BitLocker to Go - USB exception - is it possible currently within Windows 10?

  • Question

  • Hi folks

    I recently posted this question within the Intune forum but have been asked to additionally post here.  So here it is:

    I've got a question that would be great if someone can answer if this is possible or not (without 3rd party solutions e.g. achieve the below on a Windows 10 device natively via Intune)...

    Environment:
    Windows 10 Enterprise device using build 2004 and an E5 license.

    We've set up the policy within Intune via an Endpoint Protection Configuration Profile to handle the encryption for OS drives and removable data-drive etc.  All working well and when a USB device is attached, the identity using the device is prompted to either read or write to the device (write forces BitLocker encryption).  That works well.

    Now, if we have, for example, a 3rd party USB storage device that has its own native encryption and doesn't require BitLocker, would it be possible to set up a Device Restriction Configuration Profile that blocks all USB storage devices but allows this specific USB storage device to connect and access the storage via DeviceID whitelisting etc. AND bypass the current removable data-drive (USB) BitLocker policy that encrypts everything, if write access is allowed?

    Also, we have a similar scenario to the above but with a device that purely requires read-only access (e.g. Barco ClickShare device) - could we suppress the BitLocker prompt to encrypt and just automatically allow read-only?  Is this currently too granular a request on Windows 10 without 3rd party tooling?

    https://www.barco.com/en/support/knowledge-base/kb8268

    Is this currently possible between a mix of Endpoint Protection Configuration Profiles, Device Restriction Configuration Profiles and Defender ATP (Admin Templates etc.) or is this level of granularity not possible currently natively within Intune for a Windows 10 device?

    Thanks folks.


    • Edited by RDWUK Wednesday, June 17, 2020 1:21 PM
    Wednesday, June 17, 2020 1:20 PM

Answers

  • Hi.

    BitLocker and Windows-internal policies don't offer this, no.

    What Windows allows on a device-instance-ID level (targeting single, unique devices) is whether these devices are installable at all, but not how to handle them when it comes to read/write or even encryption.

    It would be advisable to use BitLocker-protected devices everywhere and not use unencrypted devices at all. These devices can be set to auto-unlock when used by certain users or on certain devices, so this would mean no additional hassle with passwords when done right.


    Thursday, June 18, 2020 6:28 AM
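The two policy surfaces the answer contrasts can be audited side by side on a Windows 10 host. The script below is an added example, not code from the thread or from Microsoft: it reads the Group Policy-backed registry locations for the BitLocker removable-drive policy (`HKLM\SOFTWARE\Policies\Microsoft\FVE`, value `RDVDenyWriteAccess`) and for Device Installation Restrictions (`...\DeviceInstall\Restrictions`, including the `AllowInstanceIDs` subkey), then pairs each USB volume with its PnP instance ID and BitLocker protection status. The point it makes visible is the one in the answer: an instance ID on the allow list only decides whether the device installs; the "deny write unless BitLocker" policy still applies to it with no per-device exception. The function names and the warning text are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run in an elevated Windows PowerShell session
# on Windows 10 with the BitLocker module present. Registry paths are the standard
# policy locations; all function names and the summary wording are this example's own.

function Get-RemovableDriveBitLockerPolicy {
    # "Deny write access to removable drives not protected by BitLocker" is stored
    # under the FVE policy key as RDVDenyWriteAccess (1 = enforced). It is global:
    # there is no per-device or per-instance-ID exception for it.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKey         = $fve
        DenyWriteUnlessBL = ($props.RDVDenyWriteAccess -eq 1)
        Scope             = 'All removable data drives (no per-device exception)'
    }
}

function Get-DeviceInstallRestrictions {
    # Device Installation Restrictions are the only built-in per-instance lever,
    # and they only decide whether a device installs at all, not how it is used.
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $allowIds = @()
    if (Test-Path "$base\AllowInstanceIDs") {
        # Allowed instance IDs are stored as numbered string values (1, 2, 3, ...).
        $allowIds = (Get-ItemProperty -Path "$base\AllowInstanceIDs").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        PolicyKey            = $base
        DenyRemovableDevices = ($props.DenyRemovableDevices -eq 1)
        DenyUnspecified      = ($props.DenyUnspecified -eq 1)
        AllowedInstanceIDs   = $allowIds
    }
}

function Get-UsbVolumeStatus {
    # Pair every lettered partition on a USB-attached disk with the disk's PnP
    # instance ID (Win32_DiskDrive.Index matches Get-Disk's Number) and its
    # BitLocker protection status.
    foreach ($disk in Get-Disk | Where-Object { $_.BusType -eq 'USB' }) {
        $pnp = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.Index -eq $disk.Number }
        foreach ($part in Get-Partition -DiskNumber $disk.Number | Where-Object { $_.DriveLetter }) {
            $mountPoint = "$($part.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
            $status = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }
            $method = if ($bl) { "$($bl.EncryptionMethod)" } else { 'None' }
            [pscustomobject]@{
                MountPoint       = $mountPoint
                InstanceId       = $pnp.PNPDeviceID
                ProtectionStatus = $status
                EncryptionMethod = $method
            }
        }
    }
}

function Show-UsbPolicyGap {
    # Report both policy surfaces, then flag any allow-listed-but-unencrypted
    # USB volume that the global BitLocker policy will still force to read-only.
    $fve = Get-RemovableDriveBitLockerPolicy
    $dev = Get-DeviceInstallRestrictions
    $fve | Format-List
    $dev | Format-List
    $volumes = @(Get-UsbVolumeStatus)
    $volumes | Format-Table -AutoSize
    foreach ($v in $volumes) {
        $allowListed = $dev.AllowedInstanceIDs -contains $v.InstanceId
        if ($fve.DenyWriteUnlessBL -and $v.ProtectionStatus -ne 'On') {
            $note = if ($allowListed) { 'it is on AllowInstanceIDs, but that only governs installation' } else { 'it is not allow-listed either' }
            Write-Warning "$($v.MountPoint) ($($v.InstanceId)) is read-only: not BitLocker-protected while RDVDenyWriteAccess=1; $note."
        }
    }
}

Show-UsbPolicyGap
```

The output makes the asymmetry concrete: the device-install side lists specific instance IDs, while the BitLocker side has a single on/off switch with no list at all, which is why a hardware-encrypted stick or a read-only device like the ClickShare cannot be carved out natively.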

All replies

  • Check this official doc for information

    How to control USB devices and other removable media using Microsoft Defender ATP

    In fact, for complex scenarios, I advise opening a support ticket with Microsoft. There are better resources there that can help you.

    https://support.microsoft.com/en-gb/hub/4343728/support-for-business

    On the forum platform we can do only so much for you; thank you for understanding and cooperating.

    Regards



    Thursday, June 18, 2020 2:31 AM
    Moderator
  • Sorry for the delay replying, Ronald, but your response is how I thought it might be.  We do currently use BitLocker and BitLocker To Go (enforced) via an Intune Configuration Profile.  I appreciate the feedback.
    Monday, June 29, 2020 11:23 PM
  • Thanks for the feedback, Teemo.  I'd already checked that article but, as Ronald indicated below, you cannot get the flexibility/granularity in respect of encryption for specific devices.

    Thanks anyway.
    Monday, June 29, 2020 11:26 PM