BitLocker To Go and BitLocker on a laptop with no TPM (USB unlock key used)

I am trying to create a group policy for BitLocker To Go to force encryption of any unencrypted USB sticks that are plugged in.

We also use BitLocker to encrypt the hard drive. As our laptops don't have a TPM chip built in, we have to use a USB key with the PIN code file on it to unlock the drive at boot.

When I plug in a USB stick that's not encrypted I get prompted to encrypt the stick, as expected. When I confirm, I receive an error saying that it can't be encrypted because I am using a USB BitLocker startup key.

Is this true? The startup key is used in the boot-up sequence; it isn't even in Windows, so it won't be able to check the stick's encryption. It should only have to read the key from the stick, not write to it.


Error message:

'BitLocker encryption policy cannot be applied to this drive because of conflicting group policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system admin resolve the policy conflicts before attempting to enable BitLocker.'


Is there any way around this? As we have no TPM chips in our laptops, we would like to stop write access to USB sticks.
Spikeuk30 asked:
Rich Rumble (Security Samurai) commented:
You can disable USB drives with a GPO. Granted, you can't use them as read-only like you can with some BitLocker policies, but you can prevent USB drives altogether.
http://support.microsoft.com/kb/555324/en-us

This indicates that you can, but there may be a setting or two you'd have to change
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/
http://technet.microsoft.com/en-us/library/jj679890.aspx lists some conflicts you can have with certain policies, though I don't see the error message specifically.

http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Note that if you apply these policies, iPhone and BlackBerries will not be usable as storage or allow transfers either. They will charge, but not "function" like they did prior.
-rich
McKnife commented:
As suggested by the error message, solve the policy conflict. The policy you have set is "deny write access to unencrypted drives", right?
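The two answers above point at two different fixes: resolving the policy conflict named in the error (McKnife), or dropping the "deny write access" BitLocker policy and blocking USB storage another way (Rich). The following PowerShell audit script is an added example, not code from the thread or from Microsoft. It reads the registry values that back the relevant BitLocker Group Policy settings under HKLM\SOFTWARE\Policies\Microsoft\FVE (RDVDenyWriteAccess, UseTPMKey, UseTPMKeyPIN, EnableBDEWithNoTPM, where 0 = do not allow, 1 = require, 2 = allow for the startup-authentication values) and flags the combination the error message describes: removable-drive writes denied while a USB startup key is set to "Require". It also reports whether the USBSTOR driver is disabled (Start = 4), which is the usual registry-level way to block USB mass storage inside Windows and is what I assume Rich's KB link describes. The boot manager reads the BitLocker startup key before Windows loads, so disabling USBSTOR does not interfere with that key, which is the point the asker raises. The sample hashtable is constructed to match the asker's setup; the live check needs an elevated prompt.

```powershell
# Added audit example (not from the original thread). Registry paths and value
# names are the documented backing values for the BitLocker GPO settings; the
# interpretation "only a *required* startup key conflicts" follows the wording
# of the error message quoted in the question.

function Get-FvePolicy {
    # Read every policy value under the BitLocker policy key into a hashtable.
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE')
    $result = @{}
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*') { $result[$p.Name] = $p.Value }
        }
    }
    return $result
}

function Test-BitLockerPolicyConflict {
    # Accepts a hashtable so the logic can be run against constructed data;
    # defaults to the live policy key on this machine.
    param([hashtable]$Policy = (Get-FvePolicy))

    # "Deny write access to removable drives not protected by BitLocker"
    $denyWrite = ($Policy['RDVDenyWriteAccess'] -eq 1)

    # "Require additional authentication at startup": startup-key options.
    # 1 = Require, 2 = Allow, 0 = Do not allow.
    $keyRequired = ($Policy['UseTPMKey'] -eq 1) -or ($Policy['UseTPMKeyPIN'] -eq 1)
    $keyAllowed  = ($Policy['UseTPMKey'] -eq 2) -or ($Policy['UseTPMKeyPIN'] -eq 2)

    # "Allow BitLocker without a compatible TPM" (startup key or password on USB).
    $noTpm = ($Policy['EnableBDEWithNoTPM'] -eq 1)

    [pscustomobject]@{
        DenyWriteToUnprotectedRemovable = $denyWrite
        StartupKeyRequired              = $keyRequired
        StartupKeyAllowed               = $keyAllowed
        BitLockerAllowedWithoutTPM      = $noTpm
        # The combination the error message says cannot coexist.
        Conflict                        = ($denyWrite -and $keyRequired)
    }
}

function Get-UsbStorState {
    # USBSTOR Start = 4 disables the USB mass-storage driver inside Windows.
    # Assumed to be the mechanism behind the KB article linked above.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -ErrorAction SilentlyContinue
    switch ($svc.Start) {
        4       { return 'Disabled (Start=4)' }
        3       { return 'Enabled, loads on demand (Start=3)' }
        default { return "Unknown (Start=$($svc.Start))" }
    }
}

# Constructed sample reflecting the asker's description: removable writes
# denied, startup key required, no TPM available.
$sample = @{
    RDVDenyWriteAccess = 1
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPMKey          = 1
}
'--- constructed sample ---'
Test-BitLockerPolicyConflict -Policy $sample | Format-List

'--- this machine (run elevated) ---'
Test-BitLockerPolicyConflict | Format-List
"USBSTOR driver: $(Get-UsbStorState)"
```

If `Conflict` comes back `True`, the two remediations the thread offers map to the fields directly: change the startup-key option from Require (1) to Allow (2) so the "cannot be required" clause in the error no longer applies, or clear RDVDenyWriteAccess and enforce the USB restriction through the USBSTOR route instead, accepting Rich's caveat that this blocks USB storage entirely rather than making it read-only.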