Exclude certain USB Hardware ID from BitLocker To Go Policy?? (Removable Device Control?)
Hi, We're currently rolling out Windows 7 and will be implementing BitLocker To Go for all USB storage media. However, we also have some other USB flash drives which already use encryption in conjunction with fingerprint authentication. We would like to be able to exclude these devices from being forced to enable BitLocker To Go (especially since these devices are cross-platform compatible). Is there a way to exclude these already encrypted devices from BitLocker To Go? I've had a look at Removable Device Policies but I can't see a clear way to achieve this?
July 2nd, 2011 10:15am

Hi, Based on my experience, there's no GPO that can achieve this. When you want to encrypt drives with BitLocker, hard disk drives or USB storage drives will be listed, and you can choose which drive to turn on BitLocker for. You need to exclude the encrypted devices manually. Thank you for your understanding. Regards, Leo Huang
July 5th, 2011 6:23am

You can exclude USB devices based on Device IDs from this GPO. You can restrict or allow devices by Device IDs or Device Setup Classes: Computer Configuration → Administrative Templates → System → Device Installation → Prevent Installation of Devices that match any of these device IDs. Computer Configuration → Administrative Templates → System → Device Installation → Prevent Installation of Devices using drivers that match these device setup classes. I hope this helps. Manoj Sehgal
July 5th, 2011 6:21pm
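Before typing IDs into either of those policies an administrator needs the exact hardware IDs the policy engine will compare against, and it helps to see what the GPO actually leaves in the registry. The following PowerShell is an added example, not code from the thread: it harvests the hardware and compatible IDs of attached USB storage devices, reads the Device Installation restriction values the named GPOs write under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions`, and reports which devices would be caught. The device records and the policy at the bottom are constructed placeholders so the check can be run with nothing attached; the script targets Windows PowerShell 2.0 (the Windows 7 default), so it uses Get-WmiObject rather than the later Get-PnpDevice.

```powershell
# Added example (not from the thread): check attached USB storage devices against the
# Device Installation restriction GPOs. The IDs typed into the policy editor appear as
# string values named "1", "2", ... under the DenyDeviceIDs / AllowDeviceIDs subkeys.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestrictionPolicy {
    # Read the allow/deny switches and ID lists as the policy engine left them.
    $pol = @{ DenyEnabled = $false; DenyIds = @(); AllowEnabled = $false; AllowIds = @(); DenyUnspecified = $false }
    if (-not (Test-Path $RestrictionsKey)) { return $pol }
    $root = Get-ItemProperty $RestrictionsKey
    $pol.DenyEnabled     = ($root.DenyDeviceIDs   -eq 1)
    $pol.AllowEnabled    = ($root.AllowDeviceIDs  -eq 1)
    $pol.DenyUnspecified = ($root.DenyUnspecified -eq 1)   # "Prevent installation of devices not described by other policy settings"
    foreach ($list in 'DenyDeviceIDs', 'AllowDeviceIDs') {
        $sub = Join-Path $RestrictionsKey $list
        if (-not (Test-Path $sub)) { continue }
        # Keep only the numbered values; drop PSPath and the other PS* noise properties.
        $ids = (Get-ItemProperty $sub).PSObject.Properties |
               Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        if ($list -eq 'DenyDeviceIDs') { $pol.DenyIds = @($ids) } else { $pol.AllowIds = @($ids) }
    }
    return $pol
}

function Get-UsbStorageDevice {
    # Every USB mass-storage instance, with the hardware IDs and compatible IDs
    # that the Device Installation policy compares against.
    Get-WmiObject Win32_PnPEntity -Filter "DeviceID LIKE 'USBSTOR%'" | ForEach-Object {
        New-Object PSObject -Property @{
            Name        = $_.Name
            InstanceId  = $_.DeviceID
            HardwareIds = @(@($_.HardwareID) + @($_.CompatibleID) | Where-Object { $_ })
        }
    }
}

function Test-UsbDeviceAgainstPolicy {
    param($Device, $Policy)
    # Policy matching is exact and case-insensitive, which is what -contains does on strings.
    $denied  = $Policy.DenyEnabled  -and (@($Device.HardwareIds | Where-Object { $Policy.DenyIds  -contains $_ }).Count -gt 0)
    $allowed = $Policy.AllowEnabled -and (@($Device.HardwareIds | Where-Object { $Policy.AllowIds -contains $_ }).Count -gt 0)
    # On Windows 7 a prevent policy always wins over an allow policy; the allow list
    # only has an effect together with DenyUnspecified.
    $verdict = if ($denied)                     { 'Blocked: matches a deny-list ID' }
               elseif ($allowed)                { 'Allowed: matches an allow-list ID' }
               elseif ($Policy.DenyUnspecified) { 'Blocked: not described by any policy' }
               else                             { 'Not restricted by Device Installation policy' }
    New-Object PSObject -Property @{ Name = $Device.Name; InstanceId = $Device.InstanceId; Verdict = $verdict }
}

# Constructed sample data (placeholders, not real IDs): a generic flash drive and a
# stand-in for the fingerprint-authenticated drive the thread wants to treat differently.
# Both carry the generic compatible ID USBSTOR\GenDisk, as real USB disks do.
$SampleDevices = @(
    (New-Object PSObject -Property @{
        Name        = 'Generic Flash Disk USB Device'
        InstanceId  = 'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_1.00\SAMPLE0001&0'
        HardwareIds = @('USBSTOR\DiskGeneric_Flash_Disk______1.00', 'USBSTOR\GenDisk', 'GenDisk') }),
    (New-Object PSObject -Property @{
        Name        = 'Fingerprint Drive USB Device (placeholder)'
        InstanceId  = 'USBSTOR\DISK&VEN_PLACEHOLDER&PROD_FPDRIVE&REV_1.00\SAMPLE0002&0'
        HardwareIds = @('USBSTOR\DiskPLACEHOLDER_FPDRIVE________1.00', 'USBSTOR\GenDisk', 'GenDisk') })
)
# A tempting "block every USB disk, allow-list the one exception" policy: because the
# deny list matches the shared GenDisk compatible ID and deny wins, BOTH devices end
# up blocked. That is the combination problem the thread runs into.
$SamplePolicy = @{ DenyEnabled = $true; DenyIds = @('USBSTOR\GenDisk'); AllowEnabled = $true
                   AllowIds = @('USBSTOR\DiskPLACEHOLDER_FPDRIVE________1.00'); DenyUnspecified = $false }

$SampleDevices | ForEach-Object { Test-UsbDeviceAgainstPolicy $_ $SamplePolicy } | Format-Table Name, Verdict -AutoSize

# Live audit on a domain-joined machine (run elevated, after gpupdate):
# Get-UsbStorageDevice | ForEach-Object { Test-UsbDeviceAgainstPolicy $_ (Get-DeviceInstallRestrictionPolicy) } |
#     Format-Table Name, InstanceId, Verdict -AutoSize
```

The constructed policy prints "Blocked: matches a deny-list ID" for both sample devices. The shape that does express "all except these" is DenyUnspecified plus an allow list, but DenyUnspecified applies to every device class, so in practice it has to be paired with allow-listed setup classes for keyboards, mice and the like; and none of this touches BitLocker To Go, which is a separate policy area.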

Hi Manoj, Thanks for your reply. I'm aware that through Removable Device Control you can allow or prohibit certain device hardware IDs. The issue that we have is we need to find some way of applying the following through policy: "All USB devices except those with this <McAfeeUSBHardwareID> must be forced to use BitLocker To Go encryption". I know I can do either in isolation but I'm not sure how I can combine the two together?
July 6th, 2011 1:23pm

Hi kiwidj, I have exactly the same requirements. Did you get a solution to your problem? Regards, Carlos
September 13th, 2011 12:16pm

Hi Carlos, the short answer is no, but we ended up changing track slightly. In the end our requirements changed slightly, so now we will prevent removable device access completely for all users through Group Policy Preferences. BitLocker To Go will also be enforced over the top but will only be effective for those users who have the removable device access restrictions lifted (this is achieved by item-level targeting to security groups using GPP). By exception, for only a small group of users who need to use removable devices and cannot use BitLocker To Go (i.e. cross platform), a group policy has been configured to not enforce BitLocker To Go and to allow users to write to unencrypted devices. It's not the ideal solution unfortunately, but it's the best solution we could find.
September 13th, 2011 7:58pm
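The layered arrangement described above has three outcomes for a removable disk (no write access, read-only until BitLocker To Go is enabled, or read/write), and which one applies depends on values in three separate registry locations. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the "Removable Disks: Deny write access" values the Removable Storage Access policy writes under `...\Policies\Microsoft\Windows\RemovableStorageDevices` (computer and user side), the `RDVDenyWriteAccess` value set by "Deny write access to removable drives not protected by BitLocker", and the protection state of attached removable volumes via the `Win32_EncryptableVolume` WMI class, then resolves the effective access. It assumes that the GPP registry items with item-level targeting write the same RemovableStorageDevices values as the Administrative Template does; the tier table at the end is constructed, not read from a machine.

```powershell
# Added example (not from the thread): resolve which access tier a removable disk falls
# into from the registry values the named GPOs set. Windows PowerShell 2.0 compatible.

# Class GUID the "Removable Disks: Deny read/write access" settings key on.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStorageAccessPolicy {
    # Both the Computer and User Configuration copies, since the restriction is
    # lifted per security group on the user side.
    $result = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        $class = Join-Path $key $RemovableDisksClass
        $root  = if (Test-Path $key)   { Get-ItemProperty $key }   else { $null }
        $disk  = if (Test-Path $class) { Get-ItemProperty $class } else { $null }
        $result[$hive] = New-Object PSObject -Property @{
            DenyAll   = ($root -ne $null -and $root.Deny_All   -eq 1)   # "All Removable Storage classes: Deny all access"
            DenyRead  = ($disk -ne $null -and $disk.Deny_Read  -eq 1)
            DenyWrite = ($disk -ne $null -and $disk.Deny_Write -eq 1)
        }
    }
    return $result
}

function Get-BitLockerToGoPolicy {
    # "Deny write access to removable drives not protected by BitLocker" -> RDVDenyWriteAccess = 1
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $p = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
    New-Object PSObject -Property @{
        DenyUnprotectedWrite = ($p -ne $null -and $p.RDVDenyWriteAccess -eq 1)
        DenyCrossOrg         = ($p -ne $null -and $p.RDVDenyCrossOrg    -eq 1)
    }
}

function Get-RemovableVolumeProtection {
    # Needs elevation. Win32_EncryptableVolume is the WMI provider behind manage-bde;
    # DriveType 2 in Win32_LogicalDisk picks out the removable volumes.
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID }
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        Where-Object { $removable -contains $_.DriveLetter } | ForEach-Object {
            $code = $_.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
            New-Object PSObject -Property @{ Drive = $_.DriveLetter; Protected = ($code -eq 1) }
        }
}

function Resolve-EffectiveAccess {
    # Pure decision logic: Removable Storage Access applies first and regardless of
    # BitLocker; once it is lifted, RDVDenyWriteAccess leaves an unprotected drive
    # read-only until BitLocker To Go is turned on for it.
    param($Storage, $BitLocker, [bool]$VolumeProtected)
    foreach ($hive in 'HKLM', 'HKCU') {
        $s = $Storage[$hive]
        if ($s.DenyAll -or ($s.DenyRead -and $s.DenyWrite)) { return "No access: Removable Storage Access ($hive)" }
    }
    foreach ($hive in 'HKLM', 'HKCU') {
        if ($Storage[$hive].DenyWrite) { return "Read-only: Removable Storage Access denies write ($hive)" }
    }
    if ($BitLocker.DenyUnprotectedWrite -and -not $VolumeProtected) { return 'Read-only until BitLocker To Go is enabled on the drive' }
    return 'Read/write'
}

# Constructed policy states (not read from a machine) for the tiers described in the
# thread; the helper builds the same shape Get-RemovableStorageAccessPolicy returns.
function New-StorageState([bool]$DenyWrite) {
    $lifted = New-Object PSObject -Property @{ DenyAll = $false; DenyRead = $false; DenyWrite = $false }
    $hklm   = New-Object PSObject -Property @{ DenyAll = $false; DenyRead = $false; DenyWrite = $DenyWrite }
    return @{ HKLM = $hklm; HKCU = $lifted }
}
$Enforced = New-Object PSObject -Property @{ DenyUnprotectedWrite = $true;  DenyCrossOrg = $false }
$Relaxed  = New-Object PSObject -Property @{ DenyUnprotectedWrite = $false; DenyCrossOrg = $false }

$Tiers = @(
    @{ Tier = 'Default user (write denied by GPP)';    Storage = (New-StorageState $true);  BitLocker = $Enforced; Protected = $false },
    @{ Tier = 'Restriction lifted, unencrypted stick'; Storage = (New-StorageState $false); BitLocker = $Enforced; Protected = $false },
    @{ Tier = 'Restriction lifted, BitLocker stick';   Storage = (New-StorageState $false); BitLocker = $Enforced; Protected = $true  },
    @{ Tier = 'Cross-platform exception GPO';          Storage = (New-StorageState $false); BitLocker = $Relaxed;  Protected = $false }
)
foreach ($t in $Tiers) { '{0,-42} {1}' -f $t.Tier, (Resolve-EffectiveAccess $t.Storage $t.BitLocker $t.Protected) }

# Live audit of this machine (elevated):
# $storage = Get-RemovableStorageAccessPolicy; $bl = Get-BitLockerToGoPolicy
# Get-RemovableVolumeProtection | ForEach-Object { '{0} {1}' -f $_.Drive, (Resolve-EffectiveAccess $storage $bl $_.Protected) }
```

The constructed tiers resolve to read-only (storage policy), read-only until encrypted, read/write, and read/write respectively, which is the behaviour the post describes. The ordering in Resolve-EffectiveAccess is the point worth checking on a real machine: a Deny_Write left in HKLM by the computer-side GPO overrides a per-group lift applied only on the user side, so the "lifted" group is only effective if the write denial is applied in the same hive the item-level targeting removes it from.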

Many thanks for your fast reply. We also did it with a workaround: we set up in GPO a computer group with a BitLocker exclusion and move the excluded computers there, so for all the machines that are now allowed to write to USB devices, BitLocker will do the trick, and the excluded ones can manually encrypt. Of course it works, but the integration level is not what we expected.
September 14th, 2011 4:22am

This topic is archived. No further replies will be accepted.
