USB storage devices are a quick way to move data between machines, but they also pose a significant risk to corporate data: anything a user can write to a removable disk can leave the building. Organizations therefore either block USB storage devices entirely or deny write access while still allowing reads.
In this blog post, we will discuss how to deny write access to USB devices using Microsoft Endpoint Manager / Intune. We will also discuss how to grant an exception whenever there is a genuine business need.
Create Device Configuration Profile
This requirement can be met with a Device Configuration Profile. Follow the steps below to deny write access to USB devices using a device configuration profile.
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Select Windows 10 and later.
- Profile type: Select Settings catalog (Preview) and click Create

Intune | Device Configuration Profile
In Basics page, enter the following details:
- Name: Enter a descriptive name for the profile, for example Deny Write Access to USB Devices
- Description: Enter a description for the profile.
Select Next.

Intune | Device Configuration Profile | Basics
In Configuration settings, click Add settings.
Search for removable storage access, click Administrative Templates\System\Removable Storage Access, then click Select.
Select the following setting from the list:
- Removable Disks: Deny write access (User)
Switch Removable Disks: Deny write access to Enabled in the left-hand pane and click Next. Note that this is the user-scoped version of the setting, so it follows the signed-in user rather than the device; the same category also offers a device-scoped Removable Disks: Deny write access that applies regardless of who signs in, and a separate Removable Disks: Deny read access if reads must be blocked as well.

Device Configuration Profile | Setting Picker
In Assignments, add the group to which you want to assign this profile. If you want an exception process for this policy, also add the group you want to exclude under Excluded groups.

Device Configuration Profile | Assignment
In Review + create, review the settings and click Create.

Device Configuration Profile | Review & create
The device configuration profile is now created. You can see the assignment status by clicking the profile name.
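Assignment status in the portal tells you that Intune delivered the policy; it does not tell you that writes are actually refused on the endpoint. The following script is an added example, not part of the original post or of Microsoft's tooling, for checking both on an enrolled Windows device. It assumes that the MDM-delivered ADMX-backed setting writes the same registry value as the equivalent Group Policy setting (a Deny_Write DWORD under Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, in HKCU for the user-scoped setting and HKLM for the device-scoped one), and it probes any attached removable disk with a throwaway file. Run it in the context of a user who is in scope of the policy.

```powershell
# Added example (not from the original post): verify that the
# "Removable Disks: Deny write access" policy is both present and effective.
# Assumed registry location, mirroring the Group Policy setting of the same name;
# the GUID is the device setup class for removable disks.
$classGuid   = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$policyPaths = [ordered]@{
    'User (HKCU)'   = "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$classGuid"
    'Device (HKLM)' = "HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$classGuid"
}

function Get-RemovableDiskDenyWritePolicy {
    # Reports whether Deny_Write = 1 is set in either scope.
    foreach ($scope in $policyPaths.Keys) {
        $path  = $policyPaths[$scope]
        $value = (Get-ItemProperty -Path $path -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
        [pscustomobject]@{
            Scope     = $scope
            Path      = $path
            DenyWrite = if ($null -eq $value) { 'not set' } elseif ($value -eq 1) { 'enabled' } else { "value=$value" }
        }
    }
}

function Test-RemovableDiskWrite {
    # DriveType 2 = removable disk (USB sticks, SD cards) in Win32_LogicalDisk.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    if (-not $removable) {
        Write-Host 'No removable disk is attached; skipping the write probe.'
        return
    }
    foreach ($disk in $removable) {
        $probe = Join-Path $disk.DeviceID ('usb-write-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [System.IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{ Drive = $disk.DeviceID; Result = 'WRITE ALLOWED - policy not effective' }
        }
        catch {
            # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap it,
            # then map the Win32 code in the low 16 bits of the HResult.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $win32 = $ex.HResult -band 0xFFFF
            $verdict = switch ($win32) {
                19      { 'write denied: disk reported as write-protected (policy effective)' }  # ERROR_WRITE_PROTECT
                5       { 'write denied: access denied (policy or ACL effective)' }              # ERROR_ACCESS_DENIED
                default { "error $win32 : $($ex.Message)" }
            }
            [pscustomobject]@{ Drive = $disk.DeviceID; Result = $verdict }
        }
    }
}

Get-RemovableDiskDenyWritePolicy | Format-Table -AutoSize
Test-RemovableDiskWrite          | Format-Table -AutoSize
```

A device can show the registry value set and still allow writes if the user is excluded or the policy has not refreshed since sign-in, which is why the probe write is worth keeping alongside the registry check.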

End User Experience
Here is the end-user experience. When a user tries to copy files to USB media, the following message is displayed.

If the user clicks Continue, the message below is displayed.

Manage Exceptions:
As explained earlier, exceptions are managed through an Azure AD group. The Azure AD group you created for exceptions needs to be added on the Assignments page under Excluded groups. Once added, any device that is a member of that group is excluded, and USB write access will not be denied on those devices. Membership changes take effect on the device at the next policy refresh, not immediately.
Define a process for adding and removing devices from that group in line with organization policy, and record an expiry for every exception. A device should be removed as soon as its exception period is over; otherwise the exclusion quietly becomes permanent.
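The removal step is the one that gets forgotten, so it is worth automating. The script below is an added example, not part of the original post, showing a time-boxed exception process with the Microsoft Graph PowerShell SDK: every exception is written to a register with an expiry and a change ticket, expired devices are removed from the exclusion group on a scheduled run, and any group member without a register entry is flagged. The group object ID, the register path, the device name and the ticket number are all assumed placeholder values; the cmdlets (Connect-MgGraph, Get-MgDevice, New-MgGroupMember, Get-MgGroupMember, Remove-MgGroupMemberByRef) are from the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules.

```powershell
# Added example (not from the original post): time-boxed USB write exceptions
# managed through the Azure AD exclusion group used in the profile assignment.
# Requires: Install-Module Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
$ExceptionGroupId = '00000000-0000-0000-0000-000000000000'   # assumed: object ID of the exclusion group
$Ledger           = 'C:\IntuneOps\usb-write-exceptions.csv'   # assumed: exception register (CSV)

function Connect-ExceptionGraph {
    # GroupMember.ReadWrite.All covers reading and changing group membership; Device.Read.All resolves device names.
    Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Device.Read.All' -NoWelcome
}

function Add-UsbWriteException {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [Parameter(Mandatory)] [int]    $Days,
        [Parameter(Mandatory)] [string] $Ticket
    )
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceName' not found in Azure AD" }

    # Add the device object (not the user) to the excluded group.
    New-MgGroupMember -GroupId $ExceptionGroupId -DirectoryObjectId $device.Id

    # Record who is excluded, until when, and under which change ticket.
    [pscustomobject]@{
        DeviceName     = $DeviceName
        DeviceObjectId = $device.Id
        Expires        = (Get-Date).AddDays($Days).ToString('o')
        Ticket         = $Ticket
    } | Export-Csv -Path $Ledger -Append -NoTypeInformation
    Write-Host "Excluded $DeviceName from the USB write policy for $Days days ($Ticket)"
}

function Remove-ExpiredUsbWriteExceptions {
    if (-not (Test-Path $Ledger)) { return }
    $now     = Get-Date
    $entries = @(Import-Csv -Path $Ledger)
    $members = @((Get-MgGroupMember -GroupId $ExceptionGroupId -All).Id)

    # Keep live entries; remove expired devices from the group.
    $keep = foreach ($e in $entries) {
        if ([datetime]$e.Expires -gt $now) { $e; continue }
        if ($members -contains $e.DeviceObjectId) {
            Remove-MgGroupMemberByRef -GroupId $ExceptionGroupId -DirectoryObjectId $e.DeviceObjectId
            Write-Host "Removed expired exception for $($e.DeviceName) ($($e.Ticket))"
        }
    }

    # A group member with no register entry bypasses the policy without a recorded reason.
    foreach ($id in $members) {
        if ($entries.DeviceObjectId -notcontains $id) {
            Write-Warning "Group member $id has no exception record; review or remove it"
        }
    }

    if ($keep) { $keep | Export-Csv -Path $Ledger -NoTypeInformation }
    else       { Remove-Item -Path $Ledger -Force }
}

# Usage (assumed values):
# Connect-ExceptionGraph
# Add-UsbWriteException -DeviceName 'LAPTOP-FIN-042' -Days 14 -Ticket 'CHG0012345'
# Remove-ExpiredUsbWriteExceptions   # run daily from a scheduled task or runbook
```

The register is the control here: it is what lets you answer "which devices can write to USB today, and why" without reading group membership by hand, and the warning branch catches members added outside the process.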
