Microsoft Intune – Restricting USB Storage Devices

Introduction

This guide provides the steps to block all read, write, and execute access to USB storage devices via Intune, using the Microsoft Defender for Endpoint device control feature. Please reach out to us for a more customized policy that can include allow-listed devices, customized reporting, and more.

This process is typically used for data loss prevention (DLP). It also removes a common malware delivery path, since a planted or infected USB drive can no longer be read or executed from.


Requirements

  • Device operating system must be at a minimum:
    • Windows Server 2012 R2 or later
    • Windows 10 1709 or later
    • Windows 11
  • Windows E3 license
    • A Windows E5 license is required for the advanced management capabilities, including the monitoring, analytics, and workflows available in Defender for Endpoint, as well as the reporting and configuration capabilities in the Microsoft Defender XDR portal.
  • Intune Administrator or Global Administrator role
  • Device must have Microsoft Defender Antivirus enabled with real-time protection on (device control is enforced by the Defender Antivirus engine, so it does not take effect if Defender is disabled)

Create Reusable Setting

  1. Navigate to the Microsoft Intune admin portal: https://intune.microsoft.com
  2. Navigate to Endpoint Security > Attack Surface Reduction
  3. Select Add under Reusable Settings
  4. Set a name and description for the reusable setting
  5. Under Device Control select Add > Removable Storage
  6. Click Edit Instance and choose a name such as “Any USB Storage Devices”
  7. Change the PrimaryId to RemovableMediaDevices and Save. This descriptor matches any removable media device, which is what makes the rule apply to all USB storage rather than to specific vendor or serial IDs
  8. Click Next and then Review & Save

As the name indicates, this reusable setting can be referenced from multiple policies, including the one configured in the next step.


Create Policy

  1. Navigate to the Microsoft Intune admin portal: https://intune.microsoft.com
  2. Navigate to Endpoint Security > Attack Surface Reduction
  3. Select Create New Policy under Summary
  4. Select the platform Windows 10, Windows 11, and Windows Server and the profile Device Control, then Create
  5. Set a name and description for the policy
  6. Within the configuration settings, navigate to Device Control, expand the selection and select Add
  7. Within the Included ID section, add the reusable setting created previously by selecting its name. Leave the Excluded ID section blank
  8. Select Edit Entry and choose a name such as “Deny USB Storage Devices”. Next, select Add and configure the entry with Type set to Deny and the Access mask set to Read, Write, and Execute
  9. This configuration denies read, write, and execute access to USB storage devices. Select OK
  10. Choose the assignments. It is recommended to assign a test group before rolling the change out to the entire organization. Select your group, user, and device assignments and exclusions
    • The policy can also be created with no assignments and assigned later
  11. Select Review & Save to create the policy
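The two procedures above (the reusable setting and the policy entry) correspond to the Group and PolicyRule XML of Microsoft's device control schema, which is also what you would push through a custom OMA-URI profile instead of the Endpoint Security UI. The following PowerShell is an added example, not code from the original guide or from Microsoft; it generates both fragments for the same "deny all removable media, read/write/execute" rule. The GUIDs, names, output directory and the probe-style validation are assumptions chosen for this example.

```powershell
# Added example (not from the original guide): builds the device control
# Group and PolicyRule XML that corresponds to the reusable setting
# ("Any USB Storage Devices", PrimaryId RemovableMediaDevices) and the
# policy entry ("Deny USB Storage Devices", deny read/write/execute).
# GUIDs, names and the output directory are assumptions for this example.

function New-DeviceControlDenyPolicy {
    param(
        [string]$GroupName = 'Any USB Storage Devices',
        [string]$RuleName  = 'Deny USB Storage Devices',
        [string]$OutDir    = "$env:TEMP\DeviceControl"
    )

    $groupId = "{$([guid]::NewGuid())}"
    $ruleId  = "{$([guid]::NewGuid())}"
    $denyId  = "{$([guid]::NewGuid())}"
    $auditId = "{$([guid]::NewGuid())}"

    # Group: matches any removable media device (USB storage).
    $groupXml = @"
<Group Id="$groupId">
  <Name>$GroupName</Name>
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
  </DescriptorIdList>
</Group>
"@

    # PolicyRule: AccessMask 7 = Read (1) + Write (2) + Execute (4).
    # The Deny entry blocks access. The AuditDenied entry (Options 3 =
    # show notification + send event) is what gives the user the toast
    # and gives the SOC a Defender event each time a block happens.
    $ruleXml = @"
<PolicyRule Id="$ruleId">
  <Name>$RuleName</Name>
  <IncludedIdList>
    <GroupId>$groupId</GroupId>
  </IncludedIdList>
  <ExcludedIdList />
  <Entry Id="$denyId">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>7</AccessMask>
  </Entry>
  <Entry Id="$auditId">
    <Type>AuditDenied</Type>
    <Options>3</Options>
    <AccessMask>7</AccessMask>
  </Entry>
</PolicyRule>
"@

    # Fail early on malformed XML rather than after deployment: the cast
    # throws if either fragment is not well-formed.
    [xml]$groupXml | Out-Null
    [xml]$ruleXml  | Out-Null

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $groupPath = Join-Path $OutDir 'group.xml'
    $rulePath  = Join-Path $OutDir 'rule.xml'
    $groupXml | Set-Content -Path $groupPath -Encoding UTF8
    $ruleXml  | Set-Content -Path $rulePath  -Encoding UTF8

    # OMA-URIs the fragments map to; the GUID braces are URL-encoded.
    $enc = { param($id) $id.Replace('{', '%7B').Replace('}', '%7D') }
    [pscustomobject]@{
        GroupFile   = $groupPath
        GroupOmaUri = "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/$(& $enc $groupId)/GroupData"
        RuleFile    = $rulePath
        RuleOmaUri  = "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/$(& $enc $ruleId)/RuleData"
    }
}

New-DeviceControlDenyPolicy
```

Keeping a copy of the generated XML next to the Intune policy is useful for change review: a reviewer can diff the AccessMask and PrimaryId values directly instead of clicking through the portal, and an allow-list for approved devices later becomes an additional Group referenced from ExcludedIdList rather than a rewrite of the rule.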

Confirmation

Once the policy has been created, open it to review the deployment status:

After the assigned devices have checked in, the policy shows as successfully applied to the test device. Choosing View Report shows the per-device details:
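The Intune report only tells you the policy was delivered. The following PowerShell, an added example that is not part of the original guide, is meant to be run on the test device once the report shows success: it checks the prerequisites from the Requirements section, looks for the Defender configuration-change event the policy push produces, and then proves the deny holds by trying to list and write to every removable drive. The lookback window, the probe file name and the assumption that the 5007 event message mentions device control are choices made for this example.

```powershell
# Added example (not from the original guide): run on a test device after
# the Intune report shows the policy applied. Plug in a test USB drive
# first; with no removable drive present there is nothing to verify.
# Lookback window, probe file name and the 5007 message filter are
# assumptions for this example.

function Test-UsbStorageBlock {
    param([int]$LookbackHours = 24)

    $status = Get-MpComputerStatus
    $build  = [System.Environment]::OSVersion.Version.Build

    # Prerequisites from the Requirements section. Build 16299 is
    # Windows 10 1709. AMRunningMode 'Normal' means Defender AV is the
    # active engine rather than sitting in passive mode behind another AV.
    $prereqs = [ordered]@{
        'OS build >= 16299 (Win10 1709)' = ($build -ge 16299)
        'Defender AV enabled'            = $status.AntivirusEnabled
        'Real-time protection on'        = $status.RealTimeProtectionEnabled
        'Defender AV in Normal mode'     = ($status.AMRunningMode -eq 'Normal')
    }

    # Defender logs event 5007 whenever its configuration changes, which
    # includes a device control policy arriving from Intune. The message
    # filter is an assumption; if it matches nothing, read the recent 5007
    # events by hand.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Device ?Control' }

    # Enforcement check. DriveType 2 is a removable disk. Under the deny
    # rule even listing the drive root should fail with access denied,
    # and writing a file should fail the same way.
    $drives  = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    $results = foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $read = $false
        $write = $false
        try {
            Get-ChildItem -LiteralPath $root -ErrorAction Stop | Out-Null
            $read = $true
        } catch {}
        try {
            $probe = Join-Path $root 'dlp-probe.txt'
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
            $write = $true
        } catch {}
        [pscustomobject]@{ Drive = $d.DeviceID; ReadAllowed = $read; WriteAllowed = $write }
    }

    $leaks = @($results | Where-Object { $_.ReadAllowed -or $_.WriteAllowed })

    [pscustomobject]@{
        Prerequisites    = $prereqs
        PolicyEventsSeen = @($events).Count
        RemovableDrives  = @($results)
        # Enforced only if at least one drive was tested and none of them
        # allowed either read or write.
        Enforced         = (@($results).Count -gt 0) -and ($leaks.Count -eq 0)
    }
}

Test-UsbStorageBlock | Format-List
```

Treat Enforced = False with ReadAllowed = True as a real finding, not a reporting lag: it usually means Defender is in passive mode, real-time protection is off, or the device is in a group the policy is not assigned to, all of which leave the drive fully usable even though the Intune report says the policy succeeded.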


User Experience

After the policy has been successfully applied, if a user tries to use a USB storage device, they receive a Windows notification similar to the following:


Reference

The following Microsoft documentation provides additional instructions for this process.

Official Microsoft documentation for Intune attack surface reduction policy, including device control profiles: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy


Contact Us

Looking for additional Microsoft assistance? Contact Us today to schedule a free consultation with our certified engineers!
