Disable Removable Storage Write Access Using Intune

In this post, we will see how to disable removable storage write access using Intune, aka Endpoint Manager. If a device stores sensitive data, you can block write access to USB storage so that data cannot be copied to USB devices. Across your corporate network, this helps prevent users from making copies of certain information and improves security.

As an organization, it's important to understand all security aspects so you can prevent malware infections or data loss. If you want to block USB device access entirely, you can follow the steps to Block USB Device Access using Intune.

You can perform basic Intune user policy deployment troubleshooting from the MEM admin center portal. More details on Intune logs, event IDs, and IME logs are available in the HTMD blog post.

Disable Removable Storage Write Access Using Intune

This section will help you create and assign a policy that denies write access to removable storage using Intune settings catalog policies. You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune-managed Windows 11 or Windows 10 devices using Intune Filters.


Let’s get started –

  • Sign in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile
Intune Configuration Profiles – Create Profile
  • In Create Profile, select Windows 10 and later as the Platform and Settings catalog as the Profile type. Click the Create button.
Intune Configuration Profiles – Select Platform, Profile type

On the Basics tab, enter a descriptive name, such as Disable Removable Storage Write Access. Optionally, enter a Description for the policy, then select Next.

Create profile – Disable Removable Storage Write Access

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Settings catalog – Click + Add settings

In the Settings picker window, select Storage to see all the settings in this category. Select Removable Disk Deny Write Access below. After adding your settings, click the cross mark in the right-hand corner to close the settings picker.

Setting Picker – Select Storage

The setting is shown and configured with a default value of Disabled. Set Removable Disk Deny Write Access to Enabled. Click Next.

Removable Disk Deny Write Access – If you enable this policy setting, write access is denied to this removable storage class.

Set Removable Disk Deny Write Access – Enabled

Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.

Assignments – Select groups to include

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Review + Create | Disable Removable Storage Write Access Using Intune

A notification will appear automatically in the top right-hand corner with the message: Policy “Disable Removable Storage Write Access” created successfully. The policy is also shown in the Configuration profiles list.

Policy “Disable Removable Storage Write Access” created successfully

Your groups will receive the profile settings when the devices check in with the Intune service. Once the policy applies to a device, the ability to write data to removable storage is blocked. When a USB removable storage device is attached and the user tries to create a folder or copy data to it, they are prompted with this error: Access Denied.

Event Log ID 813 – Disable Removable Storage Write Access

You can now look into the event logs to find out whether the policy has been deployed. Look for Event ID 813 entries for the Disable Removable Storage Write Access Intune policy.

MDM PolicyManager: Set policy int, Policy: (AllowStorageCard), Area: (System), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (RemovableDiskDenyWriteAccess), Area: (Storage), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).


Registry Entries Disable Removable Storage Write Access Intune Policy

The following registry entry should be present, confirming that the Disable Removable Storage Write Access Intune policy has been applied.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\Device\System

AllowStorageCard = 0

Registry Entries Disable Removable Storage Write Access Intune Policy
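
To script the event log and registry checks above on a managed device, the following PowerShell is an added example, not code from the original post. It assumes the MDM events are in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log and that the provider key has a Storage subkey alongside the System key shown above; the helper name ConvertFrom-PolicyManagerMessage is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumption: MDM PolicyManager events are written to this Admin log.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
# Matches the Event ID 813 message layout quoted in the post.
$Pattern = '(?s)Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\), ' +
           'EnrollmentID requesting merge: \((?<Enrollment>[^)]+)\).*?Int: \((?<Int>0x[0-9A-Fa-f]+)\)'

# Hypothetical helper: turn one 813 message into an object, or nothing if it does not match.
function ConvertFrom-PolicyManagerMessage {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match $Pattern) {
        [pscustomobject]@{
            Policy     = $Matches.Policy
            Area       = $Matches.Area
            Enrollment = $Matches.Enrollment
            Value      = [Convert]::ToInt32($Matches.Int, 16)
        }
    }
}

# Offline check of the parser against the message quoted in the post.
$sample = 'MDM PolicyManager: Set policy int, Policy: (RemovableDiskDenyWriteAccess), Area: (Storage), ' +
          'EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (Device), ' +
          'Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).'
$parsed = ConvertFrom-PolicyManagerMessage $sample
Write-Host "Sample parse: $($parsed.Area)/$($parsed.Policy) = $($parsed.Value)"

# Live check 1: most recent Event ID 813 that set the Storage policy (Get-WinEvent returns newest first).
$latest = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-PolicyManagerMessage $_.Message } |
    Where-Object { $_.Area -eq 'Storage' -and $_.Policy -eq 'RemovableDiskDenyWriteAccess' } |
    Select-Object -First 1

if (-not $latest) {
    Write-Warning 'No Event ID 813 for RemovableDiskDenyWriteAccess found; the policy may not have synced yet.'
    return
}

# Live check 2: the provider key for that enrollment. The Storage subkey is assumed by
# analogy with the ...\default\Device\System key shown in the post.
$key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$($latest.Enrollment)\default\Device\Storage"
$reg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RemovableDiskDenyWriteAccess

[pscustomobject]@{
    EventValue    = $latest.Value
    RegistryValue = $reg
    WriteDenied   = ($latest.Value -eq 1 -and $reg -eq 1)
}
```

A WriteDenied value of False with an EventValue of 1 means the event was logged but the registry value under the assumed Storage key is missing or different, which is worth checking before treating the device as protected.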

Author

About Author -> Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10, Windows 11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
