I am trying to create a Group Policy for BitLocker To Go to force encryption of any unencrypted USB sticks plugged in.
We also use BitLocker to encrypt the hard drive; as our laptops don't have a TPM chip built in, we have to use a USB key with the PIN code file on it to unlock it upon boot.
When I plug in a USB stick that's not encrypted, as expected I get prompted to encrypt the stick. When I confirm, I receive an error saying that it can't be encrypted as I am using a USB BitLocker startup key.
Is this true? The startup key is used in the boot-up sequence; it's not even in Windows, so it won't be able to check the stick encryption? It should only have to read the key from the stick, not write?
'bitlocker encryption policy cannot be applied to this drive because of conflicting group policy settings. When write access to drives is not protected by Bitlocker is denied, the use of a USB startup key cannot be required. Please have your system admin resolve the policy conflicts before attempting to enable bitlocker.'
Is there any way around this, as we have no TPM chips in our laptops? We would like to stop write access to USB sticks.