USB devices are a quick way to move data between machines. However, they also pose a significant risk to corporate data security, so organizations either block the use of USB devices altogether or deny write access to them.
In this blog post, we will discuss how to deny write access to USB devices using Microsoft Endpoint Manager / Intune. We will also discuss an approach for granting an exception whenever there is a genuine business need.
Create Device Configuration Profile
This requirement can be achieved using a Device Configuration Profile. Follow the steps below to deny write access to USB devices using a Device Configuration Profile.
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Select Windows 10 and later.
- Profile type: Select Settings Catalog (Preview) and click on Create.
Intune | Device Configuration Profile
In Basics page, enter the following details:
- Name: Enter a descriptive name for the profile. For example, enter Deny Write Access to USB Devices
- Description: Enter a description for the profile.
Intune | Device Configuration Profile | Basics
In Configuration settings, click on Add settings.
Search for "removable storage access", click on Administrative Templates\System\Removable Storage Access and then click on Select.
Select the following setting from the list:
- Removable Disks: Deny write access (User)
On the left side, set Removable Disks: Deny write access to Enabled and click on Next.
Device Configuration Profile | Setting Picker
In Assignments page, add the group you want to assign this profile. If you want to have an exception process in place for this policy then add the group which you want to exclude.
Device Configuration Profile | Assignment
In Review & create page, review the settings and click on Create.
Device Configuration Profile | Review & create
The Device configuration profile is now created. You can see the assignment status by clicking on Device configuration profile name.
End User Experience
Here is the end user experience. When a user tries to copy files to USB media, the following message is displayed.
If the user clicks on Continue, the message below is displayed.
As explained earlier, exceptions can be managed through an Azure AD group. The Azure AD group you created for exceptions needs to be added in the Assignments page > Exclude section. Once added, any device that is a member of that AAD group is excluded from the profile, and USB write access is not denied on those devices.
You can define a process to add and remove devices from this exception group as per organization policy. A device should be removed once its exception period is over.
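To verify on an enrolled device that the profile above has actually taken effect (and that a device in the exception group really is excluded), here is an added PowerShell check that is not part of the original post. It assumes that the Settings Catalog setting, being ADMX-backed, is written to the same registry location as the equivalent Group Policy setting; the drive write probe is a harmless temporary file that is deleted immediately if the write succeeds.

```powershell
# Added example (not from the original post): check whether "Removable Disks: Deny write access"
# is in effect on this device, then confirm it with a harmless write probe on removable drives.
# Assumption: the Settings Catalog (ADMX-backed) setting lands in the Group Policy registry path.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class GUID for removable disks
$PolicyKeys = @(
    "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"  # User scope (this post)
    "HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"  # Device scope variant
)

function Test-UsbDenyWritePolicy {
    # Returns whether Deny_Write = 1 is present, and in which scope(s).
    $result = [ordered]@{ Configured = $false; Scope = @() }
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
        if ($value -eq 1) {
            $result.Configured = $true
            $result.Scope += $(if ($key -like 'HKCU:*') { 'User' } else { 'Device' })
        }
    }
    [pscustomobject]$result
}

function Test-RemovableDriveWrite {
    # Tries to create and delete a small temp file on each removable drive with a drive letter.
    # On a device where the policy applies, every drive should report WriteAllowed = $false.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $probe = Join-Path "$($_.DriveLetter):\" ("usb-policy-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            [System.IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -Path $probe -Force
            $writeAllowed = $true
        } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
            $writeAllowed = $false
        }
        [pscustomobject]@{ Drive = "$($_.DriveLetter):"; Label = $_.FileSystemLabel; WriteAllowed = $writeAllowed }
    }
}

$policy = Test-UsbDenyWritePolicy
$policy | Format-List
$drives = @(Test-RemovableDriveWrite)
$drives | Format-Table -AutoSize

if ($policy.Configured -and ($drives | Where-Object WriteAllowed)) {
    Write-Warning 'Policy is configured but a removable drive accepted a write; check whether the policy applied to this user session.'
} elseif (-not $policy.Configured) {
    Write-Host 'Deny-write policy not present on this device (expected only for devices in the exclusion group).'
}
```

Run it in the context of the signed-in user, since the setting in this post is user-scoped; on an excluded device the policy should be absent and the write probe should succeed.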