Block USB Device Access using Intune

In this post, we will see how to block USB device access in Microsoft Intune, aka Endpoint Manager. As an organization, it's important to understand all security aspects to stay protected and safe. You can block access to USB storage to restrict copying data to USB devices and to control the use of unauthorized USB devices in your corporate network.

With the settings for device control, you can configure devices for a layered approach to secure removable media. Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices.

You can read more in Windows 10 Security Enhancements and Security Survey, which give more details on what the industry is thinking about modern security threats and how organizations plan to handle them in their environments.


Block USB Device Access using Intune

Follow the steps below to block USB device access using Intune.


In Create Profile, select Windows 10 and later as the Platform and Device control as the Profile. Click Create.

Intune Attack surface reduction – Select Platform, Profile type

On the Basics tab, enter a descriptive name, such as USB Device Restriction – Windows 10. Optionally, enter a Description for the policy, then select Next.

Create Device Control Policy – Block USB Drive Access

On the Configuration settings tab, scroll down the list of available device control settings and set Block removable storage to Yes. This policy will block the use of removable storage on the device. Click Next.

Configure Policy – Block USB Device Access using Intune

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

Under Assignments, in Included groups, select Add groups and then choose Select groups to include one or more groups. Select Next to continue.

Assignments – Select groups to include | Block USB Drive Access using Intune

In Review + create, review your settings. When you select Create, your changes are saved, and the policy is assigned.

Review + Create – Policy

A notification appears automatically in the top right-hand corner with the message Profile created successfully. The policy also appears in the list, as shown below.

Your groups will receive the policy settings when their devices check in with the Intune service.

Policy “Block USB Device Access” created successfully

End User Experience

Once the policy applies to the device, users will not be able to access removable storage devices connected to the system.

Block USB Device Access – Intune
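
To confirm enforcement on a targeted device instead of relying on the portal status alone, the following PowerShell check (an added example, not part of the original post) probes every removable volume for read and write access. The function name Test-RemovableStorageAccess and the probe file name are hypothetical, and the script assumes a blocked drive surfaces as an access error.

```powershell
# Added example: run on a targeted device after it has checked in,
# with a USB storage device plugged in.
function Test-RemovableStorageAccess {
    [CmdletBinding()]
    param()

    # DriveType 2 is "Removable Disk" in Win32_LogicalDisk.
    $disks = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')
    if ($disks.Count -eq 0) {
        Write-Warning 'No removable volume is visible: nothing is plugged in, or the device never mounted.'
        return
    }

    foreach ($disk in $disks) {
        $root     = "$($disk.DeviceID)\"
        $canRead  = $false
        $canWrite = $false
        $detail   = ''

        # Read probe: list the root of the volume.
        try {
            Get-ChildItem -LiteralPath $root -Force -ErrorAction Stop | Out-Null
            $canRead = $true
        } catch {
            $detail = $_.Exception.Message
        }

        # Write probe: create and remove a uniquely named temporary file (hypothetical name).
        $probe = Join-Path -Path $root -ChildPath ('probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            $canWrite = $true
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch {
            if (-not $detail) { $detail = $_.Exception.Message }
        }

        # Detail keeps the first error text so an empty card reader
        # ("device not ready") can be told apart from a policy denial.
        [pscustomobject]@{
            Drive    = $disk.DeviceID
            CanRead  = $canRead
            CanWrite = $canWrite
            Blocked  = -not ($canRead -or $canWrite)
            Detail   = $detail
        }
    }
}

Test-RemovableStorageAccess | Format-Table -AutoSize -Wrap
```

A row with Blocked set to True and an access-denied message in Detail indicates the policy is in effect for that drive; a row with CanRead or CanWrite set to True means the device has not yet received or applied the policy.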

Author

About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
