How to Control Access to Format and Eject Removable Media in Windows using Intune Policy

Let’s discuss how to Control Access to Format and Eject Removable Media in Windows using Intune Policy. The “Devices: Allowed to format and eject removable media” policy determines who can format or safely remove removable NTFS drives, such as USB flash drives or external hard disks.

It helps control how users use removable media and ensures that only trusted individuals can make changes that could affect the data or device. When this policy is configured, the admins can choose between two options such as Administrators or “Administrators and Interactive Users.”

If only Administrators are allowed, then only users with admin rights can format or remove removable NTFS drives, which helps prevent data loss or mistakes. If Administrators and Interactive Users are allowed, then regular users who log in to the computer can also manage removable drives without needing admin access.

If you don’t set this policy, Windows automatically allows only Administrators to format or eject removable drives. This default rule helps protect important data by stopping regular users from accidentally deleting or changing files on removable devices. It also helps prevent viruses or unauthorized users from using removable drives to harm the computer

Patch My PC

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy

In companies, IT admins can use tools like Intune, Group Policy, or other MDM solutions to set this policy on all computers. This makes sure every device follows the same rules for using removable drives. Sign in to the Intune Admin Center portal https://intune.microsoft.com/.

  • Select Devices > Windows > Configuration profiles > Create a profile.
PlatformProfile Type
Windows 10 and laterSettings Catalog
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Table 1
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.1
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.1

Basic Details of the Devices Allowed To Format And Eject Removable Media Policy

Organizations that handle confidential or sensitive data usually keep the default setting only Administrators can format or eject drives to stay secure. But in places where users need more flexibility, like media teams or field workers, admins might allow regular users to manage removable drives for convenience.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.2
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.2

Settings Catalog – Configure Device Policies Easily

The Settings Catalog allows you to choose and configure specific settings for your devices. By clicking +Add settings, you can browse or search through the catalog to find the exact policies you want to set up. This makes it easier for administrators to manage and apply the right configurations across all devices from one place.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.3
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.3

Local Policy Security Options

In the picker window, simply search for Local Policies Security Options to view all related settings. From the list that appears (which includes over 50 options), select Accounts: Devices Allowed To Format And Eject Removable Media to configure this specific policy.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.4
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.4

Default Settings of Devices Allowed To Format And Eject Removable Media

The Devices Allowed To Format And Eject Removable Media policy uses the following properties includes
Format: chr (string), Access Type: Add, Delete, Get, Replace, Default Value: 0. The policy accepts a character string as input and supports multiple access actions like adding, deleting, retrieving, or replacing values.

  • By default, its value is set to 0, which allows only administrators to format or eject removable NTFS media unless modified.
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.5
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.5

Non-Administrator Users Permission to Manage Removable NTFS Media

If you are setting the value to 1, you are giving non-administrator users permission to manage removable NTFS media, making it easier for them to format or safely remove devices without needing admin rights.

  • When the value is 0 (default) – Only Administrators can format or eject removable drives.
  • When the value is 1 – Both Administrators and Interactive Users (regular users who log on locally) can format and eject removable drives.
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.6
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.6

Scope Tags Settings

The policy Devices: Allowed to format and eject removable media can be found under the path: Windows Settings > Security Settings > Local Policies > Security Options. This location in Windows Security Settings is where administrators can view or modify the policy to control which users are allowed to format or safely remove removable NTFS drives.

  • Here, I will use the default scope tag for this policy.
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.7
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.7

Assignment Settings of the Policy

In the default settings of the policy, a company handling sensitive client data keeps it set to Administrators only. This ensures that regular employees cannot accidentally format the USB drives containing confidential documents. It helps the company to maintain data security.

  • Select the Assignment group by clicking the Add groups option under Included groups
  • Here we select 2 Device groups that is shown in the below screenshot
  • Click Next to proceed the policy settings
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.8
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.8

Final Step when you are Creating or Configuring a Policy

Here you can see a summary of all the settings you have configured for the policy. This includes the policy name, description, platform, and all configuration options. It helps you to double-check that everything is correct before deployment.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.9
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.9

Policy Created Successfully Notification

The policy “Devices Allowed To Format And Eject Removable Media” has been created successfully. It is now ready to be assigned to devices according to your configuration. With this policy in place, you can control which users are allowed to format or safely remove NTFS drives, helping maintain data security and proper device management.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.10
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.10

Device and User Check in Status

The check-in status for the “Devices Allowed To Format And Eject Removable Media” policy shows that it has been successfully applied to 2 devices. There are currently 0 errors, 0 conflicts, and 0 devices where the policy is not applicable.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.11
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.11

MDM PolicyManager – Devices Allowed To Format And Eject Removable Media

The MDM PolicyManager log shows that the policy Devices_AllowedToFormatAndEjectRemovableMedia was set successfully. The policy is part of the Local Policies Security Options area and was applied with a value of 1, allowing both Administrators and Interactive Users to format and eject removable NTFS drives.

To confirm this, you can check the Event log path – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Set policy string, Policy:
(Devices_AllowedToFormatAndEjectRemovableMedia), Area: (LocalPoliciesSecurityOptions),
EnrollmentID requesting merqe: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), String: (1), Enrollment Type: (0x6), Scope: (0x0).

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.12
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.12

Windows CSP Details

The policy is applicable to Windows 10, version 1709 [10.0.16299] and later, ensuring compatibility with modern Windows devices while controlling who can format or safely remove removable NTFS drives. It is supported on the following editions of Windows: Pro, Enterprise, Education, IoT Enterprise, and IoT Enterprise LTSC.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.13
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.13

How to Remove the Assigned Group from the Policy

Removing an assigned group from a policy allows administrators to stop the policy from applying to that group’s devices or users. This can be useful when the group no longer requires the restrictions or settings defined in the policy.

Read more How to Remove Assigned Group from Energy Saver Battery Threshold Policy in Intune Settings Catalog.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.14
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.14

How to Delete the Devices Allowed To Format And Eject Removable Media Policy

Deleting a policy is important because it offers several advantages for administrators and organisations. It removes unnecessary restrictions from devices or users, preventing outdated or irrelevant settings from being enforced.

Read more – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

How to Control Access to Format and Eject Removable Media in Windows using Intune Policy - Fig.15
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy – Fig.15

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.

Leave a Comment