Information
This policy setting specifies whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.
Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the 'Require use of smart cards on removable data drives' check box.
Note: This setting is enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.
The recommended state for this setting is: Enabled.
Rationale:
A drive can be compromised by guessing or finding the authentication information used to access the drive. For example, a password could be guessed, or a drive set to automatically unlock could be lost or stolen with the computer it automatically unlocks with.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of smart cards on removable data drives
Impact:
None - this is the default configuration.
Default Value:
Enabled. (Users are allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.)