In this article, I’ll walk you through how to allow USB access for specific devices based on VID, PID and Serial Number using Microsoft Intune. Allowing USB access for specific devices based on Vendor ID (VID), Product ID (PID), and Serial Number requires a combination of settings: a policy that blocks device installation by default, plus an allow list that creates granular exceptions for approved devices.
This method is commonly used in environments with strict data protection policies, where USB ports are blocked by default but exceptions need to be made for approved devices. By using these identifiers, IT admins can allow only authorized USB devices while denying all others. To implement this, you can create a custom Intune configuration profile using the settings catalog.
First, block USB devices globally. For storage access, use the “Removable Disks: Deny read/write access” Group Policy settings (Removable Storage Access) or the corresponding Intune CSP; to block installation of the device itself, use “Prevent installation of devices not described by other policy settings” or “Prevent installation of removable devices” under Device Installation Restrictions. Then define allow rules that name the approved device’s VID, PID and Serial Number, either with the Device Installation Restrictions allow-list settings used in this article or with Microsoft Defender for Endpoint Device Control (found in Intune under Endpoint security > Attack surface reduction). These values can be obtained from Device Manager (Details tab: Hardware Ids and Device instance path) or with the PowerShell commands shown below.
Additionally, deploying a PowerShell script via Intune can automate the collection of device identifiers from pilot machines, or the population of the registry-based allow list that the Device Installation Restrictions policy reads. It’s crucial to test the policy on pilot machines before wide-scale deployment to avoid accidental data loss or access denial. Regularly reviewing the connected USB device inventory and updating the allowed device identifiers helps maintain security and compliance in dynamic enterprise environments.

PowerShell Commands to Find VID/PID/SN
Please refer to the table below. To collect the identifiers, connect the USB device to a machine and execute the following PowerShell commands. The -like pattern needs wildcards on both sides (the property names are DEVPKEY_Device_DeviceDesc and DEVPKEY_Device_BusReportedDeviceDesc); without them the filter matches nothing. Get-WmiObject still works but is deprecated; Get-CimInstance accepts the same class name.
Use | PowerShell Command
---|---
Identify the device description (DeviceDesc and BusReportedDeviceDesc) | `Get-PnpDevice -Class USB \| Get-PnpDeviceProperty \| Where-Object {$_.KeyName -like "*DeviceDesc*"}`
Find VID/PID and the instance path (last segment is the serial number, if the device reports one) | `Get-WmiObject Win32_USBHub \| Select-Object Name, DeviceID`
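The two commands in the table show the identifiers in separate listings. The script below, an added example that is not part of the original article, combines them into one inventory per USB device: the hardware IDs (what the “device IDs” policy setting matches on), the instance path (what the “device instance IDs” setting matches on), the VID/PID parsed out of it, and whether the last segment of the path is a serial number reported by the device or an identifier generated by Windows. It assumes only the built-in PnpDevice module on Windows 10/11; the function name Get-UsbDeviceIdentity is my own.

```powershell
# Added example (not from the original article). Inventory connected USB devices and
# report every identifier the Device Installation Restriction settings can match on.
# Requires the built-in PnpDevice module (Windows 10/11). Run in an elevated or normal
# PowerShell session; no policy is changed.

function Get-UsbDeviceIdentity {
    [CmdletBinding()]
    param(
        # Also list devices that were connected before but are not present right now.
        [switch]$IncludeAbsent
    )

    # Only real USB functions have an instance path starting with USB\VID_; root hubs,
    # USB4 routers and host controllers are skipped.
    $devices = Get-PnpDevice -Class USB -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_*' }
    if (-not $IncludeAbsent) { $devices = $devices | Where-Object { $_.Present } }

    foreach ($dev in $devices) {
        # Hardware IDs: these are the strings compared by
        # "Allow/Prevent installation of devices that match any of these device IDs".
        $hwIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        $busName = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_BusReportedDeviceDesc' -ErrorAction SilentlyContinue).Data

        # Instance path layout: USB\VID_xxxx&PID_yyyy\<serial or Windows-generated id>
        $parts = $dev.InstanceId -split '\\'
        $vendorId = $productId = $null
        if ($parts[1] -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $vendorId  = $Matches[1].ToUpper()
            $productId = $Matches[2].ToUpper()
        }
        $lastSegment = if ($parts.Count -ge 3) { $parts[2] } else { '' }
        # A device-reported serial contains no '&'. Windows-generated ids look like
        # 5&22EB828A&0&1 and change with the port and host, so they cannot be used
        # to pin a policy to one physical unit.
        $serialReported = ($lastSegment -ne '') -and ($lastSegment -notmatch '&')

        [pscustomobject]@{
            FriendlyName    = $dev.FriendlyName
            BusReportedName = $busName
            VID             = $vendorId
            PID             = $productId
            SerialNumber    = if ($serialReported) { $lastSegment } else { $null }
            SerialReported  = $serialReported
            InstanceId      = $dev.InstanceId      # value for the "device instance IDs" setting
            HardwareIds     = ($hwIds -join '; ')  # candidates for the "device IDs" setting
            Present         = $dev.Present
            Status          = $dev.Status
        }
    }
}

# Typical use: review the list, then copy InstanceId (with serial) or a HardwareId (without).
Get-UsbDeviceIdentity | Sort-Object VID, PID | Format-Table FriendlyName, VID, PID, SerialNumber, SerialReported, Status -AutoSize
```

Run it once with the approved device connected and once with a second unit of the same model if you have one: if both report the same SerialNumber, the instance path does not uniquely identify one physical device and a policy built on it allows the whole batch.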
Create a Configuration Policy to Allow USB Access for Specific Devices in Intune
To Allow USB Access for Specific Devices using Microsoft Intune, follow these steps. First, sign in to the Microsoft Intune Admin Center with your administrator credentials.
- Navigate to Devices > Windows > Manage devices > Configuration
- Click on +Create > +New Policy

Next, we will create a new configuration profile from scratch. Provide the options listed below.
- Platform: Windows 10 and later
- Profile type: Settings catalog

In the Basics details pane, name the configuration policy “Allow USB Access for Specific Devices Based on VID, PID, and Serial Number”. It’s also important to provide a brief description of the policy’s purpose. For example, you could write: “This policy is designed to allow USB access only for specific devices based on their VID, PID, and Serial Number using the Intune Configuration Profile”. After that, click Next.

We can now add the necessary settings to the Configuration Settings pane. To do this, click on +Add settings in the bottom left corner of the page.

Search for “Device Installation Restrictions”. In the results, expand the category Administrative Templates\System\Device Installation Restrictions and tick “Allow installation of devices that match any of these device IDs”. If your tenant does not already enforce a Prevent setting from the same category (for example “Prevent installation of devices not described by other policy settings” or “Prevent installation of removable devices”), add one here as well: an Allow list is only an exception to a Prevent policy and has no effect on its own. Finally, close the Settings picker window.

On the current page, set “Allow installation of devices that match any of these device IDs” to Enabled and add the identifier taken from the PowerShell output in the note below. Two forms of identifier are involved. The “device IDs” setting matches on hardware IDs, which carry only the vendor and product, so for the device in the output enter USB\VID_13D3&PID_5463. To pin the exception to one physical unit, the serial number is the last segment of the instance path (0X0001 here); enter the full instance path USB\VID_13D3&PID_5463\0X0001 in the separate setting “Allow installation of devices that match any of these device instance IDs” instead. Instance paths whose last segment contains ampersands (5&22EB828A&0&1 in the output) were generated by Windows because the device reported no serial number; they change with the port and host, so such devices can only be allowed by hardware ID. Then click Next.
NOTE: PowerShell commands and their output (instance IDs are truncated in the first capture).
```powershell
PS C:\WINDOWS\system32> Get-PnpDevice -Class USB | Get-PnpDeviceProperty | Where-Object {$_.KeyName -like "*DeviceDesc*"}

InstanceId KeyName                              Type   Data
---------- -------                              ----   ----
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String Jabra Evolve2 40 SE
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String USB Receiver
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String Plantronics Blackwire 3220 Series
USB4\RO... DEVPKEY_Device_DeviceDesc            String USB4 Root Router
USB\ROO... DEVPKEY_Device_DeviceDesc            String USB Root Hub (USB 3.0)
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String USB Receiver
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String USB2.0 HD UVC WebCam
USB4\RO... DEVPKEY_Device_DeviceDesc            String USB4 Root Router
USB\ROO... DEVPKEY_Device_DeviceDesc            String USB Root Hub (USB 3.0)
USB\VID... DEVPKEY_Device_DeviceDesc            String USB Composite Device
USB\VID... DEVPKEY_Device_BusReportedDeviceDesc String Plantronics Blackwire 3220 Series
PCI\VEN... DEVPKEY_Device_DeviceDesc            String USB xHCI Compliant Host Controller
PCI\VEN... DEVPKEY_Device_BusReportedDeviceDesc String Universal Serial Bus (USB) Controller
PCI\VEN... DEVPKEY_Device_DeviceDesc            String USB xHCI Compliant Host Controller
PCI\VEN... DEVPKEY_Device_BusReportedDeviceDesc String Universal Serial Bus (USB) Controller
PCI\VEN... DEVPKEY_Device_DeviceDesc            String USB4(TM) Host Router (Microsoft)
PCI\VEN... DEVPKEY_Device_DeviceDesc            String USB4(TM) Host Router (Microsoft)
PCI\VEN... DEVPKEY_Device_BusReportedDeviceDesc String Universal Serial Bus (USB) Controller
PCI\VEN... DEVPKEY_Device_BusReportedDeviceDesc String Universal Serial Bus (USB) Controller
```
```powershell
PS C:\WINDOWS\system32> Get-WmiObject Win32_USBHub | Select-Object Name, DeviceID

Name                   DeviceID
----                   --------
USB Root Hub (USB 3.0) USB\ROOT_HUB30\4&21BDAB31&0&0
USB Composite Device   USB\VID_13D3&PID_5463\0X0001
USB4 Root Router (1.0) USB4\ROOT_DEVICE_ROUTER&VID_8086&PID_463E\4&8469D8&0&0
USB Composite Device   USB\VID_046D&PID_C534\5&22EB828A&0&1
USB4 Root Router (1.0) USB4\ROOT_DEVICE_ROUTER&VID_8086&PID_466D\4&34C82E01&0&0
USB Root Hub (USB 3.0) USB\ROOT_HUB30\4&11BF4672&0&0
```

On the next page, leave the Scope tags at Default. If your tenant has custom scope tags, select them according to your policy needs, then click Next.

In this section, I will assign the configuration policy to the HTMD – Test Computers device group. To do this, click on Add group and select the desired device group under the Included groups option. In this example, I am not using any filters, and the Excluded groups option has been left empty.

On the Review + create page, review all settings for the Allow USB Access for Specific Devices policy. Once confirmed, select Create to deploy the policy.

Monitor the Allow USB Access for Specific Devices Policy Deployment
The configuration policy has been deployed to the Microsoft Entra ID device group HTMD – Test Computers. Once a device synchronizes, the policy takes effect immediately for devices connected from then on; a device that is already installed is not retroactively removed. To monitor the status of the policy deployment, follow the steps below in the Intune Portal.
- Navigate to Devices > Windows > Configuration > Search for the “Allow USB Access for Specific Devices based on VID, PID and Serial Number” configuration policy.
- Under the Device and user check-in status, you can see the policy’s deployment status

Analysis of Configuration Event Logs
To verify that the Allow USB Access for Specific Devices policy has reached a device, start by logging in to a device in the assigned group. Once logged in, check the policy status in the Intune event logs. To do this, open Event Viewer on the device.
- Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Filter for Event ID 814, which records that the MDM client wrote a policy string value successfully; the event text names the DeviceInstallation area and the setting. This confirms delivery of the policy, not its effect. To confirm the effect, connect the approved device and an unapproved one: the approved device installs normally, while the unapproved one appears in Device Manager with an error stating that its installation is forbidden by system policy.
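Event 814 only tells you the value was written. The script below, an added example that is not part of the original article, reads the policy back from the registry location that the Device Installation Restrictions settings are stored in (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, the layout used by the DeviceInstallation ADMX) and predicts, for each connected USB device, whether the allow list would admit it. It also makes the caveat from the configuration step concrete: an entry carrying a serial number is compared only against instance paths, never against hardware IDs. The function names Get-DeviceInstallRestriction and Test-UsbDeviceAllowed are my own, and only the settings this article relies on are evaluated; explicit Prevent lists and device-class rules are ignored, as noted in the comments.

```powershell
# Added example (not from the original article). Read the local Device Installation
# Restriction policy and predict whether each connected USB device is allowed.
# Assumption: the policy registry layout of the DeviceInstallation ADMX, which is what
# the settings-catalog profile writes on the client:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
#     DenyUnspecified (DWORD), DenyRemovableDevices (DWORD),
#     AllowDeviceIDs / AllowDeviceInstanceIDs (DWORD flag + subkey with values named 1,2,3...)

$script:PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestriction {
    # Returns the allow lists and deny flags, or $null when no policy has been applied.
    if (-not (Test-Path $script:PolicyKey)) { return $null }
    $root = Get-ItemProperty -Path $script:PolicyKey

    function Read-IdList([string]$Name) {
        # A list is active only when the DWORD flag on the parent key is 1 and the subkey exists.
        $sub = Join-Path $script:PolicyKey $Name
        if ($root.$Name -ne 1 -or -not (Test-Path $sub)) { return @() }
        (Get-ItemProperty -Path $sub).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [string]$_.Value }
    }

    [pscustomobject]@{
        DenyUnspecified        = [bool]($root.DenyUnspecified -eq 1)
        DenyRemovableDevices   = [bool]($root.DenyRemovableDevices -eq 1)
        AllowDeviceIDs         = @(Read-IdList 'AllowDeviceIDs')
        AllowDeviceInstanceIDs = @(Read-IdList 'AllowDeviceInstanceIDs')
    }
}

function Test-UsbDeviceAllowed {
    param(
        [Parameter(Mandatory)][string]$InstanceId,   # e.g. USB\VID_13D3&PID_5463\0X0001
        [string[]]$HardwareIds = @(),                 # DEVPKEY_Device_HardwareIds of the device
        $Policy = (Get-DeviceInstallRestriction)
    )
    if ($null -eq $Policy) { return 'Allowed (no Device Installation Restriction policy present)' }

    # "device instance IDs" setting: exact, case-insensitive match on the full instance path.
    if ($Policy.AllowDeviceInstanceIDs -contains $InstanceId) {
        return 'Allowed (matched AllowDeviceInstanceIDs)'
    }
    # "device IDs" setting: compared against the hardware (and compatible) IDs only.
    # An entry such as USB\VID_13D3&PID_5463\0X0001 never equals a hardware ID, so it
    # cannot allow anything from this list.
    foreach ($hw in $HardwareIds) {
        if ($Policy.AllowDeviceIDs -contains $hw) { return "Allowed (matched AllowDeviceIDs: $hw)" }
    }
    # Simplification: explicit Prevent lists and class rules are not evaluated here.
    if ($Policy.DenyUnspecified) { return 'Blocked (not described by any allow setting)' }
    # Simplification: every USB function is treated as removable for this check.
    if ($Policy.DenyRemovableDevices -and $InstanceId -like 'USB\*') { return 'Blocked (removable devices denied)' }
    return 'Allowed (no Prevent setting applies)'
}

# Check every connected USB device against the policy that Intune delivered.
Get-PnpDevice -Class USB -PresentOnly | Where-Object { $_.InstanceId -like 'USB\VID_*' } | ForEach-Object {
    $hw = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
    [pscustomobject]@{
        Device     = $_.FriendlyName
        InstanceId = $_.InstanceId
        Verdict    = Test-UsbDeviceAllowed -InstanceId $_.InstanceId -HardwareIds $hw
    }
} | Format-Table -AutoSize
```

If Get-DeviceInstallRestriction returns $null on a device that shows Event 814, the profile was acknowledged but the ADMX-backed setting has not been written yet; trigger a sync and re-run. If it returns lists but DenyUnspecified and DenyRemovableDevices are both false and no other Prevent setting is deployed, every device will report as allowed, which is the symptom of an allow list with no Prevent policy behind it.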

Author
Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. Writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out my profile on LinkedIn.