CloudServus - Microsoft Consulting Blog

How to use Microsoft Intune to Block USB Drives

Written by Dave Rowe | Oct 10, 2024 7:40:01 PM

USB devices, while incredibly convenient, can pose significant security risks to organizations. These devices can serve as a vector for data theft, malware infections, and unauthorized access. By implementing device control policies through Microsoft Intune, organizations can mitigate these risks and enforce strict security measures, ensuring sensitive data is protected and limiting exposure to potential cyber threats. Blocking USB devices helps prevent unauthorized data transfers and malware spread, providing an essential layer of security in today’s threat landscape.

Implementing Device Controls to Block USB Drives with Microsoft Intune

Microsoft Intune is a cloud-based endpoint management solution that allows IT administrators to enforce device policies, including the control of USB ports. By leveraging Intune’s device control features, organizations can block unauthorized USB devices, helping prevent data loss and enhance overall security posture.

This blog will walk you through the steps to implement device controls in Microsoft Intune to block USB drives while retaining the flexibility to exclude specific approved devices.

Step-by-Step Guide to Blocking USB Drives with Microsoft Intune

1. Prerequisites

Before you begin, ensure the following prerequisites are met:

  • Azure AD Premium License: Required to use Intune’s advanced device management features.
  • Intune Enrollment: Ensure devices are enrolled in Microsoft Intune.
  • Device Compliance Policies: Set up policies to enforce security and compliance across devices.
  • Windows 10 or 11 Devices: This guide specifically focuses on these operating systems, as they support the necessary configurations.

2. Create a Configuration Profile in Intune
  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint security > Attack surface reduction.
  3. Click on the Reusable settings section.
  4. Add a new setting named "Any Removable Media".
  5. In the configuration, expand Device Control and add a new object of type Removable Media.

a. Enter the configuration for the removable storage instance:

Name: Any Removable Media

PrimaryId: RemovableMediaDevices


b. Add another reusable setting, this time named "USB Allowed List". Add a Device Control object that identifies the specific USB devices you want to allow. For example, I'm allowing a 32GB SamData drive with the serial number EDEB5631:

Name: Blue SamData 32GB

SerialNumberId: EDEB5631

You can add multiple entries for additional USB devices identified by serial number, or add an entry that allows USB devices from a specific manufacturer.

You will now have the two reusable settings defined.


6. Back in the Attack surface reduction summary section, create a policy for the Windows platform and select the Device Control profile.

a. Enter a policy name such as "MDE - USB Device Control".

b. In the configuration settings expand Device Control and create the first of two entries.

  • After clicking Add you will need to select Edit Entry and enter the name as well as the Type, Options and Access mask (Read, Write, Execute).

The first entry is Block Removable Media.

  • After setting the Entry, click Set reusable setting under Included ID and select "Any Removable Media".

  • Next, click Set reusable setting under Excluded ID and select "USB Allowed List".

c. Add the second Device Control entry this time for Allowed USB Devices.

  • Click Add and select Edit Entry. Enter the name "Allowed USB Devices" and add the two entries, Allow and Audit Allowed.

  • After setting the Entry, click Set reusable setting under Included ID and select "USB Allowed List".

7. Assign the Device Control policy to the relevant group or All Users.
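The reusable settings and policy entries configured above are the Intune front end for Microsoft Defender for Endpoint's device control policy, which is stored as a groups XML and a rules XML. The following is an added example, not code from the original post, showing the same two groups and two rules in that XML form (the two files are shown back to back); the GUIDs are placeholders and must be replaced with unique values, the serial number is the page's own EDEB5631, and the Options and AccessMask numbers are the documented Defender device control codes.

```xml
<Groups>
  <Group Id="{00000000-0000-0000-0000-000000000001}" Type="Device">
    <Name>Any Removable Media</Name>  <!-- reusable setting 1 -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="{00000000-0000-0000-0000-000000000002}" Type="Device">
    <Name>USB Allowed List</Name>  <!-- reusable setting 2: one SerialNumberId per approved drive -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <SerialNumberId>EDEB5631</SerialNumberId>
    </DescriptorIdList>
  </Group>
</Groups>
<PolicyRules>
  <!-- Entry 1: deny every removable device except those in the allow-list group -->
  <PolicyRule Id="{00000000-0000-0000-0000-000000000003}">
    <Name>Block Removable Media</Name>
    <IncludedIdList>
      <GroupId>{00000000-0000-0000-0000-000000000001}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>{00000000-0000-0000-0000-000000000002}</GroupId>
    </ExcludedIdList>
    <!-- AccessMask 7 = Read (1) + Write (2) + Execute (4) -->
    <Entry Id="{00000000-0000-0000-0000-000000000004}">
      <Type>Deny</Type><Options>0</Options><AccessMask>7</AccessMask>
    </Entry>
    <!-- Options 3 = show the user a notification and send an event to the Defender portal -->
    <Entry Id="{00000000-0000-0000-0000-000000000005}">
      <Type>AuditDenied</Type><Options>3</Options><AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
  <!-- Entry 2: explicitly allow the approved drives and record their use -->
  <PolicyRule Id="{00000000-0000-0000-0000-000000000006}">
    <Name>Allowed USB Devices</Name>
    <IncludedIdList>
      <GroupId>{00000000-0000-0000-0000-000000000002}</GroupId>
    </IncludedIdList>
    <Entry Id="{00000000-0000-0000-0000-000000000007}">
      <Type>Allow</Type><Options>0</Options><AccessMask>7</AccessMask>
    </Entry>
    <!-- Options 2 = send an event only; no user notification -->
    <Entry Id="{00000000-0000-0000-0000-000000000008}">
      <Type>AuditAllowed</Type><Options>2</Options><AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

Because the deny rule excludes the allow-list group and the allow rule includes it, an approved drive is never evaluated by the Deny entry, while every other removable device is blocked and the user is notified.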

Users who plug in a USB drive that is not on the allowed list will receive a notification that the device has been blocked.

Reporting

The Microsoft Defender portal can be used to review the USB activity of devices.

You can view the details of a blocked device to find its serial number if you want to add that device to the allow list.

By implementing device control policies with Microsoft Intune, organizations can effectively block USB drives and reduce the risk of data breaches and malware infections. Intune offers a flexible and scalable approach to managing devices and ensuring a high level of security. With the ever-growing need for strong data protection strategies, blocking unauthorized USB devices is a critical component of a comprehensive security plan. Contact us today if you’d like to implement Microsoft Intune in your organization.