Intune Windows security baseline disk encryption settings not visible/available to change

Al2020s 20 Reputation points
2026-02-27T19:49:05.2066667+00:00

Hello,

I set up the Intune Windows security baseline policy, but I need to disable the removable disk encryption requirement (for USB attached drives). I could not locate the disk encryption option in the security baseline policy.

If I configure a separate Disk Encryption Policy to disable encryption requirements for USB drives I am getting a conflict and it does not work.

Please advise.


4 answers

  1. Al2020s 20 Reputation points
    2026-03-03T23:28:10.1166667+00:00

    Disk encryption settings are located under Administrative Templates.


  3. Al2020s 20 Reputation points
    2026-02-27T19:55:12.36+00:00

    Really AI?

    Where is the BitLocker section in the baseline configuration???


  4. Q&A Assist
    2026-02-27T19:49:19.0533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Security baselines and standalone Disk Encryption policies are separate profiles that can both configure BitLocker, including removable drive settings. When both are assigned and try to manage the same BitLocker setting, Intune reports a conflict and the setting does not apply.

    Key points from the baseline definitions in the context:

    • Several Intune security baselines explicitly configure BitLocker removable drive policy and block write access to removable drives that are not protected by BitLocker:
      • Windows MDM baselines (August 2020, December 2020, November 2021):
        • BitLocker removable drive policy = Configure
        • Block write access to removable data-drives not protected by BitLocker = Yes
      • Microsoft Defender for Endpoint baselines (for example, March 2020, September 2020) also configure BitLocker, including full disk encryption and removable drive policy.

    Because the baseline is already enforcing “Block write access to removable data-drives not protected by BitLocker = Yes”, a separate Disk Encryption profile that tries to disable that requirement for USB drives will conflict.

    To remove the requirement for BitLocker on removable drives and avoid conflicts:

    1. Identify which baseline(s) are assigned to the affected devices (Windows MDM security baseline, Microsoft Defender for Endpoint baseline, or both).
    2. In Intune, edit that baseline profile instead of using a separate Disk Encryption profile:
      • Go to the baseline configuration and locate the BitLocker section.
      • For BitLocker removable drive policy, either:
        • Set it to Not configured, or
        • Keep it configured but change Block write access to removable data-drives not protected by BitLocker from Yes to Not configured (or the equivalent relaxed setting in that baseline version).
    3. Save and re-deploy the updated baseline. This removes the enforced block on unencrypted USB drives from the baseline itself, so there is no longer a policy conflict.
    4. If a separate Disk Encryption profile is still needed for other BitLocker settings, ensure it does not try to override the same removable-drive settings that the baseline is configuring. Prefer to manage each BitLocker area (OS, fixed, removable) from a single profile.

    If the goal is simply to stop enforcing encryption on USB drives, the most reliable approach is to relax or disable the removable drive BitLocker settings in the baseline and avoid configuring those same settings in another Disk Encryption policy.

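One way to confirm the outcome on an enrolled device after relaxing the baseline, added here as an example and not taken from any answer in the thread: this PowerShell reports the removable-drive BitLocker policy values the device currently holds and the protection state of attached removable volumes. The registry locations and the assumption that the BitLocker CSP writes the same FVE policy key as Group Policy are this example's assumptions, not documented Intune behaviour.

```powershell
# Added example: inspect what a Windows device currently enforces for BitLocker
# on removable drives. Run in an elevated PowerShell session on the device.
# Assumptions (not from the thread): the Group Policy-backed value lives at
# HKLM\SOFTWARE\Policies\Microsoft\FVE (RDVDenyWriteAccess, 1 = deny writes to
# unencrypted removable drives) and the raw MDM/CSP value under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker.

function Get-RemovableDriveBitLockerPolicy {
    $result = [ordered]@{
        GpoDenyWriteAccess   = $null   # 1 means writes to unencrypted removable drives are blocked
        MdmRequireEncryption = $null   # raw CSP value, useful to cross-check against the Intune profile
        RemovableVolumes     = @()
    }

    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $result.GpoDenyWriteAccess = (Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    }

    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (Test-Path $mdm) {
        $result.MdmRequireEncryption = (Get-ItemProperty -Path $mdm -ErrorAction SilentlyContinue).RemovableDrivesRequireEncryption
    }

    # Removable media only: find their drive letters, then ask BitLocker about each one.
    $removableLetters = Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    $result.RemovableVolumes = foreach ($mp in $removableLetters) {
        Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue |
            Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage
    }

    [pscustomobject]$result
}

$policy = Get-RemovableDriveBitLockerPolicy

if ($policy.GpoDenyWriteAccess -eq 1) {
    Write-Host 'Writes to unencrypted removable drives are still blocked on this device:'
    Write-Host 'a baseline or Disk Encryption profile is still applying the setting.'
} else {
    Write-Host 'No removable-drive write block is currently enforced on this device.'
}

$policy | Select-Object GpoDenyWriteAccess, MdmRequireEncryption | Format-List
$policy.RemovableVolumes | Format-Table -AutoSize
```

If the write block is still reported after the baseline change, compare the MdmRequireEncryption value against the assigned profiles in Intune to find which one is still setting it.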
