![]() If the user is out of the office they will need to establishing a VPN connection or enable BitLocker on the device the next time they are in the Office. You may also want to consider ticking the “Omit recovery option form the BitLocker setup wizard†as this will prevent you users from saving the recovery key manually which might be desirable if you don’t trust them to store the key in a safe place.īecause of the “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives†option has been ticked if the user tries to encrypt a new USB storage device when not connected to the corporate network then they will get the following error message (see image 5). Choose how BitLocker-protected removable drives can be recovered This setting ensures the computer has successfully saved recovery key into AD before encrypting a USB storage device. Now Enable the “Choose how BitLocker-protected Removable drives can be recovered†and make sure that the “Save BitLocker recovery information to AD DS for removable data drives†and the “Do not enable BitLocker until recovery information is stored to AD DS for removable data drives†are both ticked (See image 4.). Deny write access to removable drives not protected by BitLocker ![]() This setting is important as it will make any non-BitLocker encrypted devices from being written to in your organisation thus bypassing the whole reason to use BitLocker. When you Enable the “Deny write access to removable drives not protected by BitLocker†also tick the “Do not allow write access to devices configured in another organization†option (see Image 3). Removable Data Drives BitLocker Drive Group Policy Here the two policies you need to enable are “Deny write access to removable drives not protected by BitLocker†and “Choose how BitLocker-protected Removable drives can be recovered†(see Image 2). Edit the group policy that you have applied to all your workstations and navigate to Computer > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Now before I go on I will assume that you are already familiar with Group Policy so all I am going to cover is the key (pardon the pun) policies you need to ensure the recovery keys are backed up to AD DS for all your removable USB storage devices in your organisation. How to configured Group Policy to save the Recovery Key? Installing “BitLocker Drive Encryption Administration Utilities†This is a new tool with 2008 R2/Windows 7 and makes it MUCH easier to read the recovery keys than back in the 2003 R2/Vista days. This computer can then be used to search for and view the recovery keys if you ever need them. You should install the “BitLocker Drive Encryption Administration Utilities†with Windows Server 2008 R2 or with the RSAT tools for Windows 7 (see image 1.) on at least one computer in your organisation. But I hear you say “you said that Group Policy Preferences doesn’t need schema changes to work†well yes… this is still true it is not a group policy requirement it is a BitLocker requirement.Ģ. You Active Directory must be running the Windows Server 2003 R2 scheme extensions. Now before we begin there are a few pre-requisites that we need to cover to make sure this work.ġ. This ensures that for any USB encrypted devices in your organisation that you will always have the ability to unlock the data on the drive even in case that someone forgets the unlock password. Using group policy you can mandate that all encrypted removable device must first have the recover key stored in Active Directory before they start to encrypt. In Part 2 I will show you how to use Group Policy with Active Directory Certificate Services to enable a Data Recovery Agent so that all your devices can be recovery using a single EFS recovery agent account. In Part 1 of this “how to†I am going to show you how to setup the recovery key archiving into Active Directory. ![]() ![]() Well there is where group policy can be your saviour…. Now for a consumer this feature this might be fine as you keep can keep the key in a fire proof safe or even a locked filing cabinet but if you are managing this in a corporate environment you might have to keep track of thousands or even ten’s of thousands of these devices to keep track of the recovery key. One of the problem with this is that if a user were to ever forget the unlock key then they will need to remember where they kept the recovery file or paper print out of the 48 digit recovery key. One of the cool new feature in Windows 7 Ultimate and Enterprise is the ability to encrypt USB devices with a password to protect the data from falling into the wrong hands.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |