Can you create Multiple Forms of Authentication Before a Bitlocked Drive Will Open
Hello, I would like to be able to set up a policy to open up an encrypted removable drive ONLY if it has been encrypted by BitLocker and there is some form of secret certificate or identifier tied to that encrypted drive that matches a policy in Windows. I don't want to use an external software solution; I want to know if Windows 7 can do this. My process, if possible, would be: while encrypting with BitLocker, tie a certificate or identifier to that drive. Then if that drive is inserted into my computer, the only way the drive becomes accessible is if that Windows policy sees that the drive is encrypted and the identifier on the computer matches the one on the removable drive. I have been working with Windows Policy Editor and BitLocker, but have not figured out if this is possible yet. Any info would be greatly appreciated. Thanks
January 27th, 2011 12:29pm

So BitLocker on removable drives is otherwise known as BitLocker To Go... and it requires a password to unlock the drive. It does not have a recovery key or certificate stored anywhere that is controlled with policy. You can however control whether or not to use a removable drive depending on whether it has BitLocker or not. So you can prevent users from using removable drives that are not BitLocker'd and allow them to use those that are. You can find the complete BitLocker GPO reference here: http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx#BKMK_unlockpol8

You won't be able to tie BitLocker To Go to a specific computer, i.e. I encrypt on computer A and take the thumbdrive to computer B and it won't decrypt... the only thing that decrypts the drive is a password. Now you can prevent BitLocker'd removable drives from working on your corporation's computers if they do not have a unique organizational identifier... as mentioned in the policy, but I've never set this setting before.

Hope this helps.

>>> GPO REFERENCE

Deny write access to removable drives not protected by BitLocker

This policy setting is used to require encryption of removable drives prior to granting write access and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with write access.

Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description: This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for a valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored.

Conflicts:
- Use of BitLocker without a compatible TPM, TPM + startup key, or TPM + PIN + startup key must be disallowed if the "Deny write access to removable drives not protected by BitLocker" policy setting is enabled.
- Use of recovery keys must be disallowed if the "Deny write access to removable drives not protected by BitLocker" policy setting is enabled.
- You must enable the "Provide the unique identifiers for your organization" policy setting if you want to deny write access to drives configured in another organization.

Control use of BitLocker on removable drives

This policy setting is used to prevent standard user accounts from being able to turn BitLocker on or off on removable data drives.

Drive type: Removable data drives
Policy path: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description: This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled, you can select property settings that control how users can configure BitLocker.

Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive Encryption from the drive or suspend the encryption while maintenance is performed. If you do not configure this policy setting, users can use BitLocker on removable disk drives. If you disable this policy setting, users cannot use BitLocker on removable disk drives.

Conflicts: None

John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
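As an added example (not code from the thread or from Microsoft), a PowerShell audit script that reads the registry-backed values behind the two policy settings quoted in the answer and compares them with what manage-bde reports for a removable drive, so an administrator can see in advance whether a given stick would mount read-only. It assumes the FVE policy value names from the BitLocker ADMX (RDVDenyWriteAccess, RDVDenyCrossOrg, IdentificationField, IdentificationFieldString, SecondaryIdentificationField), that the allowed-fields value is the comma-separated list typed into the policy, and that "manage-bde -status" prints "Protection Status", "Lock Status" and "Identification Field" lines.

```powershell
# Added audit example, not code from the thread. Reads the policy values
# behind "Deny write access to removable drives not protected by BitLocker"
# and "Provide the unique identifiers for your organization" and checks a
# removable drive against them. Registry value names are assumed from the
# BitLocker ADMX; run from an elevated prompt on Windows 7 or later.
param([string]$DriveLetter = 'E:')

$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fvePath) { Get-ItemProperty -Path $fvePath } else { $null }
function Get-PolicyValue([string]$Name) {
    if ($pol -ne $null -and $pol.PSObject.Properties[$Name]) { return $pol.$Name }
    return $null
}
# Parse one "Label:  value" line out of manage-bde -status output (assumed format).
function Get-StatusField([string[]]$Lines, [string]$Label) {
    foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$')) { return $Matches[1] }
    }
    return $null
}
$denyWrite    = Get-PolicyValue 'RDVDenyWriteAccess'           # 1 = unprotected drives mount read-only
$denyCrossOrg = Get-PolicyValue 'RDVDenyCrossOrg'              # 1 = deny write to other-org drives
$idEnabled    = Get-PolicyValue 'IdentificationField'          # 1 = org identifier policy enabled
$orgId        = Get-PolicyValue 'IdentificationFieldString'    # field stamped on newly encrypted drives
$allowedRaw   = Get-PolicyValue 'SecondaryIdentificationField' # comma-separated allowed fields (assumed)
$allowed = @()
if ($orgId) { $allowed += $orgId }
if ($allowedRaw) { $allowed += ($allowedRaw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
"Policy: deny write to unprotected=$denyWrite, deny cross-org=$denyCrossOrg, org id='$orgId', allowed=[$($allowed -join '; ')]"
if ($denyCrossOrg -eq 1 -and $idEnabled -ne 1) {
    Write-Warning 'Cross-organization denial is set but no organizational identifier is defined (see Conflicts above).'
}
# Ask manage-bde what the drive itself carries; stringify so error records parse too.
$status = & manage-bde.exe -status $DriveLetter 2>&1 | ForEach-Object { "$_" }
$lock   = Get-StatusField $status 'Lock Status'
$prot   = Get-StatusField $status 'Protection Status'
$field  = Get-StatusField $status 'Identification Field'
"Drive $DriveLetter : protection='$prot', lock='$lock', identification field='$field'"
if ($lock -eq 'Locked') {
    'Drive is locked; unlock it with its password before the identification field can be evaluated.'
} elseif ($prot -ne 'Protection On') {
    if ($denyWrite -eq 1) { 'Expected: read-only (not BitLocker-protected).' } else { 'Expected: read/write (policy not enforced).' }
} elseif ($denyCrossOrg -eq 1 -and ($allowed -notcontains $field)) {
    "Expected: read-only (identification field '$field' is not the org field or an allowed field)."
} else {
    'Expected: read/write.'
}
```

The identification field itself is written to a drive with "manage-bde -SetIdentifier <drive>" once the organizational identifier policy is in place; the script only reads, it never changes policy or drive state.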
January 27th, 2011 3:01pm
