Personnal USB drives connected to work computers is a bit risky. Anyone could copy important stuff off the computer and onto a thumb drive. If that gets into the wrong hands, it’s not going to look good for the company. It’s pretty important to put a stop to using these portable drives on work devices. That way, all the secret and important info stays where it should, keeping the workplace safe and sound. In this blog, we’ll describe how to create an Attack Surface Reduction Policy to block USB drives using Intune.
The easiest way to Intune block USB drive, is to use an ASR policy. Let’s check the steps to block USB drive access by creating an Attack Surface Reduction (ASR) policy.
On the next Intune screen select the following options :
This is where you select the right policy to block you usb drive with Intune. Under the hood, it will triger this CSP Policy : ./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
Assign your profile to an Entra security group containing users or devices. For our test, i’m adding a test group.
On your test device launch a manual sync on the device or use the Intune portal to retrive the new policy. This process may take a while to aply. Be patient.
To monitor the deployment progress of your new USB block Device configuration profile :
Once the policy has been successfully applied on the device, users will encounter an Access is denied message when attempting to access a USB drive. This restriction is a result of the applied policy, which prevents the use of removable storage.
Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.
Thank you for subscribing to our newsletter or requesting a quote. You will receive our next month's newsletter. If you have requested a quote, we will get in touch with you as soon as possible.
Something went wrong!
Thank for your reply!