Bitlocker and USB questions

Jeffrey Tucker 341 Reputation points

Hello All, I have BitLocker deployed on fixed drives without any issues. However, I am challenged by the USB drives policy. One issue is that when a USB drive is encrypted, the recovery key does not seem to get saved in AD. Possibly I am missing something and cannot find where it is stored. Other drives' recovery keys get saved to the computer object. I even was able to procure some Apricorn hardware-encrypted drives for testing. I was hoping to allow only these drives and disallow all others. Is this possible? If I am able to get the recovery keys saved to AD, I would be able to use any sort of drive. Essentially, "use our drive or nothing" would work too. Any advice? Thank you.


Accepted answer
  1. Teemo Tang 11,021 Reputation points

    Besides your current GPO settings:
    Navigate to:
    Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives.
    Find the policy Choose how BitLocker-protected removable drives can be recovered.
    Enable the policy and check the options Save BitLocker recovery information to Active Directory Domain Services, and Do not enable BitLocker until recovery information is stored to AD DS for removable data drives.
    Update Group Policy settings with gpupdate /force

    About your concern:
    allow only Apricorn hardware encrypted drives and disallowing all others
    Unfortunately, we can't achieve it using only Windows built-in configurations or features. I once used Symantec for allowing specific USB devices and blocking all other USB devices, which can recognize USB devices by their hardware ID.



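One way to check from the client that the removable-drive policy above actually applied, push the recovery password of a drive that was encrypted before the policy reached the machine, and confirm where the key lands in AD. This is an added example, not code from the thread; it assumes an elevated PowerShell 5.1 session on a domain-joined Windows 10 client with the BitLocker module, the optional RSAT ActiveDirectory module for the last step, and `E:` as a placeholder mount point.

```powershell
#Requires -RunAsAdministrator
param([string]$MountPoint = 'E:')   # placeholder removable drive letter

# 1. Registry values written by "Choose how BitLocker-protected removable drives can be recovered".
#    If these are absent, the GPO has not reached this client and the key will not be escrowed.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = [ordered]@{
    RDVRecovery                     = 1   # policy enabled
    RDVActiveDirectoryBackup        = 1   # "Save BitLocker recovery information to AD DS"
    RDVRequireActiveDirectoryBackup = 1   # "Do not enable BitLocker until recovery information is stored to AD DS"
}
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    $state  = if ($actual -eq $expected[$name]) { 'OK     ' } else { 'MISSING' }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    '[{0}] {1} = {2}' -f $state, $name, $shown
}

# 2. A drive encrypted before the policy applied has no AD copy of its key.
#    Push every recovery-password protector on the volume to the computer object.
$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ("$($vol.VolumeType)" -ne 'Data') { throw "$MountPoint is not a data volume" }
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Write-Warning "No recovery password protector on $MountPoint; nothing to escrow."
} else {
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        "Escrowed recovery password $($p.KeyProtectorId) for $MountPoint to AD DS"
    }
}

# 3. Optional: show the msFVE-RecoveryInformation objects stored under this computer's AD object,
#    which is where the recovery keys for fixed and removable drives end up.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated |
        Select-Object Name, whenCreated
} else {
    Write-Verbose 'RSAT ActiveDirectory module not present; skipping AD verification.' -Verbose
}
```

Step 1 reads the machine's effective policy, so running it after `gpupdate /force` tells you whether the missing escrow was a policy-application problem rather than a BitLocker one.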

1 additional answer

  1. Jeffrey Tucker 341 Reputation points

    @Teemo Tang - Thanks for the reply. I marked this as the answer. I had the settings you recommended already in place and did not know why it did not work before. This is why I posted the question here. This morning I applied the GPO to my test computer OU. Then I inserted a fresh USB drive and was prompted to encrypt. When the process was finished, I took a look at the parent computer object. Lo and behold, there was a key for recovery. Anyway, thanks.