Personal USB drives connected to work computers are a security risk. Anyone could copy sensitive data off the computer onto a thumb drive, and if that drive ends up in the wrong hands, it's not going to look good for the company. Blocking these portable drives on work devices keeps confidential information where it belongs and the workplace safe. In this blog, we'll describe how to create an Attack Surface Reduction policy to block USB drives using Intune.

Attack Surface Reduction Policy

The easiest way to block USB drives with Intune is to use an ASR policy. Let's go through the steps to block USB drive access by creating an Attack Surface Reduction (ASR) policy.

  • Sign in to the Intune portal
  • Click on Endpoint security / Attack surface reduction.
  • Click on Create Policy

On the next Intune screen, select the following options:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Device Control
  • Click Create at the bottom
  • On the Basics tab, enter a Name and Description, then click Next.

Configuration settings Tab

This is where you select the right policy to block your USB drive with Intune. Under the hood, it will trigger this CSP policy: ./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess

  • Scroll down to Storage and select Disabled under Removable Disk Deny Write Access
  • Click on Next
  • On the Scope tags screen, click Next

Assignments

Assign your profile to an Entra security group containing users or devices. For our test, I'm adding a test group.

  • Review the deployment Summary and click the Create button once everything is configured as you wish

Sync Intune Policies

On your test device, launch a manual sync on the device or use the Intune portal to retrieve the new policy. This process may take a while to apply. Be patient.


Intune block USB drive – Monitoring Deployment Progress

To monitor the deployment progress of your new USB block Device configuration profile:

  • Click on Endpoint security / Attack surface reduction
  • Choose your Device Configuration profile
  • Click on Device assignment status
  • You will see statistics on Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on “View report” to access more detailed information

End-user Experience

Once the policy has been successfully applied on the device, users will encounter an "Access is denied" message when attempting to access a USB drive. This restriction is the result of the applied policy, which prevents the use of removable storage.
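To confirm from the device side that the policy described in the Sync Intune Policies section has actually landed, and that the behaviour described above is explained by it, the following PowerShell script (an added example, not part of the original post or of any Microsoft tooling) reads the CSP value the MDM client records and the ADMX-backed registry value the RemovableDiskDenyWriteAccess policy maps to. The PolicyManager registry path, the RemovableStorageDevices key with its Removable Disks class GUID, and the PushLaunch scheduled task name used to force a sync are assumptions based on how MDM policies are stored on Windows, not values taken from the post.

```powershell
# Added example: check on a Windows 10/11 endpoint whether the Intune Device Control
# setting RemovableDiskDenyWriteAccess has been applied, optionally forcing an MDM
# sync first. Run in an elevated PowerShell session. Registry paths and the task
# name are assumptions about how MDM CSP policies are stored, not values from the post.

[CmdletBinding()]
param(
    [switch]$TriggerSync   # also kick off an Intune/MDM sync before checking
)

function Invoke-IntuneSync {
    # MDM enrollment creates a scheduled task named PushLaunch (assumed name) under
    # \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\; starting it triggers a
    # policy sync without opening the Settings app.
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if (-not $task) {
        Write-Warning 'No EnterpriseMgmt PushLaunch task found; is the device MDM-enrolled?'
        return
    }
    Start-ScheduledTask -InputObject $task
    Start-Sleep -Seconds 30   # give the MDM client a moment to pull the policy
}

function Get-RemovableDiskWritePolicy {
    # 1. The CSP value as recorded by the MDM client (assumed location).
    $mdmKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    $mdmValue = (Get-ItemProperty -Path $mdmKey -Name 'RemovableDiskDenyWriteAccess' `
                    -ErrorAction SilentlyContinue).RemovableDiskDenyWriteAccess

    # 2. The ADMX-backed key the CSP maps to; the GUID is the "Removable Disks"
    #    device class used by RemovableStorage.admx (assumed mapping).
    $admxKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyWrite = (Get-ItemProperty -Path $admxKey -Name 'Deny_Write' `
                    -ErrorAction SilentlyContinue).Deny_Write

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MdmCspValue        = $mdmValue    # 1 = deny write access; 0 or empty = not set
        AdmxDenyWrite      = $denyWrite   # 1 = policy enforced on the device
        WriteAccessBlocked = (($mdmValue -eq 1) -or ($denyWrite -eq 1))
    }
}

if ($TriggerSync) { Invoke-IntuneSync }

$status = Get-RemovableDiskWritePolicy
$status | Format-List

if (-not $status.WriteAccessBlocked) {
    Write-Warning ('RemovableDiskDenyWriteAccess is not active yet on {0}; wait for the sync ' +
                   'to finish or check the Device assignment status report in Intune.') -f $status.ComputerName
}
```

Run it as `.\Check-UsbWritePolicy.ps1 -TriggerSync` on the test device after assigning the profile; a `WriteAccessBlocked` value of `True` means the registry state matches what the Intune report should show as Success for that device, while `False` after several minutes is the cue to look at the Device assignment status report for a Conflict or Failure.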
