There is always a security risk when USB storage drive access is allowed on corporate devices. Users can copy sensitive data to external drives, which could damage the organization's reputation if that data is misused.
Blocking removable storage devices on company-owned devices is essential for preventing potential security breaches. By doing so, you can ensure that confidential information is not saved or copied to personal storage devices, thereby safeguarding sensitive data and maintaining a secure working environment.
In this blog post, we will explore two methods to block USB drives using the Intune admin center. Let’s check these methods.
Method 1 – Using Attack Surface Reduction Policy
Let’s check the steps to block USB drive access by creating an Attack Surface Reduction (ASR) policy.
- Sign in to the Intune admin center.
- Click on Endpoint security > Attack surface reduction.
- Click on + Create Policy.
- Platform: Windows 10 and later
- Profile: Device Control
Basics Tab
Provide a Name and Description of the Policy and Click on Next.
Configuration settings Tab
Scroll down to find a setting named “Removable Disk Deny Write Access” under Storage. Use the drop-down and select Disabled. Click on Next.
Scope tags
Click on Next.
Assignments
Assign this profile to an Entra security group containing users or devices. If you add users to the group, the profile will apply even when a user switches to a different device. If you want to apply this profile only to specific devices, target an Entra security group that contains devices only.
Review + create
Review the deployment summary and click the Create button.
Sync Intune Policies
The device check-in process might not begin immediately. If you're testing this policy on a test device, you can manually trigger the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
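The following PowerShell script is an added example (not code from the original post) that does both of the checks above on a device: it starts the Intune check-in by running the enrollment's PushLaunch scheduled task, then reads the registry to confirm whether the Removable Disk Deny Write Access policy has actually landed. The two registry paths (the MDM PolicyManager mirror and the ADMX policy key for the removable disks class GUID) are assumptions about where Windows stores this policy; run it in an elevated session.

```powershell
# Added example, not part of the original post. Assumes the registry locations
# below are where the MDM client writes the Storage/RemovableDiskDenyWriteAccess
# policy; run from an elevated PowerShell session on the enrolled device.

function Start-IntuneSync {
    # The Intune MDM client checks in when the PushLaunch scheduled task under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\ is started.
    $tasks = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
    if (-not $tasks) { throw 'No Intune enrollment (PushLaunch task) found on this device.' }
    $tasks | Start-ScheduledTask
    return ($tasks | Measure-Object).Count   # number of enrollments synced
}

function Get-RemovableDiskWritePolicy {
    # Assumed paths: MDM PolicyManager mirror of the Storage area, and the
    # Group Policy key for the "Removable Disks" device class GUID.
    $mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

    $mdmValue = (Get-ItemProperty -Path $mdmPath -Name 'RemovableDiskDenyWriteAccess' `
                 -ErrorAction SilentlyContinue).RemovableDiskDenyWriteAccess
    $gpoValue = (Get-ItemProperty -Path $gpoPath -Name 'Deny_Write' `
                 -ErrorAction SilentlyContinue).Deny_Write

    # A value of 1 in either location means write access to removable disks is denied.
    [pscustomobject]@{
        MdmRemovableDiskDenyWriteAccess = $mdmValue
        GpoDenyWrite                    = $gpoValue
        WriteDenied                     = ($mdmValue -eq 1) -or ($gpoValue -eq 1)
    }
}

# Usage: trigger the check-in, give the client time to process the policy, then report.
Start-IntuneSync | Out-Null
Start-Sleep -Seconds 60
Get-RemovableDiskWritePolicy | Format-List
```

If WriteDenied stays False after the sync, check the profile's assignment and the device's report in the admin center before assuming the client is at fault.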
Monitoring Deployment Progress
To monitor the deployment progress of a device configuration profile, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Click on "Devices" and then select "Configuration profiles".
- Choose the device configuration profile you want to work with. At the top of the page, you'll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress counts.
- Click on “View report” to access more detailed information.
End-user Experience
Once the policy has been successfully applied, users will encounter an “Access is denied” message when attempting to access a USB drive. This restriction is a result of the applied policy, which prevents the use of removable storage.
Method 2 – Using Intune Device Remediations
You can also use Intune Device Remediations to block USB drives. For a detailed, step-by-step guide, see the linked post: Block USB Drives access on Windows using Intune remediations.