@Jon Mercer, thanks for posting in Q&A. Yes, your understanding is correct. In fact, Intune settings are based on the Windows configuration service providers (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, also called tattooing.
For the BitLocker setting, it is tattooing.
To disable the requirement for USB drives to be BitLocker encrypted, you can check the registry key PreventDeviceEncryption. You can update the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker registry key and set the value of PreventDeviceEncryption to False. This should disable the requirement for USB drives to be BitLocker encrypted.
If the USB is already encrypted, to disable it, you need to turn off BitLocker. But you have to enter your BitLocker PIN or password to decrypt the USB drive. And I don't find a method to auto-lock it. So I think you still need to ask the end user to enter their BitLocker password or PIN.
https://recoverit.wondershare.com/harddrive-recovery/how-to-disable-bitlocker-windows-10.html
Note: non-Microsoft link, just for reference.
Hope the above information can help.