Information
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
The recommended state for this setting is: Enabled.
Rationale:
Users may not voluntarily encrypt removable drives prior to saving important data to the drive.
Impact:
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Removable Data Drives
Setting Name: Deny write access to removable drives not protected by BitLocker
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (e.g. Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.
Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings.
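The following audit script is an added example, not part of the benchmark text or the Intune profile above. It assumes that the Group Policy setting is backed by the registry value RDVDenyWriteAccess under HKLM:\SOFTWARE\Policies\Microsoft\FVE (1 = Enabled) and that the BitLocker PowerShell module is available, and it reports which currently attached removable volumes would be mounted read-only once the policy applies.

```powershell
# Audit helper (added example). Assumption: the GP/Intune setting
# "Deny write access to removable drives not protected by BitLocker"
# is stored as the DWORD RDVDenyWriteAccess in the FVE policy key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyName = 'RDVDenyWriteAccess'

function Test-RemovableDriveWritePolicy {
    # Read the policy value; a missing value means the default (Disabled).
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName
    $enforced = ($value -eq 1)

    # Enumerate removable volumes that have a drive letter.
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    $drives = foreach ($vol in $removable) {
        $mountPoint = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
        # Treat a volume with no BitLocker metadata, or one that is fully
        # decrypted, as "not BitLocker-protected" (approximation of the
        # check the policy performs at mount time).
        $protected = $bl -and ($bl.VolumeStatus -ne 'FullyDecrypted')
        [pscustomobject]@{
            Drive            = $mountPoint
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'NoBitLocker' }
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Off' }
            WouldBeReadOnly  = $enforced -and -not $protected
        }
    }

    [pscustomobject]@{
        PolicyValue = $value
        Compliant   = $enforced   # Enabled is the recommended state
        Drives      = $drives
    }
}

$result = Test-RemovableDriveWritePolicy
$result | Select-Object PolicyValue, Compliant | Format-List
$result.Drives | Format-Table -AutoSize
```

Run in an elevated PowerShell session; Compliant is $false when the value is absent or 0, matching the Disabled default described below.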
Default Value:
Disabled. (All removable data drives on the computer will be mounted with read and write access.)