This article covers the steps to block removable storage using Intune. You can restrict or block access to USB drives using a Device Control profile in Intune (Endpoint Manager).
By creating an Endpoint Security Device Control profile in Intune, you can define the settings that block USB device access.
Since USB devices are portable and can be connected easily to computers, these devices pose a very real security threat.
Microsoft provides an alternate way to restrict access to USB devices by using Administrative Templates in Intune. However, with an Intune Device Control profile it is much easier to block removable storage.
If you are not using Intune or any MDM solution, you can disable USB devices using Group Policy instead.
Why Block USB drives in Intune?
For any organization, security comes first. USB drives are one of the means through which malware can easily enter a computer.
The first time you connect a device that plugs into a USB port, Windows automatically identifies the device and installs a driver for that device.
To prevent malware infections or data loss in your organization, you may want to block certain kinds of USB devices using Intune.
Some common examples of removable storage that you should block include USB flash drives and cameras.
On the other hand, you may want to allow access to other kinds of USB devices, such as a keyboard or mouse. Hence, you must decide whether to block USB device access for all users or only for a subset of users.
Steps to block Removable Storage using Intune
Let’s create an Endpoint Security Device Control Profile to block removable storage using Intune. Sign in to the Microsoft Endpoint Manager admin center. Select Endpoint Security > Attack Surface Reduction > Create Policy.
On the Create a profile window, select the Platform as Windows 10 and later and Profile as Device Control. Click Create.
Note – Microsoft recommends a layered approach to securing removable media. Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices.
On the Basics tab, specify the name of the profile as block removable storage. You can also add a description that helps other admins understand what this profile is for. Click Next.
The Configuration Settings tab is an important section where we define the settings to block access to removable storage or USB devices via Intune.
Scroll down and look for the setting named "Block removable storage". Set it to Yes; the policy will then block the use of removable storage on the targeted devices.
You may select scope tags on the Scope tags section. If you don't need any, just click Next.
On the Assignments tab, click Add Groups and select the groups to which you want to deploy the policy. The devices that are part of the group will have the removable storage blocked. Click Next.
Finally on the Review + Create tab, review the settings and click Create.
A notification should appear confirming that the profile has been created successfully. This completes the steps to block removable storage or block USB drive access using Intune.
After the policy applies successfully on the devices, when a user connects a removable storage device to the computer, the user sees the following error: Location is not available. The drive letter is not accessible. Access is denied.
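To confirm on a managed device that the block is actually in effect, rather than relying on the Intune portal status alone, here is an added PowerShell check. It is example code written for this article, not a Microsoft script and not part of the original post. It assumes the Intune "Block removable storage" setting surfaces on the device as the same Removable Storage Access policy values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices (Deny_All for all classes, or Deny_Read / Deny_Write under the Removable Disks class GUID); if your tenant's policy lands elsewhere, the second check, which tries to list the root of every USB-attached volume, still shows whether the block is effective. Run it in an elevated PowerShell session on the target device.

```powershell
# Added example (not from the article): verify removable storage blocking on a Windows device.

# Assumption: the applied policy is visible under the Group Policy registry location below.
$policyKey          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device setting class GUID

function Get-RemovableStoragePolicyState {
    # Reads the deny flags and returns a small object describing the policy state.
    $state = [ordered]@{ DenyAllClasses = $false; DenyRead = $false; DenyWrite = $false }
    if (Test-Path -LiteralPath $policyKey) {
        $all = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
        if ($all.Deny_All -eq 1) { $state.DenyAllClasses = $true }

        $classKey = Join-Path $policyKey $removableDiskClass
        if (Test-Path -LiteralPath $classKey) {
            $cls = Get-ItemProperty -LiteralPath $classKey -ErrorAction SilentlyContinue
            if ($cls.Deny_Read  -eq 1) { $state.DenyRead  = $true }
            if ($cls.Deny_Write -eq 1) { $state.DenyWrite = $true }
        }
    }
    [pscustomobject]$state
}

function Test-UsbVolumeAccess {
    # Enumerates disks on the USB bus and attempts to list the root of each lettered volume.
    # "Access is denied" here matches what the end user sees once the profile is effective.
    Get-Disk | Where-Object BusType -eq 'USB' | Get-Partition |
        Where-Object { $_.DriveLetter -match '[A-Z]' } |
        ForEach-Object {
            $root = "$($_.DriveLetter):\"
            try {
                $null  = Get-ChildItem -LiteralPath $root -ErrorAction Stop
                $result = 'Accessible (block NOT effective)'
            } catch {
                if ($_.Exception -is [System.UnauthorizedAccessException] -or
                    $_.FullyQualifiedErrorId -match 'UnauthorizedAccess') {
                    $result = 'Access denied (block effective)'
                } else {
                    $result = "Error: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{ Drive = $root; DiskNumber = $_.DiskNumber; Result = $result }
        }
}

Write-Host 'Removable storage policy state (registry):'
Get-RemovableStoragePolicyState | Format-List

Write-Host 'Connected USB volumes:'
$volumes = @(Test-UsbVolumeAccess)
if ($volumes.Count -eq 0) {
    Write-Host '  No USB-attached volumes with a drive letter are currently connected.'
} else {
    $volumes | Format-Table -AutoSize
}

# Optional: export the device's MDM diagnostic report so the applied Intune profile can be
# cross-checked from the device's own policy cache (produces MDMDiagReport.html in the folder).
$reportDir = Join-Path $env:TEMP 'MdmDiag'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
mdmdiagnosticstool.exe -out $reportDir
```

If the registry flags show no deny values but the volume test still reports "Access denied", the block is being enforced through a different mechanism than the one assumed here; the MDM diagnostic report is the place to confirm which profile delivered it.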