Channel: Group Policy forum

Bitlocker USB Devices


Hi,

I would like to encrypt any USB device which is attached to our domain. If they are not BitLocker or hardware encrypted, then we don't want users to copy or read any data.

I have followed this document to create a policy, but it's not working.

https://www.tenforums.com/tutorials/96998-deny-write-access-removable-drives-not-protected-bitlocker.html#option1

Then I found this article, which says that if you 

  • Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
  • Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.
  • You must enable the Provide the unique identifiers for your organization policy setting if you want to deny Write access to drives that were configured in another organization.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-driveaccess2

I have another GPO configured to BitLocker laptops only with TPM enabled, which I think is conflicting with this policy.

Can someone please point me in the right direction on how I can leave BitLocker for laptops and also encrypt USB?
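
The three conditions quoted from the Microsoft documentation in the post above can be checked on an affected laptop by reading the BitLocker policy values that Group Policy has applied. This is an added example, not part of the original post or of Microsoft's documentation; the registry paths and value names are assumptions taken from the BitLocker policy template, the mapping of "recovery keys" to the operating system drive setting is also an assumption, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Value names are assumed from the
# BitLocker ADMX template; confirm them against a gpresult /h report.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fveSys = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the setting is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RemovableDenyWriteConflict {
    if ((Get-PolicyValue $fveSys 'RDVDenyWriteAccess') -ne 1) {
        'Deny write access to removable drives not protected by BitLocker: not enabled, nothing to check.'
        return
    }
    # Startup-key options and recovery keys: 0 = do not allow, 1 = require, 2 = allow.
    # OSRecoveryKey (operating system drives) is an assumed mapping for "recovery keys".
    $mustBeDisallowed = [ordered]@{
        UseTPMKey     = 'TPM plus startup key'
        UseTPMKeyPIN  = 'TPM plus PIN and startup key'
        OSRecoveryKey = 'recovery key (operating system drives)'
    }
    foreach ($name in $mustBeDisallowed.Keys) {
        $value = Get-PolicyValue $fve $name
        if ($null -eq $value) {
            "REVIEW   $name is not configured; $($mustBeDisallowed[$name]) is not explicitly disallowed."
        } elseif ($value -ne 0) {
            "CONFLICT $name = $value; $($mustBeDisallowed[$name]) must be disallowed."
        } else {
            "OK       $name = 0"
        }
    }
    # Cross-organization deny only works when an identification field is set.
    if ((Get-PolicyValue $fve 'RDVDenyCrossOrg') -eq 1) {
        $id = Get-PolicyValue $fve 'IdentificationFieldString'
        if ([string]::IsNullOrEmpty($id)) {
            'CONFLICT RDVDenyCrossOrg = 1 but no organization identifier is configured.'
        } else {
            "OK       Organization identifier: $id"
        }
    }
}

Test-RemovableDenyWriteConflict
```

Run it from an elevated prompt after `gpupdate /force` so the values reflect the merged result of both GPOs rather than a stale policy refresh.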

