
Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)

Updated: August 26, 2009

Applies To: Windows 7

This scenario describes how to configure Windows 7 Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go be used with removable data drives before data can be written to the drive.

Before you start

To complete the procedure in this scenario:

  • You must be able to provide administrative credentials.

To require BitLocker protection on data drives before permitting data to be saved on them

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

  4. To require BitLocker protection on fixed data drives before allowing users to save data to them, in the details pane, double-click Deny write access to fixed drives not protected by BitLocker to open the policy setting.

  5. Click Enabled, click Apply to apply the setting, and then close the dialog box.

  6. Restart the computer.

  7. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  8. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  9. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

  10. To require the use of BitLocker To Go on removable data drives before allowing users to save data to them, in the details pane, double-click Deny write access to removable drives not protected by BitLocker to open the policy setting.

  11. Click Enabled, click Apply to apply the setting, and then close the dialog box.

    Note
    Enabling this policy setting means that you cannot support the use of startup keys, recovery keys, or BitLocker protection of operating system drives without a TPM because these features require an unencrypted removable data drive on which to store the BitLocker key.

  12. Close the Local Group Policy Editor.

  13. If any removable drives are inserted in the computer when this policy setting is enabled, they must be removed and reinserted before this policy setting is applied to them.

By completing this procedure, you have specified Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go be used with removable data drives before data can be written to the drive. If users attempt to write data to a drive that is not protected by BitLocker, they will be prompted to turn on BitLocker.
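Once both policies are enabled and the computer has restarted, you can confirm that they have actually been applied rather than trusting the Local Group Policy Editor view. The PowerShell script below is an added verification example, not part of the original page or of Microsoft's documentation. It reads the registry values that the two "Deny write access" policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE (the value names FDVDenyWriteAccess and RDVDenyWriteAccess are taken from the BitLocker ADMX as the author of this example understands it; confirm them against VolumeEncryption.admx on your system) and then runs manage-bde -status, which ships with Windows 7, to list the protection state of every volume. Run it from an elevated prompt.

```powershell
# Added example (not from the original page): verify the two BitLocker
# "Deny write access" policies on a Windows 7 computer.
# Assumption: the policy settings map to the registry values named below
# (per VolumeEncryption.admx); confirm against your own ADMX files.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy label -> registry value name written by that policy
$checks = [ordered]@{
    'Deny write access to fixed drives not protected by BitLocker'     = 'FDVDenyWriteAccess'
    'Deny write access to removable drives not protected by BitLocker' = 'RDVDenyWriteAccess'
}

function Get-DenyWriteAccessState {
    param([string]$ValueName)

    # No FVE policy key at all means neither policy has ever been applied.
    if (-not (Test-Path -Path $policyKey)) {
        return 'Not Configured (policy key absent)'
    }

    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $value = $props.$ValueName

    if ($null -eq $value) { return 'Not Configured' }
    if ($value -eq 1)     { return 'Enabled' }
    return "Disabled (value = $value)"
}

Write-Output 'BitLocker data-drive write-access policies:'
foreach ($label in $checks.Keys) {
    $state = Get-DenyWriteAccessState -ValueName $checks[$label]
    Write-Output ('  {0,-66} {1}' -f $label, $state)
}

# manage-bde.exe is present on Windows 7; with no drive letter, -status
# reports every volume, including fixed and removable data drives, so you
# can see which ones are still unprotected and would now be read-only.
Write-Output ''
Write-Output 'Volume protection status (manage-bde -status):'
& manage-bde.exe -status
```

If a policy shows "Not Configured" even though it appears enabled in gpedit.msc, the setting has been saved to the local registry.pol but not yet applied; the restart in step 6 (or a policy refresh) is what pushes it into the registry, and removable drives must be reinserted as described in step 13 before the policy takes effect on them.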

© 2014 Microsoft. All rights reserved.