Exclude certain USB Hardware ID from BitLocker To Go Policy?? (Removable Device Control?)

  • Question

  • Hi,

    We're currently rolling out Windows 7 and will be implementing BitLocker To Go for all USB storage media - however we also have some other USB flash drives which already use encryption in conjunction with fingerprint authentication.

    We would like to be able to exclude these devices from being forced to enable BitLocker To Go (especially since these devices are cross-platform compatible).

    Is there a way to exclude these already encrypted devices from BitLocker To Go?

    I've had a look at Removable Device Policies but I can't see a clear way to achieve this?


    Saturday, July 2, 2011 7:15 AM

All replies

  • Hi,


    Based on my experience, there's no GPO that can achieve this.


    When you want to encrypt hard drives with BitLocker, hard disk drives or USB storage drives will be listed, and you can choose which drive to turn on BitLocker for. You need to exclude the encrypted devices manually.


    Thank you for your understanding.



    Leo Huang



    Tuesday, July 5, 2011 3:23 AM
  • You can exclude USB devices based on Device IDs from this GPO.

    You can restrict or allow devices by Device IDs or Device Setup Classes:

    Computer Configuration -> Administrative Templates -> System -> Device Installation -> Prevent Installation of Devices that match any of these device IDs.

    Computer Configuration -> Administrative Templates -> System -> Device Installation -> Prevent Installation of Devices using drivers that match these device setup classes.

    I hope this helps.

    Manoj Sehgal
    Tuesday, July 5, 2011 3:21 PM
  • Hi Manoj,

    Thanks for your reply, I'm aware that through Removable Device Control you can allow or prohibit certain device hardware IDs. The issue that we have is we need to find some way of applying the following through policy:

    "All USB devices except those with this <MacAffeeUSBHardwareID> must be forced to use BitLocker To Go encryption"

    I know I can do either in isolation but I'm not sure how I can combine the two together?


    Wednesday, July 6, 2011 10:23 AM
  • Hi kiwidj,

    I have exactly the same requirements, did you get a solution to your problem?



    Tuesday, September 13, 2011 4:15 PM
  • Hi Carlos,

    The short answer is no, but we ended up changing track slightly. In the end our requirements changed slightly, so now we will prevent removable device access completely for all users through Group Policy Preferences. BitLocker To Go will also be enforced over the top, but will only be effective for those users who have the removable device access restrictions lifted (this is achieved by item-level targeting to security groups using GPP).

    By exception, for only a small group of users that need to use removable devices and cannot use BitLocker To Go (i.e. cross platform), a group policy has been configured to not enforce BitLocker To Go and to allow them to write to unencrypted devices.

    It's not the ideal solution unfortunately but it's the best solution we could find.


    • Proposed as answer by D Marsh Wednesday, June 22, 2016 7:43 PM
    Tuesday, September 13, 2011 11:58 PM
  • Many thanks for your fast reply,

    We also did it with a workaround: we set in GPO a computer group with a BitLocker exclusion and move the excluded computers there,

    so for all the machines that are now allowed to write to USB devices, BitLocker will do the trick, and the excluded ones can manually encrypt.

    Of course it works but the integration level is not what we expected.

    Wednesday, September 14, 2011 8:22 AM
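The thread never reaches a single policy that combines "deny these hardware IDs" with "force BitLocker To Go on everything else", so each workaround above relies on a manual exception list. The script below is an added example (not posted by anyone in the thread) that audits a Windows host: it lists USB-attached disks with the hardware IDs that Device Installation Restriction policies match on, and reports the BitLocker status of each volume, flagging drives that are neither exempt nor protected. The `$ExemptHardwareIds` value is a placeholder to be replaced with the real IDs of the self-encrypting drives; it requires the BitLocker and PnpDevice modules (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit removable USB disks against a BitLocker To Go exemption list.
# $ExemptHardwareIds is a placeholder; fill it with the hardware IDs of the drives
# that are already encrypted by other means (e.g. the fingerprint-protected sticks).
param(
    [string[]]$ExemptHardwareIds = @('USBSTOR\DiskPLACEHOLDER_VENDOR&Prod_PLACEHOLDER_MODEL')
)

# USB-attached disks; PNPDeviceID is the instance ID the device-installation GPO evaluates.
$usbDisks = Get-CimInstance -ClassName Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq 'USB' }

foreach ($disk in $usbDisks) {
    # Hardware IDs, most specific first, in the same form used by
    # "Prevent installation of devices that match any of these device IDs".
    $hwIds = (Get-PnpDeviceProperty -InstanceId $disk.PNPDeviceID `
                  -KeyName 'DEVPKEY_Device_HardwareIds').Data
    $isExempt = [bool]($hwIds | Where-Object { $ExemptHardwareIds -contains $_ })

    # Walk disk -> partition -> logical disk to find the drive letters on this device.
    $letters = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
        ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk } |
        Select-Object -ExpandProperty DeviceID

    foreach ($letter in $letters) {
        # ProtectionStatus is 'On' only when the volume is encrypted and its protectors are active.
        $blv = Get-BitLockerVolume -MountPoint $letter -ErrorAction SilentlyContinue
        $status = if ($blv) { [string]$blv.ProtectionStatus } else { 'Unknown' }

        [pscustomobject]@{
            Drive           = $letter
            Model           = $disk.Model
            HardwareId      = $hwIds[0]
            ExemptFromBtg   = $isExempt
            BitLockerStatus = $status
            # A drive that is not on the exemption list and not protected is a policy gap.
            NeedsAttention  = (-not $isExempt) -and ($status -ne 'On')
        }
    }
}
```

Run it on a pilot machine with the self-encrypting drive plugged in to confirm the hardware ID string you intend to put in the deny list actually appears under `HardwareId`, and on an ordinary machine to confirm the forced BitLocker To Go volumes show `On`.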