There is always a security risk when access to USB storage drives is allowed on corporate devices. Users can copy sensitive data to external drives, and if that data is misused it could damage the organization's reputation.
If users access confidential information from company devices, save it, and then copy it to a personal storage device, it could lead to a security breach. To prevent this, the use of removable storage must be blocked on all corporate devices.
There are many ways to block USB drives on corporate devices. If your organization's devices are managed by Intune, you can use it to block removable storage devices easily. I will be using Intune device remediations to block USB drives on Windows 10 and Windows 11 devices.
Device remediations are also referred to as Intune proactive remediations. We will use PowerShell scripts to create registry keys and registry entries on target devices, which will block USB storage access.
Remediations require the users of the devices to have one of the following licenses. If you do not meet the license criteria, you can simply deploy the Remediation_Script_Block_USB.ps1 script via Intune admin center > Devices > Scripts. For more information, refer to the blog post: How To Deploy Powershell Script Using Intune.
Source: Microsoft
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Virtual Desktop Access (VDA) per user
Intune device remediations automatically detect and resolve issues on managed devices according to the detection and remediation scripts. I have created two PowerShell scripts: one for detection of a registry key/entry/value, and one for remediation, which creates the necessary registry items.
After several failures and repeated testing, the script is finally working fine on Windows 10 and Windows 11 devices, and I want to share it with you. The way I am blocking USB access is by creating a registry key called RemovableStorageDevices and, under this key, creating a registry entry called Deny_All with a value of 1.
I copied and modified the PowerShell script from the blog post: Powershell to test If registry key and value exists, and tested it on Windows 10 and Windows 11 devices.
The detection PowerShell script below checks for the existence of the RemovableStorageDevices registry key and also checks whether Deny_All exists with a value of 1. If either condition is not true, it exits with code 1 so that the remediation script is launched to create or update the necessary registry items for blocking USB drives.
Detection_Script_Block_USB.ps1
```powershell
<#
.DESCRIPTION
This detection script will check if RemovableStorageDevices reg key is existing and Deny_All is set to 1
Author: Jatin Makhija
Website: Copyright - Cloudinfra.net
Version: 1.0.0
#>

# Registry key path
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# Provide registry entry display name
$valueName = "Deny_All"
# Provide registry entry expected value
$requiredValue = "1"

$regkeyexists = Test-Path -Path $regPath
if ($regkeyexists) {
    # Check if registry entry named Deny_All exists
    $regentryexists = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($regentryexists) {
        # If registry entry named Deny_All exists, then fetch its value
        $currentValue = Get-ItemProperty -Path $regPath | Select-Object -ExpandProperty $valueName -ErrorAction SilentlyContinue
        # Match Deny_All registry entry value with the required value
        if ($currentValue -eq $requiredValue) {
            Write-Host "Reg value exists and matching the required value."
            Exit 0
        }
        else {
            Write-Host "Reg value exists, but does not match the required value."
            Write-Host "Current value: $currentValue"
            Write-Host "Required value: $requiredValue"
            Exit 1
        }
    }
    else {
        Write-Host "Registry value does not exist."
        Exit 1
    }
}
else {
    Write-Host "Registry key does not exist."
    Exit 1
}
```
The remediation PowerShell script below checks for the existence of the RemovableStorageDevices registry key and also checks whether Deny_All exists with a value of 1. If either condition is not true, it creates or updates the registry item accordingly.
I have tested it multiple times and made sure that the remediation script below will not overwrite an existing RemovableStorageDevices registry key. Please note the following points about the script:
- It creates the registry key RemovableStorageDevices if it does not exist
- It creates the registry entry Deny_All with value 1 only when it does not exist
- It updates the registry entry Deny_All if it is set to any value other than 1
Remediation_Script_Block_USB.ps1
```powershell
<#
.DESCRIPTION
This remediation script will check if RemovableStorageDevices reg key is existing and Deny_All is set to 1. If not then it will create it
Author: Jatin Makhija
Website: Copyright - cloudinfra.net
Version: 1.0.0
#>

# Registry key path
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# Provide registry entry display name
$valueName = "Deny_All"
# Provide registry entry expected value
$requiredValue = "1"
$type = "DWORD"

$regkeyexists = Test-Path -Path $regPath
if (!$regkeyexists) {
    try {
        # Key is missing: create it and the Deny_All entry in one go
        New-Item -Path $regPath -Force | Out-Null
        Set-ItemProperty -Path $regPath -Name $valueName -Value $requiredValue -Type $type
        Write-Output "Registry Key and value created"
        Exit 0
    }
    catch {
        $errMsg = $_.Exception.Message
        Write-Error $errMsg
        Exit 1
    }
}
else {
    Write-Output "Reg Key exists. Checking for registry entry"
    $regentryexists = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($regentryexists) {
        Write-Output "Reg Entry Exists. Checking for its value"
        $currentValue = Get-ItemProperty -Path $regPath | Select-Object -ExpandProperty $valueName -ErrorAction SilentlyContinue
        if ($currentValue -eq $requiredValue) {
            Write-Output "Reg entry with value already Exists. No action required"
            Exit 0
        }
        else {
            # Entry exists with a wrong value: correct it without touching the rest of the key
            Set-ItemProperty -Path $regPath -Name $valueName -Value $requiredValue -Type $type
            Exit 0
        }
    }
    else {
        # Key exists but the entry is missing: create the entry only
        Set-ItemProperty -Path $regPath -Name $valueName -Value $requiredValue -Type $type
        Exit 0
    }
}
```
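Before uploading the package, it helps to run the detection/remediation pair locally in the same order Intune does and check the exit-code contract (detection exits 1 to trigger remediation, 0 once compliant). The harness below is an added example and not part of the original post; it assumes the two scripts are saved under the file names used above in the current directory and that it is run from an elevated 64-bit PowerShell, since the scripts write under HKLM.

```powershell
# Added example (not from the original post): exercise the detection/remediation
# pair locally the way Intune does. Assumes both .ps1 files are in the current
# directory and that this runs from an elevated 64-bit PowerShell prompt.
param(
    [string]$DetectionScript   = ".\Detection_Script_Block_USB.ps1",
    [string]$RemediationScript = ".\Remediation_Script_Block_USB.ps1"
)

function Invoke-RemediationScript {
    param([string]$Path)
    # Intune runs each script in its own process; do the same so the script's
    # own Exit code is what we observe rather than the state of this harness.
    $psExe = Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\powershell.exe"
    & $psExe -NoProfile -ExecutionPolicy Bypass -File $Path | ForEach-Object { "    $_" }
    return $LASTEXITCODE
}

Write-Output "[1] Detection run"
$detect = Invoke-RemediationScript -Path $DetectionScript
Write-Output "    exit code: $detect"

switch ($detect) {
    0 { Write-Output "Device already compliant; Intune would not trigger remediation." }
    1 {
        Write-Output "[2] Issue found, running remediation"
        $fix = Invoke-RemediationScript -Path $RemediationScript
        Write-Output "    exit code: $fix"
        if ($fix -ne 0) { throw "Remediation failed with exit code $fix" }

        Write-Output "[3] Re-running detection to confirm the fix"
        $recheck = Invoke-RemediationScript -Path $DetectionScript
        Write-Output "    exit code: $recheck"
        if ($recheck -ne 0) { throw "Detection still reports an issue after remediation" }
        Write-Output "Verified: Deny_All is now 1 under RemovableStorageDevices."
    }
    default { throw "Unexpected detection exit code $detect (the scripts above use only 0 and 1)" }
}
```

Run it twice: the first pass should show 1 then 0, and the second pass should report the device as already compliant.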
Create Remediation Script Package in Intune
We will use the above Detection and Remediation scripts to create a script package using Intune device Remediations. Let’s check the steps:
- Log in to the Microsoft Intune admin center
- Go to Devices > Remediations
- Click on + Create script package
Basics Tab
Provide the Name and Description of the package. Keep rest of the settings as default.
- Name: Block USB drive access on Windows
- Description: This Device remediation will block USB drive access on target Windows 10 and Windows 11 devices
- Publisher: Jatin Makhija (auto-filled)
- Version: Auto-filled
Settings Tab
Browse to the detection script and remediation script files. You need to save the above scripts in two PowerShell script files with the .ps1 extension and then browse to them using the blue folder icon, as shown in the screenshot below.
- Detection script file – Browse to the Detection script Detection_Script_Block_USB.ps1
- Remediation script file – Browse to Remediation script file Remediation_Script_Block_USB.ps1
- Run this script using the logged-on credentials – No
- Enforce script signature check – No
- Run script in 64-bit Powershell – Yes
Assignments
Create an Azure AD security group containing the users or devices on which you want to block USB drive access. If you prefer a more controlled deployment to specific devices only, make sure to target only those devices via the Azure AD group. Once your testing is successful and you want to deploy this remediation package to all organization devices, you can click on + Add all devices.
You can also choose the schedule for executing the script package. There are three options: Once, Hourly and Daily.
I prefer to select Hourly and Repeat every 1 hour when I am testing the deployment on a couple of devices. This way the device remediation script package is executed every hour to check the existence of the registry key. I get the results quickly and can update the script package if there are any issues.
However, once you have established that the remediation script package is working as expected and testing is successful, you can change it to run less frequently, e.g. Daily at a specified time.
Review + Create
On the Review + Create tab, review the remediation script package details and click on Create. As soon as you click the Create button, deployment of the device remediation script package will start.
Intune Policy Refresh Cycle
The device will sync / check in to start the device remediation process. It may take some time for the process to start. Therefore, if you are testing on a test device, you can force an Intune refresh cycle on the device, which will speed up script download, execution and remediation. You can also use PowerShell to force an Intune refresh cycle.
You can also restart the device first, which also starts the device check-in process. Manual sync is not mandatory on users' devices, as the device check-in happens automatically. But if you are testing the script package on a test device, this can speed up your testing and save some time.
End user Experience
Now, let's check what happens on the end user's device after the remediation script package has executed successfully. You can check whether the registry key and registry entries have been created as per the PowerShell scripts.
- Press Windows key + R to open the Run dialog box
- Navigate to HKLM:\SOFTWARE\Policies\Microsoft\Windows\ to confirm that the RemovableStorageDevices registry key has been created with the Deny_All registry entry set to 1.
Monitor USB drive access block remediation scripts
You can monitor Intune device remediation script packages from the Intune admin center by following the steps below:
- Log in to the Microsoft Intune admin center.
- Go to Devices > Remediations.
- Click on the remediation script package you want to monitor: "Block USB drive access on Windows".
- Go to Overview to find the deployment status of the script package.
As you can see in the screenshot below, the Overview page shows that there are two devices with Issues under Detection status. Remediation status shows that both of those issues have been fixed.
Where to find logs for Intune device remediation scripts?
You can easily monitor Intune device remediation scripts using the Intune admin center, as shown in the previous section, "Monitor USB drive access block remediation scripts". However, if you want to check and confirm that the detection and remediation scripts are working fine, you can also check the IntuneManagementExtension.log file.
- Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log file. You can sort the file list using the Date modified column.
- Open the file and search for the Intune device remediation entries. You will find the detection and remediation scripts with their exit codes, which confirms that the scripts are working fine.
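Searching the log by hand works, but the file is in CMTrace line format, so the exit-code entries can be pulled out programmatically. The script below is an added example and not part of the original post; the three log lines embedded in it are constructed for the example (the wording of the real messages differs, so the search terms are assumptions to adjust against your own log).

```powershell
# Added example (not from the original post): extract remediation exit codes from
# IntuneManagementExtension.log. The log uses the CMTrace line format:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
# The sample lines below are constructed; the real message text differs.
$logPath = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"

$cmtraceLine = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'

function ConvertFrom-CmTraceLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Lines that do not match the CMTrace shape (e.g. wrapped continuations) are skipped
        if ($line -match $cmtraceLine) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Message   = $Matches.msg
            }
        }
    }
}

function Get-RemediationExitCodes {
    param([string[]]$Lines)
    ConvertFrom-CmTraceLog -Lines $Lines |
        Where-Object { $_.Message -match 'exit code' } |
        ForEach-Object {
            # Assumed search terms: adjust 'remediation' / 'exit code' to match the real log wording
            $phase = if ($_.Message -match 'remediation') { 'Remediation' } else { 'Detection' }
            $code  = if ($_.Message -match 'exit code[:\s]+(-?\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{ Date = $_.Date; Time = $_.Time; Phase = $phase; ExitCode = $code; Message = $_.Message }
        }
}

# Constructed sample lines; on a real device replace with: $lines = Get-Content $logPath
$lines = @(
    '<![LOG[Detection script completed, exit code 1]LOG]!><time="09:00:01.123+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">',
    '<![LOG[Remediation script completed, exit code 0]LOG]!><time="09:00:05.456+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">',
    '<![LOG[Detection script completed, exit code 0]LOG]!><time="10:00:02.789+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="9" file="">'
)
Get-RemediationExitCodes -Lines $lines | Format-Table Date, Time, Phase, ExitCode -AutoSize
```

The expected sequence for a device that needed fixing is Detection 1, Remediation 0, then Detection 0 on the next scheduled run.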
Conclusion
In this blog post, we have seen how to block USB drive access using Intune remediations. There are different ways to deploy a registry key and registry entries via Intune, e.g. by creating and deploying a PowerShell script (via the Devices > Scripts method). Another method is to create a PowerShell or batch file and wrap it in an .intunewin file. You can then create a Win32 app deployment to deploy the .intunewin package to Intune-managed devices.