Configure removable devices
Removable devices such as USB flash drives and Secure Digital High-Capacity (SDHC) memory cards are common and can offer portability benefits but also pose a potential threat to data security and loss. In this section, you learn how to prepare removable devices for use, protect the data if the drive is lost or stolen, and restrict access to portable drives.
Format removable devices
You can format removable devices in the same way as you can configure hard drives. All drives without a file format, or that have one that Windows 10 doesn't understand, are considered RAW. To use the drive, first format the drive. If you insert an unformatted drive in your USB port, Windows prompts you to format the drive. Depending on the size of your drive, you can format the drive using the FAT, FAT32 (default), NTFS, or exFat file format, using the format wizard. Be mindful when formatting a USB drive because, when you perform a quick format, the drive is not checked for errors. Although this is quicker, the system won't mark bad sectors on the drive, and this can lead to data integrity problems later on.
For drives larger than 32 GB, the exFat is a good general-purpose format; it handles files larger than 4 GB and optimizes the drive space well. For smaller drives, the FAT32 is best because it is compatible with virtually all operating systems and is fast.
You should format using NTFS if you are seeking advanced functionality such as file compression, permissions on individual files and folders, and file encryption using EFS.
Note: RAW
A drive listed with RAW as the file system type can still contain data. If the drive has been formatted with a file format Windows 10 doesn't use, the operating system automatically assigns the RAW file system driver to the volume and displays a dialog box for you to format the drive. Label thumb drives, especially when they are used with various devices.
Secure removable devices
Data stored on USB flash drives is inherently insecure and should be protected. This can be achieved by using NTFS permissions, encrypted using EFS, or by using BitLocker encryption. The most appropriate of these methods in an enterprise scenario is likely to be using BitLocker To Go because users understand it easily, and you can manage and configure the feature by using Group Policy.
BitLocker To Go is not designed to replace EFS or NTFS permissions; it adds an additional layer of security and protection on removable drives, including SDHC cards, USB flash drives, and external hard disk drives. BitLocker To Go is available in the Pro, Enterprise, and Education editions of Windows 10 only.
When encrypting removable media with BitLocker To Go, you have two options.
- Encrypt used disk space only Encrypts only the part of the drive that currently has data stored on it. This is quicker and appropriate in most cases.
- Encrypt entire drive Encrypts the full volume, including areas that contain no data, which takes longer to complete.
Note: BitLocker To Go requirements
To encrypt a removable drive by using BitLocker To Go, the drive must be formatted with NTFS, Fat16, FAT32, or exFat file system and have at least 64 MB of available space. BitLocker To Go does not require use of a Trusted Platform Module (TPM) chip.
To enable BitLocker Drive Encryption on a removable drive, perform the following steps.
- Insert a USB drive into your computer.
- Open File Explorer and right-click the USB drive in the left pane.
- Select Turn On BitLocker from the context menu.
The Starting BitLocker Wizard appears and initializes the drive. - On the Choose How You Want To Unlock This Drive page, choose Use A Password To Unlock The Drive.
- In the Enter Your Password and Reenter Your Password boxes, type a password and click Next.
- On the How Do You Want To Back Up Your Recovery Key page, click Save To A File.
- In the Save BitLocker Recovery Key As dialog box, select This PC\Documents.
- In the Save BitLocker Recovery Key As dialog box, click Save and then click Next.
- On the Choose How Much Of Your Drive To Encrypt page, click Encrypt Used Disk Space Only (Faster And Best For New PCs And Drives) and then click Next.
- On the Choose Which Encryption Mode To Use page, click Compatible Mode (best for drives that can be moved from this device) and click Next.
- In the Are You Ready To Encrypt This Drive page, click Start Encrypting.
During the encryption process, the BitLocker Drive Encryption Wizard shows the encryption progress on the taskbar. The process can take some time to complete and can be paused at any time by clicking the Pause button on the BitLocker Drive Encryption dialog box.
When the encryption has completed, BitLocker is fully enabled on the removable drive. If you eject the USB drive and then insert the drive back into your PC or another computer, Windows 10 prompts you to enter the password to unlock the drive.
Restrict access to removable devices
The abundance and increasing capacity of USB flash drives enables users to store huge quantities of data and travel around with it. The drives are small and extremely portable and can easily be lost. It is essential for organizations to restrict access to removable drives for several reasons, including:
- Risk of data loss or theft.
- Spread of malware.
- Document version control.
Risk of data loss/theft
With technologies such as BitLocker To Go, it is possible to ensure that all data stored on removable drives is encrypted, which helps prevent against data theft by an external user accessing the data contained on the removable drive. Because of their size and low value, removable drives are lost on a regular basis both inside the office or home and off premises. If an unauthorized person finds the drive and can access sensitive data, they could publish, sell, or use it illegally. It is therefore advantageous (and in some instances a legal requirement) for data to be inaccessible to unauthorized users.
You can configure Group Policy to help prevent users from saving or copying data to any removable drives that are not encrypted by BitLocker. There are three policy settings located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives, and they are described in Table below. These settings are useful when you need to enforce the use of BitLocker encryption on USB storage devices.
Group Policy Setting Policy description Deny Write Access to Removeable You can configure whether BitLocker Drive not Protected by BitLocker protection is require for a computer to write data to removable data drive. Control use of BitLocker on Control the use of BitLocker on Removeable Drives removable data drives, including whether users can apply BitLocker protection to their removable drives. Enforce Drive Encryption Type on With this policy setting, you can Removeable Data Drives configure the encryption type that BitLocker uses on removable drives, either full encryption or used-space-only encryption.