Scenario 5: Requiring BitLocker Protection on Data Drives (Windows 7)

Applies To: Windows 7

This scenario describes how to configure Windows 7 Group Policy settings to require that fixed data drives be BitLocker-protected and that BitLocker To Go be used with removable data drives before data can be written to the drive.

Before you start

To complete the procedure in this scenario:

  • You must be able to provide administrative credentials.

To require BitLocker protection on data drives before permitting data to be saved on them

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

  4. To require BitLocker protection on fixed data drives before allowing users to save data to them, in the details pane, double-click Deny write access to fixed drives not protected by BitLocker to open the policy setting.

  5. Click Enabled, click Apply to apply the setting, and then close the dialog box.

  6. Restart the computer.

  7. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  8. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  9. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

  10. To require the use of BitLocker To Go on removable data drives before allowing users to save data to them, in the details pane, double-click Deny write access to removable drives not protected by BitLocker to open the policy setting.

  11. Click Enabled, click Apply to apply the setting, and then close the dialog box.

Note

Enabling the removable data drive setting in step 10 means that you cannot support startup keys, recovery keys, or BitLocker protection of operating system drives on computers without a TPM, because each of these features requires an unencrypted removable data drive on which to store the BitLocker key.

  12. Close the Local Group Policy Editor.

  13. If any removable drives are inserted in the computer when this policy setting is enabled, they must be removed and reinserted before this policy setting is applied to them.
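The same two settings can be applied and checked from an elevated PowerShell prompt, which is useful for scripting a build or auditing a machine that was configured through gpedit.msc. The script below is an added example and is not part of the original scenario. It assumes that the Local Group Policy Editor stores the two "Deny write access" settings as the DWORD values FDVDenyWriteAccess and RDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE (the mapping in the BitLocker ADMX template; confirm against VolumeEncryption.admx in your environment). It also parses the output of manage-bde -status, because Windows 7 has no Get-BitLockerVolume cmdlet, to list the data volumes that will become read-only once the policy takes effect.

```powershell
# Added example, not from the original scenario. Windows 7 / PowerShell 2.0 compatible.
# Assumption: gpedit.msc writes the two "Deny write access ... not protected by
# BitLocker" settings as these DWORD values (1 = Enabled, 0 = Disabled, value
# absent = Not Configured) under the FVE policy key.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = 'FDVDenyWriteAccess', 'RDVDenyWriteAccess'

function Set-BitLockerDenyWritePolicy {
    param(
        [bool]$FixedDrives = $true,      # step 4: Fixed Data Drives
        [bool]$RemovableDrives = $true   # step 10: Removable Data Drives
    )
    # HKLM\SOFTWARE\Policies is admin-only; fail early instead of half-applying.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }

    # -Force overwrites an existing value; 0 is "Disabled", not "Not Configured".
    # To return a setting to Not Configured, remove the value instead.
    New-ItemProperty -Path $FvePolicyKey -Name 'FDVDenyWriteAccess' `
        -PropertyType DWord -Value ([int]$FixedDrives) -Force | Out-Null
    New-ItemProperty -Path $FvePolicyKey -Name 'RDVDenyWriteAccess' `
        -PropertyType DWord -Value ([int]$RemovableDrives) -Force | Out-Null
}

function Test-BitLockerDenyWritePolicy {
    # Emits one object per setting, so the result can be piped or compared in a script.
    foreach ($name in $PolicyValues) {
        $value = $null
        if (Test-Path $FvePolicyKey) {
            $item = Get-ItemProperty -Path $FvePolicyKey -Name $name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = $item.$name }
        }
        $state = if ($value -eq $null) { 'Not Configured' }
                 elseif ($value -eq 1)  { 'Enabled' }
                 else                   { 'Disabled' }
        New-Object PSObject -Property @{ Setting = $name; Value = $value; State = $state }
    }
}

function Get-UnprotectedDataVolume {
    # Parses 'manage-bde -status' (Windows 7 ships manage-bde; Get-BitLockerVolume
    # only exists in Windows 8 / Server 2012 and later). Each volume block starts
    # with "Volume X: [label]" followed by "[OS Volume]" or "[Data Volume]".
    $volumes = @()
    $current = $null
    foreach ($line in (& manage-bde -status)) {
        if ($line -match '^Volume ([A-Z]):') {
            $current = New-Object PSObject -Property @{ Drive = $Matches[1] + ':'; Type = ''; Protection = '' }
            $volumes += $current
        } elseif ($current -ne $null -and $line -match '^\[(.+) Volume\]') {
            $current.Type = $Matches[1]
        } elseif ($current -ne $null -and $line -match 'Protection Status:\s+(.+)$') {
            $current.Protection = $Matches[1].Trim()
        }
    }
    # Data volumes with protection off are the ones the policy will mount read-only.
    $volumes | Where-Object { $_.Type -eq 'Data' -and $_.Protection -match 'Off' }
}

# Usage: apply both settings, read them back, and list affected data volumes.
Set-BitLockerDenyWritePolicy -FixedDrives $true -RemovableDrives $true
Test-BitLockerDenyWritePolicy | Format-Table Setting, State, Value -AutoSize
Get-UnprotectedDataVolume     | Format-Table Drive, Type, Protection -AutoSize
```

Writing the registry values directly produces the same effective policy as steps 4 and 10, but it does not update the local registry.pol, so gpedit.msc will still show the settings as Not Configured; for anything beyond a one-off test, set the policy through Group Policy so that the policy engine enforces it. As with the manual procedure, restart after changing the fixed data drive setting and remove and reinsert any removable drives so the setting is applied to them. Run Get-UnprotectedDataVolume before enabling the removable drive setting: any USB drive it lists that holds a startup key or recovery key will no longer be writable.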

By completing this procedure, you have configured Group Policy settings that require fixed data drives to be BitLocker-protected and removable data drives to use BitLocker To Go before data can be written to them. Data drives that are not protected by BitLocker are mounted read-only; if users attempt to write data to such a drive, they are prompted to turn on BitLocker.