Information
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
The recommended state for this setting is: Enabled.
Rationale:
Users may not voluntarily encrypt removable drives prior to saving important data to the drive.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Impact:
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
Default Value:
Disabled. (All removable data drives on the computer will be mounted with read and write access.)
References:
1. CCE-33077-9