After applying the GPO you need to wait for 10 or 20 minutes.
During this time the GPO will be replicated to other domain controllers that you might have.
After waiting 20 minutes, you should reboot a user’s computer.
During the boot, the computer will get and apply a copy of the new group policy.
To test the configuration, connect a USB storage drive to the computer and try to save a file to it.
Your computer should automatically deny write access to the unencrypted USB storage device.
Your computer should automatically offer to encrypt the USB storage device using BitLocker.
After encrypting the USB storage device, you will be able to write data to the device.
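A quick way to tell "the policy never arrived" apart from "the policy is applied and the drive is unencrypted" is to check the client directly rather than rely only on the save-file test. The script below is an added example, not part of the original tutorial; it runs on a domain-joined Windows 7 or Windows 10 client after the reboot described above. It reads the policy value the GPO writes, lists the GPOs applied to the computer, shows the BitLocker status of every attached volume, and then attempts a write. The drive letter E: is an assumption and must be changed to match the USB drive on your machine.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell prompt on a client.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Did the GPO registry value reach this machine? If the key is missing, the policy has not been applied yet.
$policy = Get-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
if ($policy -and $policy.RDVDenyWriteAccess -eq 1) {
    Write-Output 'Policy applied: write access to removable drives not protected by BitLocker is denied.'
} else {
    Write-Output 'Policy not present on this computer: run "gpupdate /force" or check the GPO link and replication.'
}

# 2. Which GPOs applied to the computer? FORCE USB ENCRYPTION should appear in this list.
gpresult /scope:computer /r

# 3. BitLocker status of all volumes, including removable ones.
#    manage-bde is used instead of Get-BitLockerVolume because it exists on Windows 7 as well as Windows 10.
manage-bde -status

# 4. Write test. With the policy applied, an unencrypted drive is read-only and this write fails;
#    after the drive has been encrypted with BitLocker the same write succeeds.
$TestFile = 'E:\gpo-write-test.txt'   # Assumption: E: is the removable drive; change to match your system.
try {
    Set-Content -Path $TestFile -Value 'write test' -ErrorAction Stop
    Remove-Item -Path $TestFile -ErrorAction SilentlyContinue
    Write-Output "Write to $TestFile succeeded: the drive is BitLocker-protected, or the policy is not applied."
} catch {
    Write-Output "Write to $TestFile denied: $($_.Exception.Message)"
}
```

If step 1 reports the value is present but step 4 still succeeds on a drive that manage-bde shows as unencrypted, check whether the drive is being detected as a fixed disk rather than a removable drive, since the Removable Data Drives policy does not apply to fixed data drives.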