Get more device control flexibility with BitLocker settings in Defender for Endpoint
Published Jun 24 2024 02:52 PM

With hybrid work here to stay and data-centric cyberattacks on the rise, safeguarding sensitive information is critical to every security strategy. While data loss prevention (DLP) is often considered for cloud storage locations, managing removable storage devices such as USB drives is equally important, to help ensure that data at rest is encrypted and that the integrity and confidentiality of sensitive information are maintained.


We’re excited to announce that Defender for Endpoint device control support for BitLocker is now in public preview. This new feature provides security admins with more granular control through policy exceptions for BitLocker encrypted devices.


Comprehensive management of removable storage devices

BitLocker encryption has long been recognized for its ability to protect data on devices by encrypting the entire drive, ensuring that data remains inaccessible to unauthorized users. With the integration of BitLocker device control, organizations can now seamlessly integrate their Defender for Endpoint policies with BitLocker’s best-in-class encryption for a comprehensive method to manage access to removable storage based on the BitLocker encryption state.

This flexibility allows administrators to require BitLocker encryption, and then manage exceptions for other trusted devices and users.


Figure 1: Encryption state device control


Figure 1 shows device control with a new descriptor ID, DeviceEncryptionStateId, which includes or excludes devices in rules based on their encryption state (BitlockerEncrypted or Plain). This descriptor ID can be added to groups that are managed via Intune (OMA-URI) or Group Policy.




Setting up device control

Device control with an approved list can be configured with three rules:

  1. Allow unencrypted removable media devices read-only access – applies to all removable media devices except BitLocker encrypted devices and the unencrypted devices that are specifically added as exceptions
  2. Allow unencrypted removable media devices with an exception full access – applies to all unencrypted devices that have been specifically allowed
  3. Allow BitLocker encrypted removable media full device access – applies to all BitLocker encrypted devices
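As an added example that is not from the original post, here is how those three rules could be expressed in the device control policy XML using the DeviceEncryptionStateId descriptor. It assumes the standard Defender for Endpoint device control schema (groups and rules are deployed as separate XML files under Group Policy or separate OMA-URI values under Intune); the GUIDs and the VID_PID value are placeholders to replace with your own.

```xml
<!-- Constructed example: all GUIDs and the VID_PID are placeholders. Groups section (PolicyGroups): -->
<Groups>
  <!-- Group 1: every removable media device -->
  <Group Id="{00000000-0000-0000-0000-000000000001}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <!-- Group 2: removable media whose encryption state is BitLocker encrypted -->
  <Group Id="{00000000-0000-0000-0000-000000000002}" Type="Device">
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <DeviceEncryptionStateId>BitlockerEncrypted</DeviceEncryptionStateId>
    </DescriptorIdList>
  </Group>
  <!-- Group 3: approved unencrypted exceptions, identified by vendor/product id (placeholder) -->
  <Group Id="{00000000-0000-0000-0000-000000000003}" Type="Device">
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <DeviceEncryptionStateId>Plain</DeviceEncryptionStateId>
      <VID_PID>1234_5678</VID_PID>
    </DescriptorIdList>
  </Group>
</Groups>
<!-- Rules section (PolicyRules); AccessMask 9 = disk+file read, 54 = write+execute, 63 = all -->
<PolicyRules>
  <!-- Rule 1: everything not in group 2 or 3 is read only; denied writes raise a user notification and an audit event (Options 3) -->
  <PolicyRule Id="{00000000-0000-0000-0000-00000000000a}">
    <Name>Allow unencrypted removable media read only</Name>
    <IncludedIdList><GroupId>{00000000-0000-0000-0000-000000000001}</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>{00000000-0000-0000-0000-000000000002}</GroupId><GroupId>{00000000-0000-0000-0000-000000000003}</GroupId></ExcludedIdList>
    <Entry Id="{00000000-0000-0000-0000-0000000000a1}"><Type>Allow</Type><Options>0</Options><AccessMask>9</AccessMask></Entry>
    <Entry Id="{00000000-0000-0000-0000-0000000000a2}"><Type>Deny</Type><Options>0</Options><AccessMask>54</AccessMask></Entry>
    <Entry Id="{00000000-0000-0000-0000-0000000000a3}"><Type>AuditDenied</Type><Options>3</Options><AccessMask>54</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 2: approved unencrypted exceptions get full access -->
  <PolicyRule Id="{00000000-0000-0000-0000-00000000000b}">
    <Name>Allow approved unencrypted removable media full access</Name>
    <IncludedIdList><GroupId>{00000000-0000-0000-0000-000000000003}</GroupId></IncludedIdList>
    <Entry Id="{00000000-0000-0000-0000-0000000000b1}"><Type>Allow</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 3: BitLocker encrypted removable media gets full access -->
  <PolicyRule Id="{00000000-0000-0000-0000-00000000000c}">
    <Name>Allow BitLocker encrypted removable media full access</Name>
    <IncludedIdList><GroupId>{00000000-0000-0000-0000-000000000002}</GroupId></IncludedIdList>
    <Entry Id="{00000000-0000-0000-0000-0000000000c1}"><Type>Allow</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
  </PolicyRule>
</PolicyRules>
```

The AuditDenied entry on rule 1 is what produces the Advanced Hunting event and the end-user notification when a write to a non-approved unencrypted device is blocked.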


Figure 2: Approved devices configuration


The policy can be tested by using three different removable media devices:

  • Green USB (BitLocker encrypted)
  • Blue USB (unencrypted, but granted full access)
  • Red USB (read-only)

Figure 3: Approved devices configuration


Figures 3 and 4 show that when device control blocks access and an audit rule is defined, a ReusableStorageAcessTrigger event is created and is visible in Advanced Hunting.



Figure 4: Results when a Green USB, Blue USB, and Red USB are inserted



End user experience

A notification is also sent to the end-user to provide awareness.


Figure 5: Notification to the device owner



Comprehensive endpoint security
The release of BitLocker device control combines the policy enforcement capabilities of Defender for Endpoint with the robust encryption of BitLocker, and gives admins new flexibility in device control to use BitLocker encrypted devices at scale.


Get more information:
