Sample configuration for BitLocker To Go encryption
To encrypt or unlock removable storage devices (USB storage devices) with BitLocker To Go, follow these instructions in the order given.
For more information on the individual steps, see the cross-references.
- Create a policy (or open an existing one) that contains the settings related to BitLocker To Go. Verify that you have licensed BitLocker Management in this policy and that the option is selected in the Licensed Computers section.
- Go to the Encryption node in the policy and click the Settings sub-node. First, define the encryption method. If you do not select anything here, Encryption 2 Go is the default encryption method.
  - Select Available encryption methods.
  - In the dialog box, select Set to value and check the Drive encryption on removable data drives (BitLocker To Go) option. Save your settings and close the dialog.
  - Open the Drives node. Keep the default value Not configured (locked) in the Removable drive locking settings for USB bus connected drives.
- Open the context menu from the Drive whitelist rules sub-node, see the figure below. Select Drive rule...
  - Create a drive rule for the corresponding USB drive. To see how this works, click here.
  - Next, open the Encryption node again and then the BitLocker Management sub-node. Here you go directly to BitLocker To Go and select the Encrypted drive recovery option.
- Here we have already created two standard rules that cannot be deleted.
  - First, open the Administrative password rule. Specify a complex administrative password.
  - Second, open the rule for certificate-based recovery. You will need to specify a certificate, as this is required for recovery. Either create a new certificate or select an existing one. Save your settings and close the dialog.
- Next, open the context menu of the Enforce encryption option, click New, and then click Enforced encryption rule.
  In the following dialog, enter a description on the General tab (the first rule already has the description Default settings for enforced encryption in this text field).
  On the Settings tab, accept the default settings: Prompt user for encryption password and select the option Attempt to mount using administrative password.
  This setting ensures that DriveLock can access the administrative password in the background.
- Last, assign your policy to all or to specific DriveLock Agents.
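As an added check, not part of the DriveLock documentation or product, the following PowerShell audits the removable drives attached to an agent and flags any that the enforced-encryption rule has not yet brought into the expected state. It assumes the built-in Windows BitLocker module and an elevated session, and it assumes that the policy above results in a Password protector plus a recovery protector (RecoveryPassword, or PublicKey for certificate-based recovery); the function name is hypothetical.

```powershell
# Added verification example (not DriveLock code). Lists every removable
# volume with a drive letter and reports whether BitLocker To Go protection
# is on and which key protectors exist. Requires the BitLocker module
# (Get-BitLockerVolume) and an elevated session.
function Get-RemovableBitLockerState {
    # Mount points such as "E:" for all removable (USB) volumes
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    foreach ($mount in $removable) {
        $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        $status     = 'NotBitLocker'   # volume not managed by BitLocker at all
        $method     = 'None'
        $protectors = @()
        if ($blv) {
            $status     = [string]$blv.ProtectionStatus      # On / Off
            $method     = [string]$blv.EncryptionMethod      # e.g. XtsAes128
            $protectors = @($blv.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        }

        # Assumption: "Prompt user for encryption password" yields a Password
        # protector; recovery is a RecoveryPassword or a certificate (PublicKey).
        $hasPassword = $protectors -contains 'Password'
        $hasRecovery = ($protectors -contains 'RecoveryPassword') -or
                       ($protectors -contains 'PublicKey')

        [pscustomobject]@{
            MountPoint       = $mount
            ProtectionStatus = $status
            EncryptionMethod = $method
            Protectors       = ($protectors -join ',')
            Compliant        = ($status -eq 'On' -and $hasPassword -and $hasRecovery)
        }
    }
}

# Any row with Compliant = False is a drive the policy has not yet enforced.
Get-RemovableBitLockerState | Format-Table -AutoSize
```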