18.10.9.3.2 Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'

Information

This policy setting configures whether the computer will be able to write data to BitLocker-protected removable drives that were configured in another organization.

The recommended state for this setting is: Enabled: False (unchecked).

Rationale:

Restricting write access to BitLocker-protected removable drives that were configured in another organization can hinder legitimate business operations where encrypted data sharing is necessary.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Do not allow write access to devices configured in another organization (unchecked):

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Removable Data Drives
Setting Name: Deny write access to removable drives not protected by BitLocker
Configuration: Enabled: False (unchecked)

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings.

Default Value:

Enabled: False (unchecked). (Write access will be permitted to BitLocker-protected removable drives that were configured in another organization.)

See Also

https://workbench.cisecurity.org/benchmarks/14664