BitLocker To Go is Microsoft’s removable media encryption solution offered for Windows 8.1. It utilizes the same underlying disk encryption technology as BitLocker does for fixed disks but is designed to address the removable media use case. If the USB key in question is ever lost, it is protected with BitLocker To Go thus keeping the data secure.  Should the key be found by someone other than the owner, the data is still unreadable without the required PIN. This renders the data essentially useless except by an authorized user.
 
There are dozens of configuration options managed through policy objects that can be used to control BitLocker.  Details in regards to these options can be found on TechNet.
 
Most organizations need to understand how they want to implement BitLocker To Go. A good starting point is to consider the following questions:

  • Do you want to enforce the encryption of removable media or leave encryption decisions to the user’s discretion?
     
  • Do you want to prevent the reading of data from removable media not authored within the organization (E.g. read a key from a vendor, or utilize a user’s personal unencrypted key)
     
  • Do you want to prevent writing to unencrypted removable media devices?
     

The decision whether or not to encrypt removable media is usually made by the organization and not left to the discretion of the end user. If the decision is left to the end user, both training and sound judgement will be required. Ultimately there is no way to ensure or measure compliance when the decision is left to the individual user's discretion.
 

 
Typically, an organization will want to ensure compliance. This involves creating a process to centrally encrypt USB keys and have a request/authorization process for users that need to right to keys.  The scenario for USB keys is something like the following:

  1. Users can read from unencrypted USB keys (personal or from partners, vendors, etc.)
     
  2. Users are prevented from writing to unencrypted keys
     
  3. Users who need to write to a USB key go through the request and approval process.
     
  4. The Service Desk encrypts a key and delivers it along with the PIN and use instructions.
     
  5. Users are prompted for a PIN on first use of an encrypted key on a particular machine and can then write to the key
     
  6. If USB key is lost or stolen, it cannot be read except on a machine that has previously read the Key or by entering the PIN (or smartcard)
     

To implement the above scenario the following GPOs can be used as a starting point:

Group Policy

Setting

Allow users to apply BitLocker protection on removable data drives

Disabled

Allow users to suspend and decrypt BitLocker protection on removable data drives

Disabled

Do not allow write access to devices configured in another organization

Disabled

Do not install BitLocker To Go Reader on FAT formatted removable drives

Enabled

Require password for removable data drive

Enabled

Allow Data Recovery Agent

Enabled

Omit recovery options from BitLocker setup wizard

Enabled

Save BitLocker recovery information to AD DS for removable data drives

Enabled

Do not enable BitLocker until recovery information is stored in AD DS for removable data drives

Enabled

Require use of smart cards on removable data drives

Enabled

Be sure to take advantage of the Microsoft Virtual Academy to learn additional aspects of utilizing Windows-To-Go offered in Windows 8.1 to better enable your organization.