Block USB Drives within Microsoft Intune
Today, I want to show you how you can block USB Drives within Microsoft Intune.
Introduction
When looking to block USB drives within Microsoft Intune, it is very important to plan ahead: failing to do so may cause disruption to users and require additional steps to remediate. The main question to answer before proceeding is "Do I want to block all users, or only a subset of users, from accessing USB drives?" Decide this early. If you wish to allow USB drives for a subset of users, create an additional AAD group containing those users or devices so that it can be excluded from the policy.
Prerequisites
- AAD group for USB Allowed users (if applicable)
- Administrative permissions within Intune
- Basic understanding of Intune Configuration Profiles
- Intune license
- Intune licensed test user
- Intune enrolled test device (physical)
Block USB drives
Creating the Endpoint Security Device Control Profile
This section shows how to implement an overall policy that blocks USB drives within Microsoft Intune in their entirety. To get started, log into the MEMAC portal, navigate to Endpoint Security, then under Manage select Attack surface reduction and click Create Policy:
Select a platform of Windows 10 and later and a profile of Device control:
Add an appropriate Name and Description:
On the Configuration Settings page, select Yes under Block removable storage:
Assign the endpoint security profile to your test device / user and ensure that you have also added your exclusion group under Excluded groups; failing to do so will require applying an explicit policy to allow USB drives again.
User Experience
Once the policy has been assigned, inserting a USB drive gives the following experience within File Explorer:
From within PowerShell:
You can still format the drive within Disk Management, but you cannot access its actual content:
Bonus Tip: Beware of the Tattoo
Issue
Be mindful when excluding devices / users from profiles within Intune: some settings do not revert. In particular, the Block Removable Storage setting can only be set to Yes or Not Configured within Intune. Excluding a group from this setting, or changing the selection back to Not Configured after it has previously been applied, does not mean that the restriction no longer applies on the device; it only means that Intune no longer enforces it, and the value already written to the device stays in place. This is why it is very important to test and gather all requirements upfront. If you have applied the Block Removable Storage policy to all users and now need to exclude a few of them, for example, you will need to explicitly allow removable storage again and exclude those users from the original policy. See below: this registry setting is still present even though I have removed the device from the assignment:
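The two checks this post relies on, looking at the drive from PowerShell (User Experience section) and looking for the policy value that stays behind on the device (this section), can be scripted. The script below is an added example, not code from the original post. It assumes that Policy CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager (the standard MDM PolicyManager location); whether that is the exact key shown in the author's screenshot is an assumption. Run it in an elevated PowerShell session on the enrolled test device with a USB drive inserted.

```powershell
# Added example (not from the original post): report the AllowStorageCard
# policy state left on the device and test access to each removable volume.
# Assumption: MDM policy values live under HKLM:\SOFTWARE\Microsoft\PolicyManager;
# the exact subkey from the author's screenshot is not on the page.

function Get-AllowStorageCardState {
    # Walk every PolicyManager subtree and report each place the policy is recorded.
    # Two shapes are covered: a value named AllowStorageCard under a System key, and a
    # key named AllowStorageCard that stores its setting in a value called "value".
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }

        $setting = $null
        if ($props.PSObject.Properties.Name -contains 'AllowStorageCard') {
            $setting = $props.AllowStorageCard
        } elseif ($key.PSChildName -eq 'AllowStorageCard' -and
                  $props.PSObject.Properties.Name -contains 'value') {
            $setting = $props.value
        }

        if ($null -ne $setting) {
            [pscustomobject]@{
                Key     = $key.Name
                Value   = $setting
                Meaning = if ([int]$setting -eq 0) { 'Blocked (0)' } else { 'Allowed (1)' }
            }
        }
    }
}

function Test-RemovableDriveAccess {
    # Enumerate removable volumes with a drive letter and try to list their root.
    # "PermissionDenied" here is what the block policy produces; the drive is still
    # visible to the OS (so it can be formatted) but its content cannot be read.
    Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $rootPath = "$($_.DriveLetter):\"
            try {
                $null  = Get-ChildItem -Path $rootPath -ErrorAction Stop
                $state = 'Readable'
            } catch {
                $state = "$($_.CategoryInfo.Category): $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Drive      = $rootPath
                FileSystem = $_.FileSystem
                Access     = $state
            }
        }
}

Write-Host '== AllowStorageCard entries under PolicyManager =='
Get-AllowStorageCardState | Format-Table -AutoSize

Write-Host '== Removable volumes =='
Test-RemovableDriveAccess | Format-Table -AutoSize
```

If the first table still shows a 0 after a device has been excluded from the block profile, the tattoo described above is present and the explicit allow profile from the Resolution section is needed; after that profile applies and the device restarts, the second table should show the drive as Readable.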
Resolution
To explicitly allow Removable Storage from within Intune again, create a Custom OMA-URI configuration profile and enter the following:
| Setting   | Value                                                     |
|-----------|-----------------------------------------------------------|
| Name      | Win10 - Allow Removable Storage                           |
| OMA-URI   | ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard |
| Data Type | Integer                                                   |
| Value     | 1                                                         |
After successfully being applied, a restart is required to allow access to USB storage devices again.
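The same custom profile can be created and assigned with the Microsoft Graph PowerShell SDK, which is useful when the allow policy has to be rolled out quickly to a group that was excluded after the block was already in place. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All scope, and that $AllowedGroupId is a placeholder for the object id of your "USB allowed" AAD group.

```powershell
# Added example (not from the original post): create the "Allow Removable
# Storage" custom OMA-URI profile from the table above and assign it to the
# exclusion group via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; caller has
# DeviceManagementConfiguration.ReadWrite.All; $AllowedGroupId is a placeholder.

param(
    [string] $AllowedGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder group id
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Profile body: a Windows 10 custom configuration carrying one integer OMA-URI setting,
# matching the Name / OMA-URI / Data Type / Value rows of the table.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Win10 - Allow Removable Storage'
    description   = 'Re-enables removable storage for devices excluded from the USB block policy'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowStorageCard'
            description   = '1 = storage card / USB drives allowed, 0 = blocked'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard'
            value         = 1
        }
    )
} | ConvertTo-Json -Depth 5

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $profileBody -ContentType 'application/json'

# Assignment: include the "USB allowed" group. Use the same group type (user or
# device) that was used for the exclusion on the block profile.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $AllowedGroupId
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignBody -ContentType 'application/json' | Out-Null

Write-Host "Created profile '$($created.displayName)' ($($created.id)) and assigned it to group $AllowedGroupId"
```

As noted above, the devices still need a restart after the profile applies before USB storage becomes accessible again.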
Thanks for reading! What did you think of the above? Have a better way of controlling USB devices? If so, leave a comment or send me a message on Twitter.
I have seen a case where we have excluded the group from the policy after the deployment, and in the reg value we see
Allow storage is set to 1.
Still, the USB media is access denied.
In this case, do we still use the OMA-URI given the reg value is already 1?
Any other suggestions on this?
Hi Prakash,
Make sure that when you're excluding, you're using the same type of groups, e.g. if you used a user-based group to include, then use a user-based group to exclude (the same goes for device groups); do not mix and match user and device groups. Also make sure, on the USB drive block profile, that the users / devices that you've excluded are now showing up as 'non-applicable'. Is this the case? In addition, what does your OMA-URI key report back?
Hello,
We have a problem. We don't want to allow USBs of the same model: two SanDisk Ultra USB 3.0. We allow the first, but I want to block the other USB of the same model. Do you have any information about this subject?
Hello,
This should point you in the right direction: https://youtu.be/XCC8zSChflQ
Thanks,
Alex.
Hello Alex,
Will this block a Windows 10 flash drive? Or is it only for storage accessed by the user?
Say, for example, I want to launch from BIOS into a USB stick to format a laptop due to a malfunction.
Is this going to block it?
Hello,
Will this block launching into a Win 10 flash drive from BIOS?
Or does this only affect external storage plugged in when the user is logged in?
Hi Edward,
This will only block USB mass storage devices within the OS itself and not the BIOS.
Thanks
Alex.