TABLE 2-5 Removable data drive BitLocker policies

| Setting | Default State |
| --- | --- |
| Controls use of BitLocker on removable drives | Not configured |
| Configures use of smart cards on removable data drives | Not configured |
| Denies write access to removable drives not protected by BitLocker | Not configured |
| Configures use of hardware-based encryption for removable data drives | Not configured |
| Enforces drive encryption type on removable data drives | Not configured |
| Allows access to BitLocker-protected removable data drives from earlier versions of Windows | Not configured |
| Configures use of passwords for removable data drives | Not configured |
| Chooses how BitLocker-protected removable drives can be recovered | Not configured |

Configuring the EFS recovery agent
The Encrypting File System (EFS), which was introduced in Windows 2000, provides a method
for users to encrypt and protect sensitive files and folders. To ensure that encrypted files
can be recovered in an emergency, the Administrator account on the first domain controller
in the domain is automatically designated the recovery agent for the domain, which allows
this account to access and recover encrypted files.
In addition to the default data recovery agent for a domain, you can add more recovery
agents. To add a recovery agent, follow these steps:
1. Open the GPMC and select the GPO you want to configure. For an EFS recovery agent,
it is usually the Default Domain Policy.
2. Right-click the policy and select Edit to open the Group Policy Management Editor.
Select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key
Policies\Encrypting File System in the console tree, as shown in Figure 2-33.
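
Because every recovery agent can decrypt EFS-protected files in the scope of the policy, it is worth checking which agents a computer has actually received. The following PowerShell is an added example, not from the original text; the registry path and the one-subkey-per-thumbprint layout are assumptions about where the applied policy is stored, and the approved thumbprint is a constructed placeholder.

```powershell
# Added example (not from the original text). Audits which EFS data recovery
# agent (DRA) certificates Group Policy has applied to this computer.
# Assumption: the applied EFS recovery policy is stored under the path below,
# with one subkey per certificate, named by the certificate thumbprint.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

# Constructed placeholder: replace with the thumbprints of the agents you approved.
$ApprovedThumbprints = @('0000000000000000000000000000000000000000')

function Get-EfsRecoveryAgentThumbprint {
    param([string]$Path = $PolicyKey)
    # No key means no recovery policy has been applied to this computer.
    if (-not (Test-Path -Path $Path)) { return }
    Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}

function Compare-EfsRecoveryAgent {
    param([string[]]$Applied = @(), [string[]]$Approved = @())
    $approvedSet = @($Approved | ForEach-Object { $_.ToUpperInvariant() })
    [pscustomobject]@{
        # Applied by policy but not on the approved list: investigate these first.
        Unexpected = @($Applied | Where-Object { $_ -notin $approvedSet })
        # Approved but not applied: the GPO has not reached this computer.
        Missing    = @($approvedSet | Where-Object { $_ -notin $Applied })
    }
}

$applied = @(Get-EfsRecoveryAgentThumbprint)
$result  = Compare-EfsRecoveryAgent -Applied $applied -Approved $ApprovedThumbprints

if ($applied.Count -eq 0) {
    Write-Warning 'No EFS recovery agent is applied by policy on this computer.'
}
foreach ($thumbprint in $result.Unexpected) {
    Write-Warning "Unapproved EFS recovery agent certificate: $thumbprint"
}
foreach ($thumbprint in $result.Missing) {
    Write-Warning "Approved EFS recovery agent not applied: $thumbprint"
}
if ($applied.Count -gt 0 -and -not $result.Unexpected -and -not $result.Missing) {
    Write-Output 'EFS recovery agents match the approved list.'
}
```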
 
 