Apply BitLocker Group Policy settings per User Group

    Question

  • Looking to switch to BitLocker for Removable Media Encryption from another solution.  I know BitLocker policies are Computer based.  But we're looking to specifically configure the Removable Data Drives policies based off of AD user groups.  For example, regardless of what computer someone logs into, if a user is in an AD group allowing them to write to removable media then we want that allowed.  If a user can only write to BitLocker encrypted removable media, then we want to enforce that.  Is that possible to configure?

    Thank you

    Thursday, January 28, 2016 9:09 PM

Answers

  • If I get you right, you'd like some users to be free to say "no, I don't want to encrypt this USB drive" while you would like to enforce the use of only encrypted USB drives for others. Right?

    What you could configure per-user is adding a SID protector. So for some users, you'd configure that their USB drives auto-unlock whenever they log on. That would enable them to use all the USB drives as if those were unencrypted on any domain-joined machine. Outside the domain, however, they have to enter a password.

    Thursday, January 28, 2016 9:33 PM
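
One way to add the SID protector described in the answer above, using the BitLocker PowerShell module. This is an added example, not part of the original thread; the drive letter `E:` and the group `CONTOSO\USB-AutoUnlock` are placeholders.

```powershell
# Added example: drive letter and group name are placeholders, not values from the thread.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'E:',                      # assumed removable drive letter
    [string]$AdGroup    = 'CONTOSO\USB-AutoUnlock'   # hypothetical AD group
)

# Refuse to touch anything that does not report as a removable volume.
$vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
if ($vol.DriveType -ne 'Removable') {
    throw "$MountPoint is not a removable drive (DriveType: $($vol.DriveType))."
}

$blv = Get-BitLockerVolume -MountPoint $MountPoint

# Password protector: the fallback the user types on machines outside the domain.
if ($blv.KeyProtector.KeyProtectorType -notcontains 'Password') {
    $pw = Read-Host -AsSecureString -Prompt "Password for $MountPoint"
    if ($blv.VolumeStatus -eq 'FullyDecrypted') {
        # Drive is not encrypted yet: this starts encryption with the password protector.
        Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $pw | Out-Null
    }
}

# SID protector: members of $AdGroup can unlock the drive on domain-joined machines.
if ($blv.KeyProtector.KeyProtectorType -notcontains 'AdAccountOrGroup') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -AdAccountOrGroupProtector -AdAccountOrGroup $AdGroup | Out-Null
}

# Show the protectors now present so the result can be checked.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```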

All replies

  • Hi,
    I am checking if your issue is solved or not. Is the reply helpful to you?
    If you have any questions, please let us know.
    Appreciate your update.
    Best regards,

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 02, 2016 6:17 AM
    Moderator
  • Hi,
    Thanks for posting in Microsoft TechNet forums.
    As there has been no further update regarding this issue for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You could also choose to unmark the answer as you wish.

    Friday, February 05, 2016 7:29 AM
    Moderator