This document covers the steps to block removable storage using Intune. Access to USB drives can be restricted or blocked with a Device Control profile in Intune (Microsoft Endpoint Manager).
By creating an Endpoint Security Device Control profile in Intune, we define the settings that block access to USB storage devices.
Because USB devices are portable and can be connected to a computer in seconds, they pose a very real security threat.
Microsoft also provides an alternative way to restrict USB device access, using Administrative Templates in Intune. With an Intune Device Control profile, however, blocking removable storage is much simpler.
Why Block USB drives in Intune?
For any organization, security comes first. USB drives are one of the easiest ways for malware to enter a computer.
The first time we connect a device to a USB port, Windows automatically identifies it and installs a driver for it.
To prevent malware, spyware, ransomware and virus infections, and to prevent data loss, we may want to block certain kinds of USB devices by using Endpoint Manager (Intune).
Common examples of removable storage that we should block include USB flash drives and cameras with built-in storage.
Data loss via USB thumb drives is nothing new. Organizations that allow employees to store sensitive work information on removable USB drives are always at risk of data loss if no proper data loss controls are in place.
At the same time, we want to keep allowing other kinds of USB devices, such as keyboards and mice, and a removable storage block does not affect those. So we must decide whether to block USB storage access for all users or only for a subset of users, and assign the policy accordingly.
Steps to block Removable Storage using Intune
Let's create an Endpoint Security Device Control profile to block removable storage using Intune. Sign in to the Microsoft Endpoint Manager admin center and select Endpoint security > Attack surface reduction > Create Policy.
In the Create a profile window, select the Platform Windows 10 and later and the Profile Device control, then click Create.
Note – Microsoft recommends a layered approach to securing removable media. Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising our devices.
On the Basics tab, enter a name for the profile, for example Block removable storage. Optionally add a description that helps other admins understand what the profile does. Click Next.
The Configuration settings tab is where we define the settings that block access to removable storage (USB drives) via Intune.
Scroll down to the setting Block removable storage and set it to Yes. The policy will then block the use of removable storage on the targeted devices. Leave the remaining settings Not configured unless you specifically need them.
On the Scope tags tab, select scope tags if you use them; otherwise just click Next.
On the Assignments tab, click Add groups and select the groups to which we want to deploy the policy. Devices in those groups will have removable storage blocked. Deploy to a pilot group first, because users with a legitimate need for USB storage lose access as soon as the policy applies. Click Next.
Finally, on the Review + create tab, review the settings and click Create.
A notification confirms that the profile has been created successfully. This completes the steps to block removable storage (USB drive access) using Intune.
After the policy applies to a device and a user connects a removable storage device, the user sees the following message when they try to open the drive: Location is not available. The drive letter is not accessible. Access is denied.
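To confirm on an endpoint that the profile created above actually took effect, rather than waiting for a user to report the "Access is denied" message, the following PowerShell script can be run on a targeted device. It is an added example and not part of the original post or of Microsoft's tooling. It assumes that the Intune setting is enforced through the standard Windows "Removable Storage Access" policy values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices (Deny_All, and the per-class Deny_Read/Deny_Write/Deny_Execute values, where 1 means deny); the class GUID used is the Windows "Removable Disks" class. If your tenant enforces the block through a different mechanism, adjust the registry checks; the read/write probe on USB-attached volumes works regardless of how the block is delivered.

```powershell
# Added example (not from the original post): verify on a Windows endpoint that
# removable storage is blocked after the Intune Device Control profile applies.
# Assumption (verify in your tenant): the block lands in the standard Windows
# "Removable Storage Access" policy keys below, with Deny_* = 1 meaning deny.
# The class GUID is the Windows "Removable Disks" class used by those policies.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks class

function Get-RemovableStoragePolicy {
    # Returns the deny values that are set; an empty result means no policy was found.
    $result = [ordered]@{}
    $denyAll = Get-ItemProperty -Path $PolicyRoot -Name Deny_All -ErrorAction SilentlyContinue
    if ($denyAll) { $result['Deny_All'] = [int]$denyAll.Deny_All }

    $classKey = Join-Path $PolicyRoot $RemovableDisks
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $v = Get-ItemProperty -Path $classKey -Name $name -ErrorAction SilentlyContinue
        if ($v) { $result[$name] = [int]$v.$name }
    }
    return $result
}

function Test-RemovableDriveAccess {
    # Attempts a directory listing and a small file write on every mounted
    # USB-attached volume. A failed read is what the user sees in Explorer as
    # "Location is not available ... Access is denied".
    $usbDisks = Get-Disk | Where-Object BusType -eq 'USB'
    foreach ($disk in $usbDisks) {
        $partitions = $disk | Get-Partition | Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' }
        foreach ($part in $partitions) {
            $root = "$($part.DriveLetter):\"
            $readOk = $false
            $writeOk = $false
            try {
                Get-ChildItem -Path $root -ErrorAction Stop | Out-Null
                $readOk = $true
            } catch { }
            # Probe file name is constructed for this check and removed afterwards.
            $probe = Join-Path $root ("intune-probe-{0}.tmp" -f [guid]::NewGuid())
            try {
                Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
                $writeOk = $true
                Remove-Item -Path $probe -ErrorAction SilentlyContinue
            } catch { }
            [pscustomobject]@{
                Disk         = $disk.FriendlyName
                Drive        = $root
                ReadAllowed  = $readOk
                WriteAllowed = $writeOk
            }
        }
    }
}

$policy = Get-RemovableStoragePolicy
if ($policy.Count -eq 0) {
    Write-Warning "No removable storage policy values found under $PolicyRoot. The profile may not have applied yet; sync the device from Settings > Accounts > Access work or school and retry."
} else {
    $policy.GetEnumerator() | ForEach-Object { '{0,-12} = {1}' -f $_.Key, $_.Value }
}
Test-RemovableDriveAccess | Format-Table -AutoSize
```

Run the script with a USB flash drive attached. On a device where the profile has applied, the probe should report ReadAllowed and WriteAllowed as False for the USB volume; on an unassigned device both are True, which makes this a quick check for a pilot group before the policy is rolled out more widely.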