Need to create exception policy to USB for read/ Write access without encryption

Question

Need to create exception policy to USB for read/ Write access without encryption

TechUST 601

Hi Expert,

In my environment i have created disk encryption policy for all autopilot devices and assigned to group.

Configured - (BitLocker base setting, BitLocker fixed drive setting, BitLocker OS drive setting & BitLocker removal drive setting.)

As per current encryption policy setting for removal drive - USB drive can't access for autopilot devices also removal drive getting encrypted. 1000035820

Requirement- I need exception policy for few users to read/Write access for USB drive without encryption. I tried to create another disk encryption policy and keep all setting same except removal drive (tried to set BitLocker removal drive setting not configured) but getting error " (Encryption method setting for all drive type must have configured or all drive type must be not configured) "

Is there any way that i can create policy or other method to create exception for removal drive for USB read/write access without encryption. so that i can create group and assign exception policy on that and exclude that group from current disk encryption policy but i need to keep all encryption drive setting except removal drive encryption setting on exception devices.

1 answer

Your answer

Answer 1

Crystal-MSFT 53,981 Microsoft External Staff

@TechUST, Thanks for posting in Q&A. To create an exception policy for USB read/write access without encryption, you can create a separate policy for the group of the Autopilot devices. In the policy, you can configure the BitLocker removal drive setting to "Not configured". For other drives, configure the setting you want as the previous policy.

And also add the Autopilot device group under exclude of the previous policy.

User's image

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

TechUST 601 Reputation points

2023-10-17T04:03:05.93+00:00

Hi, Thanks for reply. I tried to create separate policy for usb read write without encryption ( tried to configure BitLocker removal drive setting to "Not configured) and i keep the all settings as the previous policy but getting error while i click next to create the policy. (Encryption method setting for all drive type must have configured or all drive type must be not configured) " Can you please test this scenario in your test environment.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-17T05:21:05.63+00:00

@TechUST, Thanks for the reply. Could you get screen shots of the configuration settings? I will test to see if I can create in my environment.
TechUST 601 Reputation points

2023-10-17T05:51:14.05+00:00

Hi please find.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-17T06:16:35.8733333+00:00

@TechUST, Thanks for the reply. Based on my checking in my environment, I find it seems the setting in disk encryption under Endpoint Security has updated.

Could you confirm if we configure it under endpoint Security? If we create a new policy, will the result be different?
TechUST 601 Reputation points

2023-10-17T07:40:11.35+00:00

Yes current policy configured under disk encryption. And I tried to configure new policy for exception in disk encryption. But getting error -usb read/write without encryption. You can test with disk encryption policy.(Encryption method setting for all drive type must have configured or all drive type must be not configured) " I created duplicate policy with current disk encryption policy and tried to configure removable "not configured" but getting same error.
TechUST 601 Reputation points

2023-10-17T11:06:01.1066667+00:00

Hi' can you please share screenshot for exception policy if you tested. I will test in my environment
TechUST 601 Reputation points

2023-10-17T13:43:14.5366667+00:00

Yes it's seems settings has updated under disk encryption. Can you please create new policy based on my current policy and share screenshot.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-18T02:29:08.9533333+00:00

@TechUST, Thanks for the reply. Here is the policy I set which the removable Data Drive as not configure which other drives set as below:
TechUST 601 Reputation points

2023-10-18T04:30:41.58+00:00

Thanks for reply, yesterday i tried to configure policy and set configurations for all drive but when i deploy the policy there are lots conflict. Can you compare with policy which I have shared screenshot and set policy for all drive similarly as old one. And please share screenshot
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-18T05:18:40.8166667+00:00

@TechUST, Thanks for the reply. To check which policy setting conflict, we can choose one device and check the per setting status to see which policy is conflict

https://learn.microsoft.com/en-us/mem/intune/fundamentals/reports#per-setting-status-report-operational
TechUST 601 Reputation points

2023-10-18T06:28:50.25+00:00

Hi, thanks for sharing article. Is there possibility if you can share screenshot of all drive policy as similar as what i shared screenshot.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-18T07:16:23.9566667+00:00

@TechUST, Thanks for the reply. Did you mean the screen shots as below:
TechUST 601 Reputation points

2023-10-18T15:51:16.9666667+00:00

Yes this screenshot but I need configurations all drive as similar in the previous policy which is configured in my environment even i have shared screenshot. Because disk encryption policy settings updated I am quite confused so please compare with my screenshot for the old policy settings and configure the policy and share the screenshot
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-19T07:10:17.11+00:00

@TechUST, Thanks for posting in Q&A. After comparing the configuration with the previous setting with the new ones. Here is the policy setting I think for you
TechUST 601 Reputation points

2023-10-22T11:12:19.5133333+00:00

Hi, thanks for sharing snapshot. Already configured intune disk encryption policy and deploy on "A" group (production group) also created USB exception disk encryption policy as per your snapshot configuration and deployed on " B" group (exception group). B group devices are also part of "A" group so I have excluded "B" group from 1st disk encryption policy. But I can see both policies are appearing as success for "B" group devices under device configuration. Please help. I have done sync also it's been 3 days but reflecting both policies under device configuration i am not sur why old policy getting appeared even exception group already excluded from old policy. Please suggest
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2023-10-23T02:38:50.03+00:00

@TechUST, Thanks for the reply. From your description, I know the exclude is not working. I suggest open case to analyze logs to get more help:

https://learn.microsoft.com/en-us/mem/get-support

Share via

Need to create exception policy to USB for read/ Write access without encryption

1 answer

Your answer