Excluding removable USB-drives from automatic encryption

This week a short blog post to address a scenario that’s been challenging for a while. That scenario is around removable USB-drives and automatic encryption. When organizations have configured that removable drives require encryption, that introduces challenges with storage built into specialized devices like video cameras, voice recorders, conferencing systems, medical devices and many more. That would also require that type of storage to be required, when read access wasn’t sufficient. That, however, would often cause more problems than solutions. To address that challenge, Microsoft has introduced a new policy. That policy can be used to create an exclusion list of devices for which the user will not be prompted for encryption. Even when encryption of removable drives is required. This post will introduce that new policy setting and will walk through the configuration of that policy setting. This post will end with the user experience.

Note: The configuration to require encryption of removable drives is referring to using the RemovableDrivesRequireEncryption policy setting when using MDM, or to using the Deny write access to removable drives not protected by BitLocker when using Group Policy.

Important: This post relies on functionality that is at the moment of writing only available in Windows 11 Insider Preview Builds in the Dev Channel. Setting is available starting with Windows 11 Insider Preview Build 22579.

Creating custom device configuration policy to exclude removable drives

Starting with Windows 11 Insider Preview Build 22579, Microsoft introduced a new policy setting as part of the BitLocker CSP. That new policy setting is RemovableDrivesExcludedFromEncryption. A nice self explanatory setting that can be used exclude removable drives from the encryption requirement. That setting requires a String data type value of the Hardware ID of the removable drive. The Hardware ID can be found in the Details tab in the Properties of a device in the Device Manager. When multiple drives should be listed, the different values can be separated by a comma. The following nine steps walk through the process of adding this new policy setting in Microsoft Intune and distributing it to Windows 11 devices.

1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices > Windows > Configuration profiles
2. On the Windows | Configuration profiles blade, click Create profile to open the Create a profile page
3. On the Create a profile page, provide the following information and click Create

• Platform: Select Windows 10 and later as value
• Profile type: Select Templates as value
• Template name: Select Custom as value

4. On the Basics page, provide a unique Name to distinguish the profile from other custom profiles and click Next
5. On the Configuration settings page (as shown below in Figure 1), click Add to open the Add Row page. On the Add Row page, provide the following information and click Add (and click Next back on the Configuration settings page)

• Name: Provide a valid name for the OMA-URI setting as value
• Description: (Optional) Provide a valid description for the OMA-URI setting as value
• OMA-URI: Provide ./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption as value
• Data type: Select String as value
• Value: Provide the HardwareID of the USB-drive as value

Note: The configuration in Figure 1 is using the Hardware ID of a SanDisk removable USB-drive as an example.

6. On the Scope tags page, configure the applicable scopes and click Next
7. On the Assignments page, configure the assignment and click Next
8. On the Applicability rules page, configure the applicability rules (think about the existence of this setting for only the specific Windows Insider build and later) and click Next
9. On the Review + create page, verify the configuration and click Create

Note: The expectation is that this policy setting will, in time, become directly configurable within the Microsoft Endpoint Manager admin center, as part of one of the existing configuration templates (or the Settings Catalog).

User experience with excluded removable drives

When looking at the user experience, the most important part is that the removable USB-drive works for the user. That can be shown by physically insertting a removable USB-drive in to the device. That, however, is impossible to show in a screenshot. What can be shown is a succesful exclusion in the Event Viewer. The System log contains Event ID 24701 that provides information about the exclusion, once the user inserts the removable USB-drive. That event revers to the volume (as shown with number 1 and 3 in Figure 2) and the specific Hardware ID (as shown with number 2 in Figure 2). The Hardware ID relates to the configured Hardware ID in the created configuration.

More information

For more information about the new setting to exclude removable USB-drives, refer to the following docs.

• Announcing Windows 11 Insider Preview Build 22579 | Windows Insider Blog
• Hardware ID – Windows drivers | Microsoft Docs