18.9.11.3.1 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

The recommended state for this setting is: Enabled.

Rationale:

Users may not voluntarily encrypt removable drives prior to saving important data to the drive.

Impact:

All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Removable Data Drives
Setting Name: Deny write access to removable drives not protected by BitLocker
Configuration: Enabled

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings.

Default Value:

Disabled. (All removable data drives on the computer will be mounted with read and write access.)

See Also

https://workbench.cisecurity.org/files/4161