Block USB Drives within Microsoft Intune

Today, I want to show you how you can block USB Drives within Microsoft Intune.

Introduction

When looking to block USB drives within Microsoft Intune, it’s very important to plan ahead: a failure to do so may cause disruption to users and require additional steps to remediate. The main question to answer before proceeding is “Do I want to block all users, or only a subset of users, from accessing USB drives?” Decide this early. If you wish to allow USB drives for a subset of users, create an additional AAD group containing those users or devices so that we can exclude them from the policy.

Prerequisites

  • AAD group for USB Allowed users (if applicable)
  • Administrative permissions within Intune
  • Basic understanding of Intune Configuration Profiles
  • Intune license
  • Intune licensed test user
  • Intune enrolled test device (physical)

Block USB drives

Creating the Endpoint Security Device Control Profile

This section shows how to implement an overall policy that blocks USB drives within Microsoft Intune in their entirety. To get started, log into the MEMAC portal, navigate to Endpoint Security, and under Manage select Attack surface reduction, then Create Policy:

Creating a policy to block USB drives within Microsoft Intune.

Select a platform of Windows 10 and later and a profile of Device control:

Add an appropriate Name and Description:

On the Configuration Settings page, select Yes under Block removable storage:

Block USB Drives profile setting.

Assign the endpoint security profile to your test device \ user and ensure that you have also applied your exclusion group under Excluded groups; failure to do so will require applying an explicit policy to allow USB drives again.

User Experience

Once the policy has been assigned, inserting a USB drive produces the following experience within File Explorer:

From within PowerShell:

You can still format the drive within Disk Manager, but you are unable to access the actual content:

Bonus Tip: Beware of the Tattoo

Issue

Be mindful when excluding devices \ users from profiles within Intune: some settings do not revert. In particular, the Block Removable Storage policy can only be set to Yes or Not Configured within Intune. Excluding groups from this setting, or changing the selection back to Not configured after it has previously been applied, does not mean that the restriction no longer applies on the device; it means only that Intune is no longer enforcing it, and the setting already written to the device remains in place (it has been tattooed). This is why it’s very important to test and gather all requirements upfront. If you’ve applied the Block Removable Storage policy to all users and now need to exclude a few of them, for example, you’ll need to explicitly allow removable storage again and exclude those users from the original policy. See below: this registry setting is still present even though I’ve removed the device from the assignment:

Resolution

To explicitly allow Removable Storage from within Intune again, create a Custom OMA-URI configuration profile and enter the following:

  • Name: Win10 – Allow Removable Storage
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard
  • Data Type: Integer
  • Value: 1

After the profile has successfully applied, a restart is required before access to USB storage devices is allowed again.
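The following PowerShell check is an added example and not part of the original post. Run it in an elevated session on the Intune-enrolled test device to see whether the removable storage block is still tattooed after an exclusion, and whether removable drives are actually readable. It assumes that Intune’s Block removable storage setting maps to the Policy CSP setting System/AllowStorageCard (the same OMA-URI used in the remediation above) and that applied values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device; both are assumptions, not something stated in the post.

```powershell
# Added example (not from the original post). Assumed registry mirror of the
# Policy CSP: HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
$item = Get-ItemProperty -Path $policyKey -Name AllowStorageCard -ErrorAction SilentlyContinue

if ($null -eq $item) {
    Write-Output 'AllowStorageCard: not present (Not configured). A previously applied block may still be tattooed; check the drive probe below.'
} elseif ($item.AllowStorageCard -eq 0) {
    Write-Output 'AllowStorageCard = 0: removable storage is blocked.'
} else {
    Write-Output "AllowStorageCard = $($item.AllowStorageCard): the allow value is present; confirm actual access with the drive probe below."
}

# Probe every removable logical disk (DriveType 2 = removable) by listing its root.
# A tattooed block shows up here as an access-denied error even when the policy looks unconfigured.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $drive = $_.DeviceID
    try {
        Get-ChildItem -LiteralPath "$drive\" -ErrorAction Stop | Out-Null
        Write-Output "$drive is readable."
    } catch {
        Write-Output "$drive is blocked: $($_.Exception.Message)"
    }
}
```

Because the remediation requires a restart, run the probe again after rebooting to confirm that the drive is readable.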

Thanks for reading! What did you think of the above? Have a better way of controlling USB devices? If so, leave a comment or send me a message on Twitter.

7 thoughts on “Block USB Drives within Microsoft Intune”

  • 30/04/2021 at 10:46 AM

    I have seen a case where we have excluded the group from the policy after the deployment and in the reg value we see

    Allow storage is set to 1

    Still the USB media is access denied.

    In this case, do we still use the OMA URI given the reg value is already 1?

    Any other suggestions on this.

    • 30/04/2021 at 12:22 PM

      Hi Prakash,

      Make sure that when you’re excluding, you’re using the same type of groups, e.g. if you used a user-based group to include, then use a user-based group to exclude (the same method goes for device groups). Do not mix and match user and device groups. Also make sure on the USB drive block profile that the users \ devices that you’ve excluded are now showing up as ‘non-applicable’. Is this the case? In addition, what does your OMA URI key report back?

  • 11/11/2021 at 8:02 AM

    Hello,
    We have a problem. We don’t want to allow USBs of the same model. Two SanDisk Ultra USB 3.0. We allow the first, but I want to block other USBs of the same model. Do you have any information about this subject?

  • 18/02/2022 at 8:14 PM

    Hello Alex,

    Will this block a Windows 10 flash drive? Or is it only for storage accessed by the user?
    Say, for example, I want to launch from BIOS into a USB stick to format a laptop due to malfunction.
    Is this going to block it?

  • 18/02/2022 at 8:16 PM

    Hello,

    Will this block launching into a Win 10 flash drive from BIOS?
    Or does this only affect external storage plugged in when the user is logged in?

    • 18/02/2022 at 9:18 PM

      Hi Edward,

      This will only block USB mass storage devices within the OS itself and not the BIOS.

      Thanks
      Alex.
