Block USB drives with Exceptions using Microsoft Intune

You can easily block USB drives on all Intune-managed corporate devices by creating a policy in the Microsoft Endpoint Manager admin center. There are different ways to create a policy that blocks USB drives or removable storage devices.

Blocking USB drive access is a must for every organization, as it can protect the organization from data leakage. Today, users work either on BYOD devices or on devices provided by the company. In either case, if a user can access confidential information from the device, save it and then copy it to external storage, that is a potential security breach.

To prevent this, the use of removable storage must be blocked on all corporate devices. However, in some cases certain users or specific devices will require USB drive access. We will exclude those devices from the policy as an exception, so that those users and devices can still access removable storage and USB drives.

We will look at the different options for configuring the policy and then perform end-user testing on a test device to confirm that it works.

Blocking the use of removable storage can be done either by creating a policy under Microsoft Endpoint Manager admin center -> Endpoint Security -> Attack Surface Reduction, or by creating a Device Configuration Profile under Microsoft Endpoint Manager admin center -> Devices -> Configuration Profiles.

Attack Surface Reduction Policy

Create an Attack Surface Reduction (ASR) policy by browsing to Microsoft Endpoint Manager admin center -> Endpoint Security -> Attack Surface Reduction and clicking the + Create Policy button. Select Windows 10 and later as the Platform and Device Control as the Profile.

(Screenshot: Attack Surface Reduction USB drive block policy in Intune)

Name the policy appropriately, for example Block Removable Drives Policy, and provide a description for it as well.

(Screenshot: Attack Surface Reduction USB drive block policy in Intune)

Find the policy setting Block Removable storage and select Yes.

(Screenshot: Attack Surface Reduction USB drive block policy in Intune)

Assign this policy to either All users or All devices.

You can also create an Azure AD security group to exclude certain devices from this policy by adding the group under Excluded groups.

(Screenshot: Attack Surface Reduction USB drive block policy in Intune)

Device Configuration Profiles

You can also use a Device Configuration Profile to block removable storage. Browse to Microsoft Endpoint Manager admin center -> Devices -> Configuration Profiles and create a profile for the Windows 10 and later platform.

Click + Create profile -> Platform: Windows 10 and later -> Profile type: Templates -> Template name: Device restrictions.

(Screenshot: Device Configuration Profile USB drive block policy in Intune)

Go to the General section, find the Removable storage setting and select Block.

(Screenshot: Device Configuration Profile USB drive block policy in Intune)

Assign this policy to All users, All devices or a specific Azure AD security group. In this demo, the policy has been applied to All devices.

(Screenshot: Device Configuration Profile USB drive block policy in Intune)

USB Drive Block Policy Exclusions – Option 1

Whether you use the ASR policy or the Device Configuration Profile, it will block USB drive access on all Intune-managed corporate devices. However, you can create an Azure AD group, add the devices that need USB drive access to it, and exclude that group from the policy.

I have created an Azure Active Directory security group called Block Removable Drive Policy Exception and added the devices to be excluded from this policy to this group. All devices added to the Block Removable Drive Policy Exception group will have access to USB drives.
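Managing the exception group by hand in the portal does not scale and leaves no record of who was exempted and why. The script below is an added example, not part of the original post, that creates the same Block Removable Drive Policy Exception security group and adds devices to it with the Microsoft Graph PowerShell SDK, then lists the members so the exception list can be reviewed regularly. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Group.ReadWrite.All and Device.Read.All permissions, and the device names LAB-PC-01 and LAB-PC-02 are placeholders.

```powershell
# Added example (not from the original post): create the USB exception group and
# add devices to it via Microsoft Graph. Assumes the Microsoft.Graph module and
# the Group.ReadWrite.All / Device.Read.All permissions. Device names are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$groupName        = 'Block Removable Drive Policy Exception'   # name used in the post
$exceptionDevices = @('LAB-PC-01', 'LAB-PC-02')                 # placeholder device names

# Reuse the group if it already exists; otherwise create a security group
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Devices permitted to use removable storage (reviewed quarterly)' `
        -MailEnabled:$false -MailNickname 'usb-exception' -SecurityEnabled:$true
    Write-Host "Created group $groupName ($($group.Id))"
}

foreach ($name in $exceptionDevices) {
    # Resolve the Azure AD device object by its display name
    $device = Get-MgDevice -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $device) {
        Write-Warning "Device '$name' not found in Azure AD; skipping"
        continue
    }
    try {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id -ErrorAction Stop
        Write-Host "Added $name to $groupName"
    } catch {
        # Adding a device that is already a member throws; report it and move on
        Write-Host "Could not add ${name}: $($_.Exception.Message)"
    }
}

# Audit step: every device in this group keeps USB access, so list them for review
Write-Host "Current members of ${groupName}:"
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Because the block policy applies to All devices, this group is the only thing standing between a device and removable storage; the final listing is the artefact to review when auditing the exception, and a device that no longer needs USB access should be removed from the group rather than the policy being loosened.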

(Screenshot: Intune USB drive block policy exceptions group)

End User Device Testing

It will take some time for the policy to take effect. To force a sync with Intune, go to Settings -> Accounts -> Access work or school -> click Connected to <your organization name> -> click the Info button -> scroll down to the Device sync status section and click Sync to initiate a sync with Intune from the device. Logging off and back on also speeds up the sync process.

(Screenshot: Intune force policy sync)

After forcing a sync from my computer, it took a few minutes for the policy to be applied, and it blocked removable drive access. You can see the error message I get when I try to access my USB drive: Location is not available. E:\ is not accessible. Access is denied.

(Screenshot: Intune USB drive block error message)

The screenshot below shows a device that was in the Block Removable Drive Policy Exception Azure AD group and is therefore able to access the USB drive.

(Screenshot: Intune USB drive exception device with drive access)

USB Drive Block Policy Exclusions – Option 2

As seen in USB Drive Block Policy Exclusions – Option 1, we created an Azure AD security group called Block Removable Drive Policy Exception and added it to the Excluded groups section of the Block Removable Drives Policy. This way, the devices added to the Block Removable Drive Policy Exception group get USB drive access.

There is another way to allow specific devices to access USB drives: a custom OMA-URI setting. Let's see how to create a policy using this option.

Create a Custom Device Configuration Profile for Windows 10 and later, as shown in the screenshot below:

(Screenshot: creating the custom configuration profile)

Name the policy appropriately, e.g. Allow Removable Devices – Exceptions, and provide a description for it.

(Screenshot: naming the custom configuration profile)

Click the Add button to add an OMA-URI setting.

(Screenshot: adding an OMA-URI setting)

Provide the following OMA-URI settings:

Name: Windows 10 – Allow USB Drive

Description: Allow USB Drive OMA-URI Setting

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard

Data type: Integer

Value: 1

(Screenshot: the AllowStorageCard OMA-URI setting)

Assign this policy to an Azure AD security group containing the devices on which you want to allow USB drive access. Review and then create the policy. After the next Intune refresh cycle completes, the devices in the Block Removable Drive Policy Exception group will have USB drive access.
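Both the End User Device Testing section and Option 2 come down to one question on the endpoint: which value of System/AllowStorageCard did the device actually apply, and does the removable drive behave accordingly? The script below is an added example, not part of the original post, that answers that from the device itself after a sync. It assumes that Intune-delivered Policy CSP values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting> and that a classic Group Policy deny would appear under HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices; both key layouts are assumptions to confirm on your Windows build. The function name Get-RemovableStoragePolicyState is mine.

```powershell
# Added example (not from the original post): report the removable-storage policy
# state on an Intune-managed endpoint. Registry layouts are assumptions to verify.

function Get-RemovableStoragePolicyState {
    $state = [ordered]@{}

    # System/AllowStorageCard is the OMA-URI used in Option 2 (1 = allow, 0 = block).
    # Assumed mirror location for Policy CSP values delivered by Intune.
    $cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    $state.AllowStorageCard = (Get-ItemProperty -Path $cspKey -Name 'AllowStorageCard' `
        -ErrorAction SilentlyContinue).AllowStorageCard

    # Assumed location of the legacy GPO "All Removable Storage classes: Deny all access";
    # a value of 1 here would block the drive regardless of the Intune setting.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $state.GpoDenyAll = (Get-ItemProperty -Path $gpoKey -Name 'Deny_All' `
        -ErrorAction SilentlyContinue).Deny_All

    # Interpret the CSP value the same way the post's test does
    $state.ExpectedBehaviour = switch ($state.AllowStorageCard) {
        0       { 'Blocked: removable storage denied by policy' }
        1       { 'Allowed: device is an exception' }
        default { 'No AllowStorageCard value present; policy not yet applied or not targeted' }
    }

    # Removable volumes currently plugged in (Win32_LogicalDisk DriveType 2 = removable)
    $state.RemovableVolumes = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID)

    # Try to read the root of each removable volume; "Access is denied" confirms the block
    $state.AccessCheck = @(foreach ($drive in $state.RemovableVolumes) {
        try {
            Get-ChildItem -Path "$drive\" -ErrorAction Stop | Out-Null
            "$drive accessible"
        } catch {
            "$drive blocked: $($_.Exception.Message)"
        }
    })

    [pscustomobject]$state
}

# Run locally (elevated is not required to read these keys) and print the report
Get-RemovableStoragePolicyState | Format-List
```

Run this on the test device used in the End User Device Testing section and on one of the exception devices: the first should show AllowStorageCard = 0 and a blocked drive, the second AllowStorageCard = 1 and an accessible drive. If the values do not match what the admin center reports for the device under its Device configuration status, or the setting shows a conflict there because the device is targeted by both the block policy and the Option 2 allow policy, resolve that assignment before trusting the result.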

(Screenshot: assigning the exception policy to the Azure AD group)

Conclusion

As you have seen, there are different ways to block USB drive and removable storage access on devices managed by Microsoft Intune. Certain users or specific devices still need USB drive access, and this is a very common scenario in every organization. Therefore, we can create an Azure AD security group and exclude it from the policy. Alternatively, you can use the OMA-URI setting to allow USB drive access instead of adding an Azure AD security group to the Excluded groups of the Block Removable Drive Policy.
