Hi, I'm trying to create a configuration profile with Intune that blocks USB Storage devices, but will allow specific ones based on the Device ID number or serial number. I've tried a number of links including the one below with no luck and the profile I create just blocks all the USB storage devices, even the one that I've specified not to block. Can anybody suggest something for me to try? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-worldwide#deploying-and-managing-policy-via-intune Thanks,

@Brian Liu Thanks for posting in our Q&A. For this issue, did you try to restrict USB devices and allow specific USB devices using Administrative Templates? Please refer to the following article: https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

So I did the below and still the USB storage device that I've allowed by Device ID is being blocked Enabled "Prevent installation of devices not described by other policy settings" Enabled "Allow installation of devices using drivers that match these device setup classes" Enabled "Allow installation of devices that match any of these Device IDs" I've also tried setting up using "Attack surface reduction" option in Endpoint Security Register all class GUID and hardware id and compliance id still facing issue

How to block USB Storage devices, but allow specific ones using Intune?

Accepted answer

Lu Dai-MSFT 28,421 Reputation points

2023-08-18T01:46:21.24+00:00

@Brian Liu Thanks for posting in our Q&A.

For this issue, did you try to restrict USB devices and allow specific USB devices using Administrative Templates? Please refer to the following article:

https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Brian Liu 140 Reputation points

2023-08-18T09:07:17.0566667+00:00

Morning Lu, Yes I tried that as well and it didn't work. Sorry should have been more clear on what I've tried.

So I did the below and still the USB storage device that I've allowed by Device ID is being blocked

Enabled "Prevent installation of devices not described by other policy settings"

Enabled "Allow installation of devices using drivers that match these device setup classes"

Enabled "Allow installation of devices that match any of these Device IDs"

I've also tried setting up using "Attack surface reduction" option in Endpoint Security

Thanks

Lu Dai-MSFT 28,421 Reputation points

2023-08-21T02:40:10.7866667+00:00

@Brian Liu Did you add all GUIDs in "Allow installation of devices using drivers that match these device setup classes"? In our official article, it shows some USB devices have multiple GUIDs, and it's common to miss some GUIDs in your policy settings.

https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb#a-device-is-blocked-but-should-be-allowed

If this issue still exists, it is suggested to create an online support ticket to get more help. Here is the support link:

https://learn.microsoft.com/en-us/mem/get-support

Brian Liu 140 Reputation points

2023-08-22T10:14:02.19+00:00

Hi Lu, It seems to work now, but not very well. After entering all the required setup classes, GUID and waiting for the profile to be successfully uploaded onto the device I would insert a device into the laptop and it would say that the device is blocked due to policy restriction.

I would then disconnect the usb device and restart the laptop, insert the usb device and it would work. Is there no way to not have to restart the laptop every time I want to install a new usb device that has been specified as allowed in my configuration profile?

Thanks,

Brian

Lu Dai-MSFT 28,421 Reputation points

2023-08-23T02:08:51.5566667+00:00

This is like this configuration profile has not been fully applied. When you restart the device, it is been applied fully. It is suggested to try to wait for some time or sync the device, and then check if it works without restarting the laptop.

Brian Liu 140 Reputation points

2023-08-29T15:17:51.53+00:00

Thanks Lu, I will give that a go.

Nivrahs Osas 0 Reputation points

2024-03-14T17:13:43.15+00:00

Hi Brian Liu,

Any feedbacks?

So have you used the below to create a "Configuration profile"

Enabled "Prevent installation of devices not described by other policy settings"

Enabled "Allow installation of devices using drivers that match these device setup classes"

Enabled "Allow installation of devices that match any of these Device IDs" or have you used "Attack surface reduction" option in Endpoint Security for it to work?

Mohamed Riswan 0 Reputation points

2024-11-05T06:22:17.53+00:00

HI Brian,

is it above policies is working fine ?

i try lots and get tiyad
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to block USB Storage devices, but allow specific ones using Intune?

1 additional answer

Your answer