How to Block USB Device Access with Exceptions using Microsoft Intune

Microsoft Intune includes Endpoint security policies that you can use to secure your device and mitigate the risks. The Endpoint security blade lists all the tools available through Endpoint Manager that you will use to keep devices secure. In this blog post, we will discuss how to block USB device access using Microsoft Intune Device Control settings. We will also discuss how to manage exceptions so users with genuine business needs can still access USB media.

Create Azure AD Groups

We will create two Azure Active Directory (AAD) groups to block USB device access and allow exceptions to devices when users have genuine business need.

  • All Windows 10/11 Devices: We will use this group to deploy the USB Device Control policy on all Windows 10/11 devices.
  • USB Device Restrictions – Exception: We will use this group to provide a temporary or permanent exception to user by adding their devices to AD group.

Create both groups from Endpoint Manager admin center | Groups blade.

Group 1 :

Group Type: Security

Name: All Windows 10/11 Devices

Membership Type: Dynamic Devices

Endpoint Manager | Group

Dynamic membership rule:

(device.deviceOSType -contains "Windows") and (device.deviceOSVersion -startsWith "10.0")

Group 2:

Create second Group USB Device Restrictions – Exception with the details in below screenshot. We are not adding any members in this group as of now.

Group Type: Security

Group Name: USB Device Restriction – Exceptions

Membership Type: Assigned

Create a Device Control Policy to Block USB Device Access

We will now create a Device control policy to deploy settings on Windows 10 / 11 devices. The device control policy will block USB device access once it’s applied to a device.

To create a Device control policy, Go to Microsoft Endpoint Manager admin center and select Endpoint security | Attack Surface reduction | Create policy

Endpoint security | Attack surface reduction

Select the following details in Create a profile pane and click on Create.

Platform: Windows and later

Profile: Device control

Endpoint security | Device control profile

Endpoint security | Device control profile | USB restriction

In the Configuration settings tab, set Block removable storage setting to Yes and click on Next

Endpoint security | Device control profile | Block USB Device Access

Apply the scope tags in next screen if applicable, else click on Next to got to Assignments tab.

Add All Windows 10/11 Devices AAD group in the Included groups section.

Add USB Device Restriction – Exception AAD group in the excluded groups section.

Click on Next.

Endpoint security | Device control profile | USB restriction

In the Review + create tab, review the settings and click on Create to complete profile creation process.

Endpoint security | Device control profile | USB restriction

You can validate profile from Endpoint security | Attack surface reduction blade.

Endpoint security | Device control profile | Validate

Force policy sync on your test device and check the policy Assignment Status after some time. The policy has been successfully applied now.

Endpoint security | Device control profile | Validate

You can also validate the per-setting status if you have added multiple settings in the same policy.

Endpoint security | Device control profile | Per-setting status

End User Experience

Once the policy successfully applied, a user would not be able to access the USB media. The following error will be shown when the user tries to access USB media.

Endpoint security | Device control profile | End User Experience

End User Experience After Applying Exception

To exclude a device from the USB block list, the user device needs to be added to the AAD group that we created in the beginning.

Go to Endpoint Manager | Groups and select USB Device Restriction – Exceptions Group and select Members.

Click on Add Members to add the device to Azure AD Group.

Endpoint Manager | Group | Membership

Once the policy is refreshed on the client, the user can access the USB device. We have added the same device in the exception where USB was blocked.

Manage exceptions through Azure AD Group

As an MEM | Intune administrator, your responsibility should be limited to the policy implementation. Since the exception management for this policy will be an ongoing activity, this needs to be carefully planned and handed over to lower support tiers or location leads.

Here is a simple plan which you can use to delegate the group membership. A global AAD group will be used for policy exclusion and a child group for each site ( This can be departments, business units, etc. based on your requirements) will be added to global group membership. The child group owner will be from the local site who can validate user exception requests and add the user to their site-specific exceptions group.

See the illustration in the below screenshot.

Endpoint Security | USB Exception Management Plan

Related Posts

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Scroll to Top