Block USB Drives access on Windows using Intune remediations

There is always a security risk when USB storage drive access is allowed on corporate devices. Users can download sensitive data on External drives and, if misused, could affect the organization’s reputation.

Blocking the use of removable storage devices on company-owned devices is essential for preventing potential security breaches. By doing so, you can ensure that confidential information is not saved or copied to personal storage devices, thereby safeguarding sensitive data and maintaining a secure working environment.

I will use Intune device remediations to block USB drives on Windows 10 and Windows 11 devices. You can also block the USB drives by using the Attack surface reduction policy.

Block USB drives using Intune
The screenshot shows that access to the USB Drive is blocked. Access is denied.

Device remediations, or Intune proactive remediations, involve using PowerShell scripts to create registry keys and entries on target devices.

Remediations requires users of the devices to have one of the following licenses. If you are not meeting the license criteria then you can simply deploy Remediation_Script_Block_USB.ps1 script via Intune admin center > Devices > Scripts option. For more information, refer to the blog post: How to deploy a Powershell script using Intune.

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user
Source: Microsoft

I have created two PowerShell scripts, one for detecting a registry key/entry/value and one for Remediation, which will create necessary registry Items.

After several iterations and testing, I have successfully created a script that works well on both Windows 10 and Windows 11 devices. The script effectively blocks USB access by creating a registry key named “RemovableStorageDevices.”

Within this registry key, I create a specific registry entry called “Deny_All” and set its value to 1, thereby preventing access to removable storage devices.

I copied and modified the Powershell script from the blog post: Powershell to test If registry key and value exist and tested it on Windows 10 and Windows 11 devices.

Note

STEP 1 – Prepare Powershell scripts

  • Below Detection PowerShell script will check the existence of the RemovableStorageDevices registry key and also check if Deny_All with the value of 1 exists or not.
  • If any of the conditions are false, it will launch a Remediation script to create/update the necessary registry Items for blocking the USB drive.
  • Save the below Powershell code in the Detection_Script_Block_USB.ps1 file.

Detection_Script_Block_USB.ps1

<#
.DESCRIPTION
    This detection script will check if RemovableStorageDevices reg key
    is existing and Deny_All is set to 1 
    Author: Jatin Makhija
    Website: Copyright - Cloudinfra.net
    Version: 1.0.0
#>
#registry key path 
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
#Provide registry entry display name 
$valueName = "Deny_All"
#Provide registry entry expected value 
$requiredValue = "1"
$regkeyexists = Test-Path -Path $regPath
if ($regkeyexists) {
   #Check if registry entry named Status exists
   $regentryexists = Get-ItemProperty -Path $regpath -Name $valueName -ErrorAction SilentlyContinue
   if ($regentryexists) {
   #If registry entry named Deny_All exists, then fetch its value
    $currentValue = Get-ItemProperty -Path $regpath | Select-Object -ExpandProperty $valueName -ErrorAction SilentlyContinue
    #Match Status registry entry value with requried value
    if ($currentValue -eq $requiredvalue) {
            Write-Host "Reg value exists and matching the required value."
            Exit 0
        } else {
            Write-Host "Reg value exists, but does not match the required value."
            Write-Host "Current value: $currentValue"
            Write-Host "Required value: $requiredValue"
            Exit 1
        }
    } 
    else {
        Write-Host "Registry value does not exist."
        Exit 1
    }
} 
else {
    Write-Host "Registry key does not exist."
    Exit 1
}
  • Below, the Remediation PowerShell script will check the existence of the RemovableStorageDevices registry key and also check if Deny_All with the value of 1 exists or not. If any of the conditions are false, it will create or update the registry Item accordingly.

I have tested it multiple times and made sure that below remediation script will not Overwrite existing RemovableStorageDevices registry key. Please not below points about the script:

  • It will create a registry key RemovableStorageDevices if it does not exist
  • It will create a registry entry Deny_All with value 1, Only when its not exist
  • It will update registry entry Deny_All if its set to any value other than 1
  • Save the below Powershell code in the Remediation_Script_Block_USB.ps1 file.

Remediation_Script_Block_USB.ps1

<#
.DESCRIPTION
    This remediation script will check if RemovableStorageDevices reg key
    is existing and Deny_All is set to 1. If not then it will create it
    Author: Jatin Makhija
    Website: Copyright - cloudinfra.net
    Version: 1.0.0
#>
#Registry key path
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
#Provide registry entry display name 
$valueName = "Deny_All"
#Provide registry entry expected value 
$requiredValue = "1"
$type = "DWORD"
$regkeyexists = Test-Path -Path $regPath
If (!$regkeyexists)
{ 
try{
   New-Item -Path $regPath -Force | out-null
   Set-ItemProperty -Path $regPath -Name $valuename -Value $requiredValue -Type $type
   Write-Output "Registry Key and value created"
   Exit 0
}
Catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    Exit 1
}
}
Else 
{
   Write-Output "Reg Key exists. Checking for registry entry"
   $regentryexists = Get-ItemProperty -Path $regpath -Name $valueName -ErrorAction SilentlyContinue
   If ($regentryexists)
   {
    Write-Output "Reg Entry Exists. Checking for its value"
    $currentValue = Get-ItemProperty -Path $regpath | Select-Object -ExpandProperty $valueName -ErrorAction SilentlyContinue
    if ($currentValue -eq $requiredvalue)
    {
    Write-Output "Reg entry with value already Exists.No action required"
    Exit 0
   }
   Else {
       Set-ItemProperty -Path $regPath -Name $valuename -Value $requiredValue -Type $type
       Exit 0
   }
   }
   Else {
    Set-ItemProperty -Path $regPath -Name $valuename -Value $requiredValue -Type $type
    Exit 0
 }   
}

STEP 2 – Create a Script Package

To create a script package on Intune admin center, follow below steps:

Basics Tab

Provide the Name and Description of the package. Keep the rest of the settings as default. For Example:

  • Name: Block USB drive access on Windows
  • Description: This Device remediation will block USB drive access on target Windows 10 and Windows 11 devices
  • Publisher: Jatin Makhija (auto-filled)
  • Version: Auto-filled

Settings Tab

Browse to Detection and Remediation scripts and configure the settings below.

  • Detection script file – Browse to the Detection script Detection_Script_Block_USB.ps1
  • Remediation script file – Browse to Remediation script file Remediation_Script_Block_USB.ps1
  • Run this script using the logged-on credentials – No
  • Enforce script signature check – No
  • Run script in 64-bit Powershell – Yes
Detection and Remediation scripts for blocking USB drive access on Windows 10/11 devices using Intune
Detection and Remediation scripts for blocking USB drive access on Windows 10/11 devices using Intune

Assignments

Click on Add group to add an Entra ID group containing users or devices. You can also click on Add all users or Add all devices. Select the Schedule for running this Powershell script. You have three options: Once, hourly, or Daily.

Assign Intune remediation to block USB drive access to Windows 10/11 devices
Assign Intune remediation to block USB drive access to Windows 10/11 devices

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

STEP 3 – Monitor the script package

To Monitor the progress of a script package deployed via Intune, follow the below steps:

  • Login on Microsoft Intune admin center
  • Go to Devices Remediations
  • Click on the Remediation script package you want to monitor. For example, Block USB drive access on Windows.
  • Go to the Overview to find the deployment status of the script package.
To monitor Intune device remediation, Go to Devices > Remediations > Click on USB Block remediation created
To monitor Intune device remediation, Go to Devices > Remediations > Click on USB Block remediation created

End-user Experience

After successfully completing the deployment, Registry Entries will be created according to the Remediation script. Please follow the below steps to check and confirm the deployment on a target device:

  • Press the Win + R keys to open the Run dialog box
  • Navigate to HKLM:\SOFTWARE\Policies\Microsoft\Windows\ to confirm if the RemovableStorageDevices registry key has been created with a Deny_All registry entry with a value of 1.
RemovableStorageDevices registry key to block USB drive on Windows 10/11 devices
RemovableStorageDevices registry key to block USB drive on Windows 10/11 devices
  • In the screenshot below, the Overview page indicates that there are two devices with issues under the Detection status. However, the Remediation Status shows that both of those issues have been successfully fixed.
Go to Overview page and find Detection status and Remediation status
Go to Overview page and find Detection status and Remediation status

More Information

Where do you find logs for Intune device remediation scripts?

You can monitor Intune device remediation scripts using the Intune admin center, as shown in the previous section titled “Monitor USB drive access block remediation scripts.” However, if you want to verify the effectiveness of the detection and remediation scripts, you can also review the IntuneManagementExtension.log file.

  • Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log log file. You can sort the files list using the Date modified column.
  • Open the file and search for the Intune device remediation. You will find Detection and Remediation scripts with Exit codes, which confirm that the scripts are working fine.
Detection and Remediation script execution with their Exit Code values
Detection and Remediation script execution with their Exit Code values

Conclusion

In this blog post, we’ve learned how to block USB drive access using Intune remediations. There are various methods for deploying registry keys and entries through Intune, such as creating and deploying a PowerShell script via the “Devices > Scripts” approach.

Another method involves creating a PowerShell or batch file and packaging it in an .intunewin file. You can then establish a Win32 app deployment to distribute the .intunewin package to Intune-managed devices.

3 thoughts on “Block USB Drives access on Windows using Intune remediations”

  1. Hello Jatin,

    Apparently specific Windows licenses are required to use the Intune Remediations options.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/remediations
    Licensing
    Remediations requires users of the devices to have one of the following licenses:
    Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
    Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
    Windows 10/11 Virtual Desktop Access (VDA) per user

    Is there are an alternative way to deploy these two scripts?

    Reply
  2. Hi Jatin, thanks for this.

    Intune failed at this task _miserably_ (early 2024) but your scripts work really well, thank you!

    Wondering if you’ve come up with a way to allow certain removable storage devices while still preventing anything not on that list?

    I’ve found the key, Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices\List
    but adding Hardware or Device ID’s to this has had exactly zero effect. Maybe I’m approaching it the wrong way?

    Thanks for your time, any suggestions you have would be most appreciated.
    Sean

    Reply

Leave a Comment