Disable USB require BitLocker encryption

Jon Mercer 991 Reputation points
2023-09-28T18:27:42.95+00:00

At some point I set up Intune to require USB drives to be BitLocker encrypted but I can't find where I did that, and in all the places documentation has sent me, the policy is not there. I am guessing at some point in the past I had enabled this and then disabled it later, months ago, and forgot about it.


In one article I saw a mention that makes it look like even if I had removed the requirement a registry change had been made. If this is true, where would the key be to change it to not be required? I am running Windows 10 Enterprise.

Doesn't look like it can be done from what I have seen and read, but is there a way to have an encrypted BitLocker USB auto-unlock in the system it was bitlockered? Don't want to deal with passwords.


2 answers

  1. Jon Mercer 991 Reputation points
    2023-10-02T15:21:38.86+00:00

    Do I need to add the key and if so, is it just a DWord or something else? I don't see PreventDeviceEncryption as an option.

    Just to ask, this won't cause the main workstation to lose encryption?


    1 person found this answer helpful.

  2. Crystal-MSFT 48,766 Reputation points Microsoft Vendor
    2023-09-29T02:52:19.51+00:00

    @Jon Mercer, Thanks for posting in Q&A. Yes, your understanding is correct. In fact, Intune settings are based on the Windows configuration service providers (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, also called tattooing.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#a-profile-is-deleted-or-no-longer-applicable

    For the BitLocker setting, it is tattooing.

    To disable the requirement for USB drives to be BitLocker encrypted, you can check the registry key PreventDeviceEncryption. You can update the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker registry key and set the value of PreventDeviceEncryption to False. This should disable the requirement for USB drives to be BitLocker encrypted.

    If the USB is already encrypted, to disable it, you need to turn off BitLocker. But you have your BitLocker PIN or password entered to decrypt the USB drive. And I don't find the method to auto-lock it. So I think you still need to ask the end user to enter their BitLocker password or PIN.

    https://recoverit.wondershare.com/harddrive-recovery/how-to-disable-bitlocker-windows-10.html

    Note: non-Microsoft link, just for the reference.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
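
Added example (not part of either post, and not Microsoft's code): a read-only PowerShell check, run from an elevated session, that reports whether the registry value named in the answer exists and what type it has, together with the BitLocker state of every volume so the OS drive's protection can be confirmed before and after any change. The two `FVE` policy values are an assumption that does not come from this thread; they are the values written by the Group Policy setting "Deny write access to removable drives not protected by BitLocker".

```powershell
# Added example: read-only audit of removable-drive BitLocker settings
# that may have been left behind ("tattooed") in the registry.
# Nothing here writes to the registry or changes BitLocker state.

$checks = @(
    # Key and value named in the answer above.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'; Name = 'PreventDeviceEncryption' },
    # Assumption (not from the thread): values set by the policy
    # "Deny write access to removable drives not protected by BitLocker".
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'; Name = 'RDVDenyWriteAccess' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'RDVDenyCrossOrg' }
)

$report = foreach ($c in $checks) {
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if (-not $key) {
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; State = 'key missing'; Kind = $null; Data = $null }
    }
    elseif ($key.GetValueNames() -notcontains $c.Name) {
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; State = 'value missing'; Kind = $null; Data = $null }
    }
    else {
        [pscustomobject]@{
            Path  = $c.Path
            Name  = $c.Name
            State = 'present'
            Kind  = $key.GetValueKind($c.Name)   # registry type, e.g. DWord or String
            Data  = $key.GetValue($c.Name)
        }
    }
}
$report | Format-Table -AutoSize

# Encryption and protection state per volume, including the OS drive.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled |
    Format-Table -AutoSize
```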

