This tutorial will show you how to configure a Group Policy that forces BitLocker encryption on removable USB drives, using a Windows 2012 server.

Data on a lost or stolen USB drive is readable by anyone who picks it up; forcing BitLocker To Go on removable drives means domain computers refuse to write to a drive until it is encrypted.

The domain controller is running Windows 2012 R2.

The domain computers are running Windows 10 Enterprise and Windows 7 Enterprise.


Tutorial - Creating the GPO to Force USB Drive Encryption

The following tasks were executed on a domain controller running Windows 2012 R2 with Active Directory.

Click on the Start menu, locate and open the Group Policy Management tool.


On the Group Policy Management screen, locate the folder named Group Policy Objects.

Right-click the Group Policy Objects folder and select the New option.


Enter a name for your new policy.


In our example, the new GPO was named: FORCE USB ENCRYPTION.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.


On the Group Policy Editor screen, you will see two sections: User Configuration and Computer Configuration.

We will change only the Computer Configuration; the User Configuration stays untouched, because BitLocker drive policies are computer settings.

On the Group Policy Editor screen, expand the Computer Configuration folder and navigate to the following path:

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption

Access the folder named Removable Data Drives.


On the right, the list of available configuration options will be presented.


First, let's deny write access to USB storage devices that are not encrypted.

Double-click the configuration item named: Deny write access to removable drives not protected by BitLocker.

On the configuration item screen, select the Enabled option.

Leave the sub-option "Do not allow write access to devices configured in another organization" unchecked unless you have also configured the BitLocker identification field policy; otherwise drives encrypted by a partner organization become read-only on your computers.


If you also want computers running earlier versions of Windows (Windows XP and Windows Vista) to be able to read the encrypted drives, enable a second setting.

Double-click the configuration item named: Allow access to BitLocker-protected removable data drives from earlier versions of Windows.

On the configuration item screen, select the Enabled option. Note that this only allows earlier Windows versions to unlock and read FAT-formatted drives through the BitLocker To Go Reader; it does not let them write to the drives.

Each setting is saved to the GPO as soon as you click OK on its configuration screen.

Once both settings are configured, close the Group Policy Editor window to finish the group policy creation.

Tutorial - Applying the GPO to Force USB Drive Encryption

You have finished the creation of the USB encryption GPO.

But you still need to link your new Group Policy so that it applies to computers.

On the Group Policy Management screen, right-click the desired Organizational Unit (or the domain root) and select the option Link an Existing GPO.


In our example, we are going to link the group policy named FORCE USB ENCRYPTION to the root of our domain named TECH.LOCAL.
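The same GPO can be created, configured and linked from PowerShell with the GroupPolicy module, which is handy when you manage several domains or want the settings in version control. This is an added example and not part of the original tutorial; the GPO name and the domain TECH.LOCAL come from the tutorial, the domain root DN `DC=tech,DC=local` is the corresponding distinguished name, and the registry value names are the ones the BitLocker administrative template writes for these settings. Run it on the domain controller (or a machine with RSAT) as a Domain Admin.

```powershell
# Added example (not from the original tutorial): creates, configures and links the
# FORCE USB ENCRYPTION GPO with the GroupPolicy module instead of the GUI.
Import-Module GroupPolicy

$gpoName = 'FORCE USB ENCRYPTION'
$target  = 'DC=tech,DC=local'                        # root of the domain TECH.LOCAL
$fveKey  = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'    # key the BitLocker ADMX writes to

# Create the GPO only if it does not already exist (New-GPO fails on a duplicate name)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Deny write access to USB drives not protected by BitLocker'
}

# "Deny write access to removable drives not protected by BitLocker" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName 'RDVDenyWriteAccess' `
    -Type DWord -Value 1 | Out-Null

# Sub-option "Do not allow write access to devices configured in another organization".
# 0 keeps drives encrypted elsewhere writable; set 1 only together with the identification
# field policy, otherwise partner organisations' drives become read-only.
Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName 'RDVDenyCrossOrg' `
    -Type DWord -Value 0 | Out-Null

# Link the GPO to the domain root unless it is already linked there
$linked = (Get-GPInheritance -Target $target).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Print the resulting values so they can be compared with the Group Policy Editor view
Get-GPRegistryValue -Name $gpoName -Key $fveKey | Format-Table ValueName, Type, Value
```

The "Allow access from earlier versions of Windows" setting is left to the GUI step above; it is optional and only matters if Windows XP or Vista readers are still in use. Because the values are written directly under the BitLocker policy key, they show up in the editor as the normal BitLocker settings rather than as raw registry entries.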


After linking the GPO, wait 10 to 20 minutes if you have more than one domain controller.

During this time the GPO is replicated to the other domain controllers, so clients may pick up an old copy of the policy if you test too early.

Domain computers refresh Group Policy in the background roughly every 90 minutes; to apply the new policy immediately, reboot the user's computer or run gpupdate /force on it.

During the boot (or the forced update), the computer downloads and applies a copy of the new group policy.

To test the configuration, connect an unencrypted USB storage drive to the computer and try to save a file.

The computer should deny write access to the unencrypted USB storage device.

The computer should automatically offer to encrypt the USB storage device using BitLocker To Go.


After encrypting the USB storage device (with a password or a smart card), you will be able to write data to the device, and it will remain writable on any domain computer that can unlock it.
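To check the result on a workstation without waiting for the policy refresh, the following added example (not part of the original tutorial) pulls the new policy, confirms the BitLocker setting arrived in the registry, proves that writes to an unencrypted drive are rejected, and then encrypts the drive. The drive letter E: is an assumption; Get-BitLockerVolume and Enable-BitLocker need Windows 8 or later, so on the Windows 7 clients use manage-bde -status E: and manage-bde -on E: -pw instead. Run it in an elevated PowerShell session on the domain computer.

```powershell
# Added example (not from the original tutorial): client-side verification of the
# FORCE USB ENCRYPTION policy. Assumes the USB drive is mounted as E:.
$usbDrive = 'E:'

# 1. Refresh computer policy now instead of waiting for the 90-minute refresh or a reboot
gpupdate /target:computer /force | Out-Null

# 2. The GPO writes the BitLocker policy here; RDVDenyWriteAccess = 1 is the setting we need
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.RDVDenyWriteAccess -ne 1) {
    throw 'Policy not applied yet: check "gpresult /r /scope:computer" and the GPO link.'
}

# 3. Report the current BitLocker state of the removable drive
$vol = Get-BitLockerVolume -MountPoint $usbDrive
'{0} VolumeType={1} ProtectionStatus={2} Encrypted={3}%' -f `
    $vol.MountPoint, $vol.VolumeType, $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.ProtectionStatus -eq 'Off') {
    # 4. Prove the policy is enforced: a write to the unprotected drive must fail
    try {
        Set-Content -Path "$usbDrive\policy-test.txt" -Value 'test' -ErrorAction Stop
        Write-Warning 'Write succeeded on an unencrypted drive: the policy is NOT enforced.'
    } catch {
        'Write denied on the unencrypted drive, as expected.'
    }

    # 5. Encrypt it with BitLocker To Go using a password protector.
    #    The password is prompted for so the secret never sits in the script or the history.
    $drivePassword = Read-Host -Prompt 'Password for the USB drive' -AsSecureString
    Enable-BitLocker -MountPoint $usbDrive -PasswordProtector -Password $drivePassword `
        -UsedSpaceOnly | Out-Null

    # Once ProtectionStatus is On, the same write succeeds
    (Get-BitLockerVolume -MountPoint $usbDrive).ProtectionStatus
}
```

If step 2 throws, look at gpresult /r /scope:computer: the GPO is either not yet replicated to the domain controller the client talks to, not linked to an OU that contains the computer object, or blocked by a WMI or security filter. Keep in mind that the policy denies writes but does not encrypt anything by itself: if a client edition cannot run BitLocker To Go, users on that client lose USB write access entirely.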