In this post we will discuss about ways to protect corporate data, prevent save to removable media and ensure proper encryption of those using BitLocker.
Corporate data are very important and it is crucial to protect them. Many users use USB drives to store and move their data from one machine to another. In order to protect those corporate data we may need to deny (or limit) data transfer to external storage media. To achieve this on Intune managed devices we can create a configuration profile that blocks these kind of actions. Another approach would be to allow USB usage but only when the device is encrypted. We will discuss both of these approaches.
Table of Contents
Block USB usage (Configuration Profile)
We can block the transfer of data to external USB storage by creating a configuration profile in Intune. First head to Intune and Configuration profiles and create a new one. Choose “Windows 10 and later” as the Platform and “Settings Catalog” in the Profile Type.
Give a name and a description to your profile.
Now in the Settings Catalog choose “Add settings” and search for “removable storage access”. This search will fetch all the settings related to external storage media.
As you can see here we have many settings related to removable media. We can deny access to all removable storage, deny read or write access to specific media only etc.. The one that fulfills our requirement is the first one, that will deny all access.
Assign the profile to the desired groups and create it. Wait for the policy to be assigned to your endpoints and verify the behavior.
As you can see below when a USB device is connected to a device that has the above policy assigned, the access to it is denied automatically.
If we try to open the removable media, we get the below message.
! Tip
A very good approach here is to have a specific group that you will use to exclude devices that may require for a specific business reason to transfer data to USB media. Create an Azure AD group that will have those devices as its members and assign it to the exclude section of the configuration profile.
Enforce Encryption of removable storage
Another approach is to allow file transfer but only to encrypted external USB media. We can enforce encryption of removable media via Intune in order to allow users to move data to them and ensure that data are stored in an encrypted storage.
To do the above we have to create a Disk Encryption profile. Create a new Policy and select BitLocker as profile type.
Give a name and a description to the profile and move forward.
Here we have 2 options. The first one is is choose various settings from the Administrative Templates and the second one is to choose specific settings for BitLocker. The settings related to the removable devices are under Administrative Templates.
The 2 below settings allow us to require an encrypted storage media in order to save file there.
After selecting the settings, assign the profile to the desired group and then create the profile.
Now every time a user plugs a removable device to a device assigned to this policy, a message to encrypt the drive in order to be able to save files there will be shown.
Let’s see the end user experience. We suppose that we have an end user that wants to save files from their managed device to a USB drive. The user connects the USB to the device and the following message is prompted.
If the user does not select to encrypt the device, they will be only able to see the context and the files of the USB, but not allowed to save any files there.
To be able to save files the user must encrypt the device. When the user selected to encrypt the device using BitLocker, the encryption process will start.
References and documentation:
- BitLocker CSP
- Manage BitLocker policy for Windows devices with Intune
- Disk encryption policy settings for endpoint security in Intune
Check the below posts to find out more on how to protect you data and devices: