This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 15%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Hello All, I have Bitlocker deployed on fixed drives without any issues. However I am challenged by the USB drives policy. One is when USB drive is encrypted, the recovery key does not seem to get saved in AD. Possibly I am missing something and cannot find where it is stored. Other drives recovery keys get saved to the computer object. I even was able to procure some Apricorn hardware encrypted drives for testing. I was hoping to allow only these drives and disallowing all others. Is this possible? If I am able to get the recovery keys saved to AD, I would be able to use and sort of drive. Essentially use our drive or nothing would work too. Any advice? Thank you.
Besides you current GPO settings:
Navigate to:
Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives.
Find the policy Choose how BitLocker-protected removable drives can be recovered.
Enable the policy and check the options Save BitLocker recovery information to Active Directory Domain Services, and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives.
Update Group Policy settings with gpupdate /force
About your concern:
allow only Apricorn hardware encrypted drives and disallowing all others
Unfortunately, We can’t achieve it only use Windows built-in configurations or features. I ever used Symantec for allowing specific USB device and blocking all other USB devices, which can recognize USB device by their hardware ID.
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Teemo Tang - Thanks for the reply. I marked this as answer. I had the settings you recommended already in place and did not know whey it did not work before. This is why I posted the question here. This morning I applied the GPO to my test computer OU. Then I inserted a fresh USB drive and was prompted to encrypt. When the process was finished, I took a look at the parent computer object. Low and behold there was a key for recovery. Anyway thanks.
You are welcome.