Today, I want to show you how you can block USB Drives within Microsoft Intune.
When looking to block USB drives within Microsoft Intune, it is very important to plan ahead: a failure to do so may cause disruption to users and require additional steps to remediate. The main question to answer before proceeding is "Do I want to block all users, or only a subset of users, from accessing USB drives?" Decide this early. If you wish to allow USB drives for a subset of users, create an additional AAD group containing those users or devices so that you can exclude them from the policy. You will need the following:
- AAD group for USB Allowed users (if applicable)
- Administrative permissions within Intune
- Basic understanding of Intune Configuration Profiles
- Intune license
- Intune licensed test user
- Intune enrolled test device (physical)
Block USB drives
Creating the Endpoint Security Device Control Profile
This section shows how to implement an overall policy that blocks USB drives within Microsoft Intune in their entirety. To get started, log into the MEMAC portal and navigate to Endpoint Security. Under Manage, select Attack surface reduction, then Create Policy:
Select a platform of Windows 10 and later and a profile of Device control:
Add an appropriate Name and Description:
On the Configuration Settings page, select Yes under Block removable storage:
Assign the endpoint security profile to your test device / user and ensure that you have also applied your exclusion group under Excluded groups. If you do not, you will later need to apply an explicit policy to allow USB drives again.
Once the policy has been assigned, inserting a USB drive gives the following experience within File Explorer:
From within PowerShell:
You can still format the drive within Disk Management, but you cannot access the actual content:
Bonus Tip: Beware of the Tattoo
Be mindful when excluding devices / users from profiles within Intune: some settings do not revert. Some configurations, and in particular the Block removable storage policy, are set to either Yes or Not configured within Intune. When you exclude a group from this setting, or change the selection back to Not configured after it has previously been applied, this does not mean that the restriction no longer applies on the device; it only means that it is no longer enforced by Intune. This is why it is very important to test and gather all requirements upfront. If you have applied the Block removable storage policy to all users and now need to exclude a few of them, for example, you will need to explicitly allow removable storage again and exclude those users from the original policy. See below: this registry setting is still present even though I have removed the device from the assignment:
To explicitly allow removable storage from within Intune again, create a Custom OMA-URI configuration profile and enter the following:
| Setting | Value |
|---|---|
| Name | Win10 – Allow Removable Storage |
After successfully being applied, a restart is required to allow access to USB storage devices again.
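To verify whether a device that has been excluded from the policy (or had the allow profile applied and been restarted) still carries the tattooed restriction, the following audit script can be run locally in an elevated PowerShell session. It is an added example, not part of the original post, and it assumes that the Block removable storage setting is written to the standard Windows removable-storage policy key, as the equivalent Group Policy setting is.

```powershell
# Added audit script (not from the original post). Assumption: the setting is
# written to the standard Windows removable-storage policy key below, where
# Deny_All sits at the root and Deny_Read / Deny_Write / Deny_Execute sit
# under per-device-class subkeys, exactly as Group Policy writes them.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageRestriction {
    # Returns one object per Deny_* value that is still set to 1 under the
    # policy key, so a device excluded from the Intune assignment can be
    # checked for a tattooed restriction before users report blocked drives.
    if (-not (Test-Path $policyRoot)) { return @() }

    $results = @()
    # Root key (Deny_All covers every removable class) plus per-class subkeys.
    $keys = @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -like 'Deny_*' -and $key.GetValue($name) -eq 1) {
                $results += [pscustomobject]@{
                    Key   = $key.PSPath -replace '^.*::', ''   # strip the provider prefix
                    Value = $name
                }
            }
        }
    }
    return $results
}

$restrictions = Get-RemovableStorageRestriction
if ($restrictions.Count -eq 0) {
    Write-Output 'No removable storage Deny_* policy values present on this device.'
} else {
    Write-Output 'Removable storage restriction is still tattooed on this device:'
    $restrictions | Format-Table -AutoSize
}
```

An empty result after the restart confirms the allow profile took effect; a non-empty result identifies exactly which deny value is still in place.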
Thanks for reading! What did you think of the above? Have a better way of controlling USB devices? If so, leave a comment or send me a message on Twitter.