This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi folks
Is it currently possible within Intune via a Configuration Profile to achieve the following:
Not sure if this can be achieved natively with Windows 10 and Intune. If anyone can advise whether this can achieved or not, that would be great. My suspicion is that it would require a 3rd party product.
Environment:
Windows 10 Enteprise 1909 with M365 E5 license
Thanks
Rob
First, always keep in mind that Intune doesn't define or dictate what can or cannot be done in Windows. Intune (for the most part) is simply deploying a policy and it's up to Windows to implement and act upon that policy.
For your question, the Removable Storage Access policies (available in group policy) enable you to configure this in Windows. These policies from what I can see are not available as Windows 10 CSPs at this though and thus aren't configurable directly via the Intune UI.
You could configure these policies manually though using PowerShell and send them to your systems that way.
Sorry for the delay responding. Yes, I applied the configuration via PowerShell using the GUIDS for the device types I wanted to restrict. This has worked fine.
Thanks Jason.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hi Bob,
Research and find a setting in Administrative Template device Configuration profile named "Deny write access to removable drives not protected by BitLocker"
may be helpful. After setting this, for removable data drives that are not BitLocker-protected, it will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
Hope it can help.
Hi Crystal
Thanks for the suggestion but unforunately, the above wouldn't be a solution as we don't want to allow write to any device, in any form, even if encrypted. I managed to push a simply PowerShell script using Device GUIDs to control access as per Jason's suggestion above. Thanks anyway for the suggestion.
All the best.
Rob
Hi Bob,
Thanks for the reply. I am glad to hear that PowerShell script can help us. if there's anything else we can help in the future, feel free to post in Q&A.
Thanks and have a nice day!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 12%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
what's the powershell script?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 19%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Thanks for including a link to the powershell scripts that appears to work.........
Yeah, some sort of general guidance Powershell script example would really help save our already frustrating world of tech, a little bit of time.
Thanks