You can easily block USB drive on all Intune managed corporate devices by creating a Policy on Microsoft Endpoint Manager Admin Center. There are different ways to create a policy to block USB drive or removable storage device.
Blocking of USB drive access is must for every organization as it can save the organization from data leak. In Today’s world, users are using BYOD devices or a device provided by your company. In either case, if users are accessing any confidential information from the device which can be saved and then copied to your external storage then it could be a security breach event.
To prevent this security breach, use of removable storage must be blocked on all corporate devices. However, In some cases there would be certain users / specific devices which will require USB drive access. We will exclude those devices from this policy as an exception to allow those users / devices to access removable storage / USB drives.
We will see different options to configure the policy and then perform an End user testing on a test device to confirm if its working fine.
Blocking the use of Removable storage can be done either by creating a Policy under Microsoft Endpoint Manager Center -> Endpoint Security -> Attack Surface Reduction Policy or by creating a Device Configuration Profile from Microsoft Endpoint Manager Center -> Devices -> Configuration Profiles.
Other useful Articles on Techpress
- Deploy And Manage Custom Favorites To Microsoft Edge On Windows 10 Devices Using Microsoft Intune.
- Deploying MSI Application On Windows 10 Workstations Using Microsoft Intune.
- Renew Apple MDM Push Certificate For Microsoft Intune Apple Enrollment.
- Configure Team Site Libraries To Sync Automatically Using Microsoft Intune / Endpoint Manager.
- How To Uninstall Expressvpn Application From Windows 10 Systems Using Microsoft Intune.
Attack Surface reduction Policy
Create an Attack Surface reduction (ASR) Policy by browsing to Microsoft Endpoint Manager Center -> Endpoint Security -> Attack Surface Reduction and then clicking on + Create Policy button. Select Platform as Windows 10 and Later. Profile as Device Control.
Name the Policy appropriately. For example: Block Removable Drives Policy. Provide a Description to the Policy as well.
Find the Policy setting Block Removable storage and Select Yes.
Apply this policy to either All Users or All devices.
You can also create an Azure AD security group to Exclude certain devices from this policy by Adding the group into Excluded groups.
Device Configuration Profiles
You can also use a Device Configuration Profile to block removable storage. Browse to Microsoft Endpoint Manager Center -> Devices -> Configuration Profiles and create a profile for Windows 10 and later Platform.
Click on + Create profile -> Platform Windows 10 and later -> Profile Type Templates -> Template Name Device restrictions.
Go to the General section and find Removable Storage setting and Select Block.
Assign this Policy to either All users or All devices or to a specific Azure AD Security Group. In this demo, this policy has been applied to All devices.
USB Drive Block Policy Exclusions – Option 1
Either you use ASR Policy or Device Configuration Profile, it will block USB drive access on all Intune Managed Corporate devices. However, you can create an Azure AD group, add devices into this group to allow USB drive access and exclude it from this policy.
I have created an Azure Active Directory Security Group called Block Removable Drive Policy Exception and added the devices into this group to exclude from this policy. All devices which would be added to Block Removable Drive Policy Exception group will have access to USB drive.
End User Device Testing
It will take some time for policy to take effect. To force the sync with Intune. You can go to Settings -> Accounts -> Access work or school -> click on Connected to <your organization name> -> Click on Info button- > Scroll down on this page to find Device sync status section. Click on Sync button to initiate a sync with intune from the device. Also a logoff and log back in to the system also speeds up the sync process.
After forcing a sync from my computer, it took few minute to get the policy applied and it blocked the removable drive access. As you can see the error message I get when I try to access my USB drive. Location is not available, E:\ is not accessible. Access is Denied.
Below screenshot shows a device which was in Block Removable Drive Policy Exception Azure AD group and therefore is able to access the USB drive.
USB Drive Block Policy Exclusions – Option 2
As you have seen in USB Drive Block Policy Exclusions – Option 1 that we have created an Azure AD security group called Block Removable Drive Policy Exception and added it to the Excluded group section of the Block Removable Drives Policy. This way the devices which are added to Block Removable Drive Policy Exception group will get USB drive access.
There is another way you can allow specific devices to have access to the USB drive by using a Custom OMA-URI Setting. Let’s see how to create a policy and use this option.
Create a Custom Device Configuration Profile for Windows 10 and later as shown in below screenshot:
Name the policy appropriately e.g. Allow Removable Devices – Exceptions. Also provide a Description about this policy.
Click on Add button to add OMA-URL settings.
Provide below OMA-URI Settings:
Name: Windows 10 – Allow USB Drive
Description: Allow USB Drive OMA URL Setting
Data type: Integer
Apply this policy to an Azure AD security group which contains devices on which you want to allow USB drive access. Review and then create this policy. After Intune next refresh cycle completes, those devices which are added to the Block Removable Drive Policy Exception group will have USB drive access.
As you have seen there are different ways to block USB drive access / Removable Storage Access on the devices which are managed by Microsoft Intune. There are certain users or specific devices which need to have USB drive access and this is very common scenario in every organization. Therefore, we can create an Azure AD security group and Exclude this group from this policy. However, if you can also use OMA-URI setting to allow USB drive access instead of adding an Azure AD security group to the Excluded Group of the Block Removable Drive Policy.
2 thoughts on “Block USB drives with Exceptions using Microsoft Intune”
I’m looking for the correct way to implement the following:
* Block all removable storage devices except specific list of allowed USB removable drives
I looked at the ASR devicecontrol thing but I’m struggling with wildcards for the class (tried to do “block USBSTOR\*”) but that does not seem to work (error 65000)
What does work is enter “RemovableMediaDevices” in the “primary ID” field, that blocks the devices, however, I cannot override it then with a specific USB removable drive Hardware ID.
Any thoughts ?
You can use “Allow installation of devices that match any of these Device IDs” policy in Intune to allow certain devices while still keeping the USB port blocked for all other devices. Please refer to below blog post for this. Let me know if it helps. https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb