Deny Write Access to USB Devices Using Intune Catalog Settings

USB devices are a quick way to move data between machines. However, they also pose a serious risk to corporate data security, so organizations either block the use of USB devices entirely or deny write access to them.

In this blog post, we will discuss how to deny write access to USB devices using Microsoft Endpoint Manager / Intune. We will also discuss an approach for granting an exception whenever there is a genuine business need.

Create Device Configuration Profile

This requirement can be met with a Device Configuration Profile. Follow the steps below to deny write access to USB devices using a Device Configuration Profile.

Sign in to the Microsoft Endpoint Manager admin center.

Select Devices > Configuration profiles > Create profile.

Enter the following properties:

  • Platform: Select Windows 10 and later.
  • Profile type: Select Settings Catalog (Preview) and click Create.

Intune | Device Configuration Profile

On the Basics page, enter the following details:

  • Name: Enter a descriptive name for the profile, for example Deny Write Access to USB Devices.
  • Description: Enter a description for the profile.

Select Next.

Intune | Device Configuration Profile | Basics

In Configuration settings, click Add settings.

Search for removable storage access, click Administrative Templates\System\Removable Storage Access, and then click Select.

Select the following setting from the list:

  • Removable Disks: Deny write access (User)

Set Removable Disks: Deny write access to Enabled in the left pane and click Next.

Device Configuration Profile | Setting Picker

On the Assignments page, add the group you want to assign this profile to. If you want an exception process in place for this policy, also add the group you want to exclude.

Device Configuration Profile | Assignment

On the Review + create page, review the settings and click Create.

Device Configuration Profile | Review & create

The Device Configuration Profile is now created. You can see the assignment status by clicking the profile name.

Device Configuration Profile | Status
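The admin center shows whether the profile was delivered, but it is useful to confirm on the device itself that the setting took effect. The following PowerShell check is an added example and not part of the original post. It assumes that this Settings Catalog setting, being ADMX-backed, lands in the same registry location as the equivalent Group Policy setting: HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} with Deny_Write set to 1. The GUID is the well-known Removable Disks class used by that policy; the HKLM path covered below is the device-scoped variant, not the User setting the post selects.

```powershell
# Added example (not from the original post): verify on a managed Windows device
# whether "Removable Disks: Deny write access" has actually been applied.
# Assumption: the ADMX-backed Settings Catalog setting writes the same registry
# value as the Group Policy setting of the same name.

function Get-RemovableDiskWritePolicy {
    [CmdletBinding()]
    param()

    # Well-known Removable Disks class GUID used by the RemovableStorageDevices policy.
    $classGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $relPath   = "Software\Policies\Microsoft\Windows\RemovableStorageDevices\$classGuid"

    # The post's setting is user-scoped (HKCU); the device-scoped variant sits under HKLM.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\$relPath"
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
        }
        [pscustomobject]@{
            Scope     = $hive
            Path      = $key
            DenyWrite = $value
            Applied   = ($value -eq 1)
        }
    }
}

function Test-RemovableDiskWriteDenied {
    [CmdletBinding()]
    param()

    # Effective result: writes are denied if either scope sets Deny_Write = 1.
    $policy = Get-RemovableDiskWritePolicy
    $denied = [bool]($policy | Where-Object { $_.Applied })

    # List removable volumes currently attached so the admin can see what the policy covers.
    $removable = Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        Select-Object DriveLetter, FileSystemLabel, FileSystem

    [pscustomobject]@{
        WriteDenied      = $denied
        PolicyDetails    = $policy
        RemovableVolumes = $removable
    }
}

# Usage: run in the context of the signed-in user on a device targeted by the profile.
Test-RemovableDiskWriteDenied | Format-List
```

Run the check as the targeted user rather than from an elevated SYSTEM context, because the User-scoped setting is written to the HKCU hive of the signed-in user; a WriteDenied value of False on a device that the admin center reports as Succeeded usually means the user has not yet signed in or the policy refresh has not completed.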

End User Experience

Here is the end user experience. When a user tries to copy files to USB media, the following message is displayed.

USB Access Denied Prompt

If the user clicks Continue, the message below is displayed.

USB Access Denied Prompt

Manage Exceptions

As explained earlier, exceptions can be managed through an Azure AD group. The Azure AD group you created for exceptions needs to be added on the Assignments page under the Exclude section. Once added, any device that is a member of that AAD group is excluded from the profile, and USB write access is not denied on those devices.

You can define a process to add and remove devices from this group according to organization policy. A device should be removed once its exception period is over.

Intune | Deny Write Access to USB | Manage Exception
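The post leaves the add/remove process to the organization. The script below is an added example, not part of the original post, showing one way to run that process with the Microsoft.Graph PowerShell module: approved exceptions are tracked in a CSV with a device name and an expiry date, devices with a valid exception are added to the exclusion group, devices whose period has ended are removed so the deny-write policy applies to them again, and any group member without a recorded approval is flagged. The group object id, the CSV layout and file name, and the sample rows are assumptions made for the example.

```powershell
# Added example (not from the original post): automate the USB exception lifecycle
# for the Azure AD group excluded from the Deny Write Access profile.
# Assumptions: $ExceptionGroupId is the object id of the excluded group, and approved
# exceptions live in a CSV with columns DeviceName,ExpiresOn (yyyy-MM-dd).
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules.
param(
    [Parameter(Mandatory)] [string] $ExceptionGroupId,
    [string] $ExceptionListPath = '.\usb-exceptions.csv'   # constructed tracking file
)

Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Device.Read.All'

# Constructed example content of the tracking file:
#   DeviceName,ExpiresOn
#   LAPTOP-FIN-01,2024-06-30
$exceptions = Import-Csv -Path $ExceptionListPath
$today      = (Get-Date).Date

# Resolve each tracked device name to its Azure AD device object (group membership uses the object Id).
$tracked = foreach ($row in $exceptions) {
    $device = Get-MgDevice -Filter "displayName eq '$($row.DeviceName)'" -ErrorAction SilentlyContinue |
              Select-Object -First 1
    if (-not $device) {
        Write-Warning "Device '$($row.DeviceName)' not found in Azure AD"
        continue
    }
    [pscustomobject]@{
        DeviceName = $row.DeviceName
        ObjectId   = $device.Id
        ExpiresOn  = [datetime]::ParseExact($row.ExpiresOn, 'yyyy-MM-dd', $null)
    }
}

$currentMembers = @((Get-MgGroupMember -GroupId $ExceptionGroupId -All).Id)

foreach ($item in $tracked) {
    $isMember = $currentMembers -contains $item.ObjectId
    if ($item.ExpiresOn -lt $today) {
        # Exception period is over: remove the device so write access is denied again.
        if ($isMember) {
            Remove-MgGroupMemberByRef -GroupId $ExceptionGroupId -DirectoryObjectId $item.ObjectId
            Write-Output "Removed expired exception: $($item.DeviceName) (expired $($item.ExpiresOn.ToString('yyyy-MM-dd')))"
        }
    }
    elseif (-not $isMember) {
        # Approved and still valid: add the device to the exclusion group.
        New-MgGroupMember -GroupId $ExceptionGroupId -DirectoryObjectId $item.ObjectId
        Write-Output "Added exception: $($item.DeviceName) until $($item.ExpiresOn.ToString('yyyy-MM-dd'))"
    }
}

# Group members with no recorded approval are the ones an auditor will ask about; report them.
$untracked = $currentMembers | Where-Object { $_ -notin @($tracked.ObjectId) }
foreach ($id in $untracked) {
    Write-Warning "Group member $id has no tracked exception; review manually"
}
```

Scheduling this script daily keeps the exclusion group consistent with the approvals on record, and the warnings for untracked members give you a simple audit trail for devices that were added by hand.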
