How to create a BitLocker policy to exclude a specific USB model from encryption




BitLocker is Microsoft's well-known feature for securing drives by encrypting them, using one of several encryption methods.

It is not a new method; it has been around since SCCM, and when Intune was introduced it became available on the cloud side as well. The new policy focuses on TPM 2.0, which has become mandatory for Windows 11.

There are many fantastic blogs in our community about BitLocker details, and Microsoft has documented it well, so I will go over the configuration very quickly, because this post is about USB encryption.

How to configure BitLocker Policy:-

You can do it in different ways: by configuring a new policy under ‘Devices’, or from ‘Endpoint Security’. I personally prefer the 2nd way.


Endpoint Security > Device encryption > Create a new policy, then select Windows and BitLocker.



Configuration settings:-

These settings have many submenus (I am configuring Entra join; your selection may be different, such as AD or both, as it was in my case).

BitLocker:





BitLocker Drive Encryption: I used the highest and most secure method, 256-bit; please check the Microsoft documentation for the method that best fits your environment.



Operating System Drives: This section has many settings, so please take your time to go through it.






Fixed Data Drives







Removable Data Drives



Now the encryption has started as expected.


Now to our focus point. This setting encrypts every drive on the computer, including removable drives such as USB sticks. The customer’s security team was looking for a setting to exclude a specific USB model they want to keep using without it being encrypted.

Unfortunately, there is no such setting in the Intune BitLocker policy. However, after extensive research, I found that a Configuration Service Provider (CSP) setting can do it.

Here is how to configure it:-

Create a new policy > Windows 10 and later > Templates > Custom


After you name the policy, configure the custom setting as follows:

Name: Give it a name, I name it ‘USE Drives Excluded From Encryption’

Description: As you wish.

OMA-URI: ./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption

Data type: String

Value: USBSTOR\DiskPNY_____USB_2.0_FD______PMAP


Now, let me explain the CSP custom policy:

- This is a Device policy, NOT a User policy, so make sure you target devices, not users.

- The Value depends on your USB type and model; you get this information from Computer Management > USB > Properties > Details > Hardware Ids.


In my case, I used a ‘PNY’ USB stick. As you can see, there are many values listed. What you need to understand is that, according to my testing, these values behave differently, for example:

Value: USBSTOR\DiskPNY_____USB_2.0_FD______PMAP. This value targets a very specific model and firmware; it is the one I used.


Value: USBSTOR\DiskPNY_____USB_2.0_FD______. This value covers the broader PNY USB_2.0_FD model family, regardless of firmware.

Value: USBSTOR\DiskPNY_____. This value is not ideal because it is too broad: it could include all PNY models, as well as other values like PNY_____USB_2.0_FD______P, USBSTOR\GenDisk, and GenDisk. The last two could include any USB device.

Value: USBSTOR\PNY_____USB_2.0_FD______P and PNY_____USB_2.0_FD______P. These two values did not work in my test; they appear to be invalid values.


You can also specify multiple values separated by commas. This setting was approved, as the customer had requested, and we successfully excluded their specific USB model and firmware from the Drive Encryption prompt.
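Before deploying the custom policy, it is worth checking how wide the exclusion actually is. The following PowerShell script is an added example, not code from the original post: it reads the same hardware IDs you would find under Computer Management > Properties > Details > Hardware Ids, then reports which of the comma-separated entries in your OMA-URI Value would cover each attached USB disk. It assumes the CSP treats each entry as a prefix of a device's hardware ID; that assumption is consistent with the results described above (a shorter value covers more devices, and a value that is not the start of any hardware ID, such as USBSTOR\PNY_____USB_2.0_FD______P, matches nothing), but it is an assumption, so confirm on a test device before relying on it. The cmdlets used (Get-PnpDevice, Get-PnpDeviceProperty) are built into Windows.

```powershell
# Added example (not from the original post): preview which attached USB disks a
# RemovableDrivesExcludedFromEncryption value would cover before you deploy it.
# ASSUMPTION: each comma-separated entry is matched as a prefix of the device's
# hardware IDs. This fits the author's test results but is not documented here.
param(
    # Same comma-separated string you would enter in the OMA-URI 'Value' field.
    [string]$PolicyValue = 'USBSTOR\DiskPNY_____USB_2.0_FD______PMAP'
)

# Split the policy value exactly as Intune would receive it, dropping empty entries.
$patterns = $PolicyValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Enumerate currently present disk-class PnP devices.
$disks = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue

foreach ($disk in $disks) {
    # DEVPKEY_Device_HardwareIds is the property shown as "Hardware Ids" in Device Manager.
    $hwIds = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
                  -KeyName 'DEVPKEY_Device_HardwareIds').Data

    # Only USB storage is relevant to the removable-drive setting; skip internal disks.
    if (-not ($hwIds | Where-Object { $_ -like 'USBSTOR\*' })) { continue }

    # Collect every policy entry that is a (case-insensitive) prefix of some hardware ID.
    $matched = foreach ($p in $patterns) {
        if ($hwIds | Where-Object { $_.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase) }) { $p }
    }

    [pscustomobject]@{
        FriendlyName = $disk.FriendlyName
        HardwareIds  = ($hwIds -join '; ')
        MatchedBy    = if ($matched) { $matched -join ', ' } else { '(none - drive will be encrypted)' }
    }
}
```

Run it as `.\Test-UsbExclusion.ps1 -PolicyValue 'USBSTOR\DiskPNY_____USB_2.0_FD______PMAP,USBSTOR\DiskOtherVendor_____'` (hypothetical file name and second entry) with the USB stick plugged in. A device that shows `(none - drive will be encrypted)` is outside the exclusion; a broad entry such as USBSTOR\DiskPNY_____ will show up in MatchedBy for every PNY model, which is exactly the over-broad behaviour the post warns about.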



I hope this helps with your issue, and thank you for reading.


References:

BitLocker Overview | Microsoft Learn

BitLocker CSP | Microsoft Learn
