Block removeable usb storage via Intune

N-M 191 Reputation points
2023-01-09T19:54:31.313+00:00

Hello,

I searched a lot and find a policy here Endpoint security >> Attack surface reduction>> device control.

Previously there was a option to block usb storage like follwoing picture. Unfortunately, there isn't this option anymore.
277582-1.jpg

So, how can I block just removeable usb storage?
There are some options but each of them has a specific problem.
for example:
Prevent installation of removeable devices:
This option will allow laptop to recognize usb storage that has connected before to the laptop. It just prevent new usb storage to connect.
277557-2.jpg

It would be great if you could help me in this regard
Thank you@

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,249 questions
{count} votes

Accepted answer
  1. Jordan Millama 1,361 Reputation points
    2023-01-09T21:56:54.817+00:00

    It appears the way this is accomplished has changed.

    1. In Endpoint Manager go to Endpoint security > Attack surface reduction > Create Policy
    2. Platform: Windows 10 and later, Profile: Device control, then Create
    3. Give it a name and description
    4. Scroll down and locate the Storage section and enable Removable Disk Deny Write Access
    5. Use Scope tags or assign to required groups/users

    277622-image.png


    Please accept as an answer if this was helpful.

    3 people found this answer helpful.

8 additional answers

Sort by: Most helpful
  1. Alex Vieira 0 Reputation points
    2023-09-17T18:57:16.9133333+00:00

    Try this solution, for me worked well for selected users

    Devices -> Configuration profiles -> Create profile -> Settings catalog -> Removable Storage Access

    bloqueio-storage-usb

    If not work reboot the machine

    0 comments No comments

  2. Jeroen Vijfschaft 0 Reputation points
    2023-10-11T14:53:57.9233333+00:00

    You should check Endpoint Security > Security Baselines > Microsoft Defender for Endpoint Baseline.

    Here you can configure removable drive restrictions

    0 comments No comments

  3. Prajwal Desai [MVP] 101 Reputation points
    2023-11-22T10:48:53.4233333+00:00

    That's correct. You an use an ASR policy in Intune to block USB drives access - https://www.prajwaldesai.com/block-usb-drives-using-intune/

    0 comments No comments

  4. Brad Peters 0 Reputation points
    2024-05-08T16:26:46.54+00:00

    Simplest path I have found to the setting:

    Intune admin portal | Devices | Configuration | Create | New Policy | Platform: Windows 10 and later | Profile type: Templates | Template name: Device restrictions

    Give your policy a name and description and click the next button

    Expand General and block Removable storage.

    Finish configuring your policy with assignments and scope tags (if using them) and test

    User's image

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.