How to Block USB Device Access with Exceptions using Microsoft Intune

Microsoft Intune includes Endpoint security policies which you can use to secure your devices and mitigate risks. The Endpoint security blade lists all the tools available through Endpoint Manager that you will use to keep devices secure. In this blog post, we will discuss how to block USB device access using Microsoft Intune Device Control settings. We will also discuss how to manage exceptions so that users with a genuine business need can still access USB media.

Create Azure AD Groups

We will create two Azure Active Directory (AAD) groups: one to block USB device access and one to allow an exception for devices whose users have a genuine business need.

  • All Windows 10/11 Devices: We will use this group to deploy the USB Device Control policy to all Windows 10/11 devices.
  • USB Device Restriction – Exceptions: We will use this group to grant a temporary or permanent exception to a user by adding their device to the AAD group.

Create both groups from the Endpoint Manager admin center, Groups blade.

Group 1:

Group Type: Security

Name: All Windows 10/11 Devices

Membership Type: Dynamic Devices

Endpoint Manager | Group

Dynamic membership rule:

(device.deviceOSType -contains "Windows") and (device.deviceOSVersion -startsWith "10.0")
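As an added example (not part of the original post), the following PowerShell previews which Azure AD devices the dynamic rule above would place in "All Windows 10/11 Devices" before the USB block policy is targeted at that group. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account has Device.Read.All; the function name Get-DynamicRulePreview is my own.

```powershell
# Added example, not part of the original post: preview the dynamic rule
# (device.deviceOSType -contains "Windows") and (device.deviceOSVersion -startsWith "10.0")
# against the real device inventory. Assumes Microsoft.Graph SDK + Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All" -NoWelcome

function Get-DynamicRulePreview {
    # Graph exposes deviceOSType / deviceOSVersion (the names used in dynamic
    # rules) as operatingSystem / operatingSystemVersion. The comparison is done
    # client-side so the semantics mirror the rule literally:
    #   -contains "Windows" -> substring match
    #   -startsWith "10.0"  -> prefix match (Windows 11 builds are 10.0.22000+,
    #                          so both Windows 10 and Windows 11 match)
    $props = "displayName,operatingSystem,operatingSystemVersion,accountEnabled"
    $all = Get-MgDevice -All -Property $props

    $matched = $all | Where-Object {
        $_.OperatingSystem -like "*Windows*" -and $_.OperatingSystemVersion -like "10.0*"
    }
    # Windows devices the rule would silently leave outside the USB block
    # (e.g. an unexpected version string): review these before relying on the group.
    $missed = $all | Where-Object {
        $_.OperatingSystem -like "*Windows*" -and $_.OperatingSystemVersion -notlike "10.0*"
    }
    [pscustomobject]@{
        Matched       = $matched | Select-Object DisplayName, OperatingSystem, OperatingSystemVersion, AccountEnabled
        MissedWindows = $missed  | Select-Object DisplayName, OperatingSystem, OperatingSystemVersion
    }
}

$preview = Get-DynamicRulePreview
"{0} devices match the rule; {1} Windows devices do not" -f @($preview.Matched).Count, @($preview.MissedWindows).Count
$preview.MissedWindows | Format-Table -AutoSize
```

Cross-check the matched count against the group's Validate Rules tab in the Azure AD portal, since the portal evaluates the rule server-side.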

Group 2:

Create the second group, USB Device Restriction – Exceptions, with the details in the screenshot below. We are not adding any members to this group as of now.

Group Type: Security

Group Name: USB Device Restriction – Exceptions

Membership Type: Assigned

Create Device Control Policy to Block USB Device Access

We will now create a Device control policy to deploy the settings to Windows 10/11 devices. The Device control policy blocks USB device access once it is applied on a device.

To create a Device control policy, go to the Microsoft Endpoint Manager admin center and select Endpoint security | Attack surface reduction | Create policy.

Endpoint security | Attack surface reduction

Select the following details in the Create a profile pane and click on Create.

Platform: Windows and later

Profile: Device control

Endpoint security | Device control profile

Endpoint security | Device control profile | USB restriction

In the Configuration settings tab, set the Block removable storage setting to Yes and click on Next.

Endpoint security | Device control profile | Block USB Device Access

Apply scope tags on the next screen if applicable, otherwise click on Next to go to the Assignments tab.

Add the All Windows 10/11 Devices AAD group in the Included groups section.

Add the USB Device Restriction – Exceptions AAD group in the Excluded groups section.

Click on Next.

Endpoint security | Device control profile | USB restriction

In the Review + create tab, review the settings and click on Create to complete the profile creation process.

Endpoint security | Device control profile | USB restriction

You can validate the profile from the Endpoint security | Attack surface reduction blade.

Endpoint security | Device control profile | Validate

Force a policy sync on your test device and check the policy Assignment Status after some time. The policy has now been applied successfully.

Endpoint security | Device control profile | Validate

You can also validate the per-setting status if you have added multiple settings in the same policy.

Endpoint security | Device control profile | Per-setting status

End User Experience

Once the policy is applied successfully, the user can no longer access USB media. The following error is shown when the user tries to access USB media.

Endpoint security | Device control profile | End User Experience

End User Experience After Applying Exception

To exclude a device from the USB block, the device needs to be added to the AAD group we created at the beginning.

Go to Endpoint Manager | Groups, select the USB Device Restriction – Exceptions group and select Members.

Click on Add members to add the device to the Azure AD group.

Endpoint Manager | Group | Membership

Once the policy is refreshed on the client, the user can access USB devices. We added the same device on which USB was blocked to the exception group.

Manage exceptions through Azure AD Group

As an MEM / Intune administrator, your responsibility should be limited to the policy implementation. Since exception management for this policy will be an ongoing activity, it needs to be carefully planned and handed over to lower support tiers or location leads.

Here is a simple plan you can use to delegate the group membership. A global AAD group is used for the policy exclusion, and a child group for each site (this can be departments, business units etc. based on your requirements) is added as a member of the global group. The child group owner is from the local site and can validate user exception requests and add the user's device to their site-specific exceptions group.

See the illustration in the screenshot below.

Endpoint Security | USB Exception Management Plan
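Because every device in the exclusion group is a device on which the USB block no longer applies, the nested structure above needs a periodic review. As an added example (not part of the original post), this PowerShell lists every excluded device, the site group it came from and that group's owners, and flags devices that were added straight into the global group and therefore bypassed a site owner. It assumes the Microsoft.Graph PowerShell SDK with Group.Read.All; Get-UsbExceptionReport is my own function name and the group name is the one created earlier in this post.

```powershell
# Added example, not part of the original post: audit the nested USB exception
# groups. Assumes Microsoft.Graph SDK + Group.Read.All.
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

function Get-UsbExceptionReport {
    param([string]$GlobalGroupName = "USB Device Restriction – Exceptions")

    $global = Get-MgGroup -Filter "displayName eq '$GlobalGroupName'"
    if (-not $global) { throw "Group '$GlobalGroupName' not found" }

    foreach ($m in Get-MgGroupMember -GroupId $global.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.group') {
            # Site / department child group: the intended path for exceptions.
            # Its owners are the people accountable for each device listed under it.
            $owners = (Get-MgGroupOwner -GroupId $m.Id -All |
                ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
            $finding = if ($owners) { '' } else { 'Site group has no owner' }
            foreach ($d in Get-MgGroupMember -GroupId $m.Id -All) {
                if ($d.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') { continue }
                [pscustomobject]@{
                    SiteGroup  = $m.AdditionalProperties['displayName']
                    SiteOwners = $owners
                    Device     = $d.AdditionalProperties['displayName']
                    Finding    = $finding
                }
            }
        } elseif ($type -eq '#microsoft.graph.device') {
            # A device placed directly in the global group skipped the site-owner
            # validation step the plan relies on; surface it for review.
            [pscustomobject]@{
                SiteGroup  = '(direct member)'
                SiteOwners = ''
                Device     = $m.AdditionalProperties['displayName']
                Finding    = 'Added directly to global group; no site owner'
            }
        }
    }
}

Get-UsbExceptionReport | Sort-Object SiteGroup, Device | Format-Table -AutoSize
# For a scheduled review: Get-UsbExceptionReport | Export-Csv usb-exceptions.csv -NoTypeInformation
```

Any row with a non-empty Finding is a gap in the delegation model: either the device should be moved into a site group, or the site group needs an owner assigned.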


2 thoughts on “How to Block USB Device Access with Exceptions using Microsoft Intune”

    1. Thanks for pointing to this. I see the settings to block USB storage devices are no longer available in Endpoint security / Attack Surface protection. Will check and update soon.
