This policy setting configures whether the computer will be able to write data to BitLocker-protected removable drives that were configured in another organization. The recommended state for this setting is: Enabled: False (unchecked). Rationale: Restricting write access to BitLocker-protected removable drives that were configured in another organization can hinder legitimate business operations where encrypted data sharing is necessary. Impact: None - this is the default behavior.
To establish the recommended configuration, set the following Device Configuration Policy to Do not allow write access to devices configured in another organization (unchecked): To access the Device Configuration Policy from the Intune Home page: Click Devices Click Configuration profiles Click Create profile Select the platform (Windows 10 and later) Select the profile (Administrative Templates) Click Create Enter a Name Click Next Configure the following Setting Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Removable Data Drives Setting Name: Deny write access to removable drives not protected by BitLocker Configuration: Enabled Select OK Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.) Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy. Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings. Default Value: Enabled: False (unchecked). (Write access will be permitted to BitLocker-protected removable drives that were configured in another organization.)