Let’s discuss how to Control Access to Format and Eject Removable Media in Windows using Intune Policy. The “Devices: Allowed to format and eject removable media” policy determines who can format or safely remove removable NTFS drives, such as USB flash drives or external hard disks.
It helps control how users use removable media and ensures that only trusted individuals can make changes that could affect the data or device. When this policy is configured, the admins can choose between two options such as Administrators or “Administrators and Interactive Users.”
If only Administrators are allowed, then only users with admin rights can format or remove removable NTFS drives, which helps prevent data loss or mistakes. If Administrators and Interactive Users are allowed, then regular users who log in to the computer can also manage removable drives without needing admin access.
If you don’t set this policy, Windows automatically allows only Administrators to format or eject removable drives. This default rule helps protect important data by stopping regular users from accidentally deleting or changing files on removable devices. It also helps prevent viruses or unauthorized users from using removable drives to harm the computer
Table of Contents
How to Control Access to Format and Eject Removable Media in Windows using Intune Policy
In companies, IT admins can use tools like Intune, Group Policy, or other MDM solutions to set this policy on all computers. This makes sure every device follows the same rules for using removable drives. Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Select Devices > Windows > Configuration profiles > Create a profile.
Platform | Profile Type |
---|---|
Windows 10 and later | Settings Catalog |

- How Intune Inventory Helps to Monitor Logical Drives on Windows Devices
- Use CHKDSK Tool to Fix Windows Issues
- 6 Different way to Find File System of a Drive in Windows 11
Basic Details of the Devices Allowed To Format And Eject Removable Media Policy
Organizations that handle confidential or sensitive data usually keep the default setting only Administrators can format or eject drives to stay secure. But in places where users need more flexibility, like media teams or field workers, admins might allow regular users to manage removable drives for convenience.

Settings Catalog – Configure Device Policies Easily
The Settings Catalog allows you to choose and configure specific settings for your devices. By clicking +Add settings, you can browse or search through the catalog to find the exact policies you want to set up. This makes it easier for administrators to manage and apply the right configurations across all devices from one place.

Local Policy Security Options
In the picker window, simply search for Local Policies Security Options to view all related settings. From the list that appears (which includes over 50 options), select Accounts: Devices Allowed To Format And Eject Removable Media to configure this specific policy.

Default Settings of Devices Allowed To Format And Eject Removable Media
The Devices Allowed To Format And Eject Removable Media policy uses the following properties includes
Format: chr (string), Access Type: Add, Delete, Get, Replace, Default Value: 0. The policy accepts a character string as input and supports multiple access actions like adding, deleting, retrieving, or replacing values.
- By default, its value is set to 0, which allows only administrators to format or eject removable NTFS media unless modified.

Non-Administrator Users Permission to Manage Removable NTFS Media
If you are setting the value to 1, you are giving non-administrator users permission to manage removable NTFS media, making it easier for them to format or safely remove devices without needing admin rights.
- When the value is 0 (default) – Only Administrators can format or eject removable drives.
- When the value is 1 – Both Administrators and Interactive Users (regular users who log on locally) can format and eject removable drives.

- Different Methods for Deleting Files in Windows 11
- How to Check Drive Encryption Support in Windows 11
- Enable Disable Performance Mode for Dev Drive Protection in Windows 11
Scope Tags Settings
The policy Devices: Allowed to format and eject removable media can be found under the path: Windows Settings > Security Settings > Local Policies > Security Options. This location in Windows Security Settings is where administrators can view or modify the policy to control which users are allowed to format or safely remove removable NTFS drives.
- Here, I will use the default scope tag for this policy.

Assignment Settings of the Policy
In the default settings of the policy, a company handling sensitive client data keeps it set to Administrators only. This ensures that regular employees cannot accidentally format the USB drives containing confidential documents. It helps the company to maintain data security.
- Select the Assignment group by clicking the Add groups option under Included groups
- Here we select 2 Device groups that is shown in the below screenshot
- Click Next to proceed the policy settings

Final Step when you are Creating or Configuring a Policy
Here you can see a summary of all the settings you have configured for the policy. This includes the policy name, description, platform, and all configuration options. It helps you to double-check that everything is correct before deployment.

Policy Created Successfully Notification
The policy “Devices Allowed To Format And Eject Removable Media” has been created successfully. It is now ready to be assigned to devices according to your configuration. With this policy in place, you can control which users are allowed to format or safely remove NTFS drives, helping maintain data security and proper device management.

Device and User Check in Status
The check-in status for the “Devices Allowed To Format And Eject Removable Media” policy shows that it has been successfully applied to 2 devices. There are currently 0 errors, 0 conflicts, and 0 devices where the policy is not applicable.

MDM PolicyManager – Devices Allowed To Format And Eject Removable Media
The MDM PolicyManager log shows that the policy Devices_AllowedToFormatAndEjectRemovableMedia was set successfully. The policy is part of the Local Policies Security Options area and was applied with a value of 1, allowing both Administrators and Interactive Users to format and eject removable NTFS drives.
To confirm this, you can check the Event log path – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.
MDM PolicyManager: Set policy string, Policy:
(Devices_AllowedToFormatAndEjectRemovableMedia), Area: (LocalPoliciesSecurityOptions),
EnrollmentID requesting merqe: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), String: (1), Enrollment Type: (0x6), Scope: (0x0).

Windows CSP Details
The policy is applicable to Windows 10, version 1709 [10.0.16299] and later, ensuring compatibility with modern Windows devices while controlling who can format or safely remove removable NTFS drives. It is supported on the following editions of Windows: Pro, Enterprise, Education, IoT Enterprise, and IoT Enterprise LTSC.

How to Remove the Assigned Group from the Policy
Removing an assigned group from a policy allows administrators to stop the policy from applying to that group’s devices or users. This can be useful when the group no longer requires the restrictions or settings defined in the policy.
Read more – How to Remove Assigned Group from Energy Saver Battery Threshold Policy in Intune Settings Catalog.

How to Delete the Devices Allowed To Format And Eject Removable Media Policy
Deleting a policy is important because it offers several advantages for administrators and organisations. It removes unnecessary restrictions from devices or users, preventing outdated or irrelevant settings from being enforced.
Read more – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.