Get more device control flexibility with BitLocker settings in Defender for Endpoint

With hybrid work here to stay and data-centric cyberattacks on the rise, safeguarding sensitive information is critical to every security strategy. While data loss prevention (DLP) is often considered for cloud locations, managing removable devices such as USB drives is equally important, to help ensure that data at rest stays protected and that the integrity and confidentiality of sensitive information is maintained.

We're excited to announce that Defender for Endpoint device control support for BitLocker is now in public preview. This new feature gives security admins more granular control through policy exceptions for BitLocker-encrypted devices.

Comprehensive management of removable devices

BitLocker encryption has long been recognized for its ability to protect data on devices by encrypting the entire drive, ensuring that data remains inaccessible to unauthorized users. With BitLocker device control, organizations can now combine their Defender for Endpoint policies with BitLocker's best-in-class encryption for a comprehensive way to manage access to removable storage based on the BitLocker encryption state.

This flexibility allows administrators to require BitLocker encryption, and then manage exceptions for other trusted devices and users.

Figure 1: Encryption state device control

Figure 1 shows device control with a new descriptor ID called DeviceEncryptionStateId, which includes or excludes devices in rules by encryption state (BitlockerEncrypted or Plain). This descriptor ID can be added to groups that are managed via Intune (OMA-URI) or

Setting up device control

Setting up device control with an approved list can be done with three rules:

  1. Allow unencrypted removable media devices read-only access – applies to all removable media devices except the BitLocker-encrypted devices and the unencrypted devices that are specifically added as exceptions
  2. Allow unencrypted removable media devices with an exception full access – applies to the allowed unencrypted devices
  3. Allow BitLocker-encrypted removable media full device access – applies to all BitLocker-encrypted devices
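
As an added example (not from the original post), the three rules above expressed in the device control XML that is deployed through the Intune OMA-URI settings: one groups document and one rules document. The GUIDs and the serial number are placeholders, and the exception group is assumed to be matched on the drive's serial number.

```xml
<!-- Added example, not from the original post. Deployed as two XML documents
     (groups first, then rules). GUIDs and the serial number are placeholders. -->
<Groups>
  <Group Id="{a1000000-0000-4000-8000-000000000001}" Type="Device">
    <Name>All removable media</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
  </Group>
  <Group Id="{a1000000-0000-4000-8000-000000000002}" Type="Device">
    <Name>BitLocker-encrypted removable media (the Green USB)</Name>
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <DeviceEncryptionStateId>BitlockerEncrypted</DeviceEncryptionStateId>
    </DescriptorIdList>
  </Group>
  <Group Id="{a1000000-0000-4000-8000-000000000003}" Type="Device">
    <Name>Approved unencrypted exceptions (the Blue USB)</Name>
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <DeviceEncryptionStateId>Plain</DeviceEncryptionStateId>
      <SerialNumberId>PLACEHOLDER_BLUE_USB_SERIAL</SerialNumberId>
    </DescriptorIdList>
  </Group>
</Groups>
<PolicyRules>
  <!-- Rule 1: everything else (the Red USB) is read-only; denied writes are audited
       (Options 3 = notify the user and send the event that shows up in Advanced Hunting). -->
  <PolicyRule Id="{b1000000-0000-4000-8000-000000000001}">
    <Name>Unencrypted removable media: read only</Name>
    <IncludedIdList><GroupId>{a1000000-0000-4000-8000-000000000001}</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>{a1000000-0000-4000-8000-000000000002}</GroupId><GroupId>{a1000000-0000-4000-8000-000000000003}</GroupId></ExcludedIdList>
    <!-- AccessMask bits: Read 1, Write 2, Execute 4, FileRead 8, FileWrite 16, FileExecute 32 -->
    <Entry Id="{c1000000-0000-4000-8000-000000000001}"><Type>Allow</Type><Options>0</Options><AccessMask>9</AccessMask></Entry>
    <Entry Id="{c1000000-0000-4000-8000-000000000002}"><Type>Deny</Type><Options>0</Options><AccessMask>54</AccessMask></Entry>
    <Entry Id="{c1000000-0000-4000-8000-000000000003}"><Type>AuditDenied</Type><Options>3</Options><AccessMask>54</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 2: the approved unencrypted exceptions get full access -->
  <PolicyRule Id="{b1000000-0000-4000-8000-000000000002}">
    <Name>Approved unencrypted removable media: full access</Name>
    <IncludedIdList><GroupId>{a1000000-0000-4000-8000-000000000003}</GroupId></IncludedIdList>
    <Entry Id="{c1000000-0000-4000-8000-000000000004}"><Type>Allow</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 3: BitLocker-encrypted removable media gets full access -->
  <PolicyRule Id="{b1000000-0000-4000-8000-000000000003}">
    <Name>BitLocker-encrypted removable media: full access</Name>
    <IncludedIdList><GroupId>{a1000000-0000-4000-8000-000000000002}</GroupId></IncludedIdList>
    <Entry Id="{c1000000-0000-4000-8000-000000000005}"><Type>Allow</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
  </PolicyRule>
</PolicyRules>
```

Because the encrypted and approved groups are excluded from rule 1, a drive that is BitLocker-encrypted or on the exception list is only evaluated against rules 2 and 3, which is what makes the Green and Blue USBs get full access while the Red USB stays read-only.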


Figure 2: Approved devices configuration

The policy can be tested by using three different removable media devices:

  • Green USB (BitLocker encrypted)
  • Blue USB (unencrypted, but granted full access)
  • Red USB (read-only)

Figure 3: Approved devices configuration

Figures 3 and 4 show that when device control blocks access and an audit rule is defined, a ReusableStorageAcessTrigger event is created, which is visible in Advanced Hunting.

Figure 4: Results when a Green USB, Blue USB, and Red USB are inserted

End user experience

A notification is also sent to the end user to make them aware of the blocked access.

Figure 5: Notification to the device owner

Comprehensive endpoint security

The release of BitLocker device control combines the policy enforcement capabilities of Defender for Endpoint with the robust encryption of BitLocker, and gives admins new flexibility in device control to use BitLocker-encrypted devices at scale.

Get more information:


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.