top of page
Search

Enhancing Security: A Step-by-Step Guide to blocking USB Drives using Microsoft 365 via Intune

  • Writer: Jack Davies
    Jack Davies
  • Jul 12
  • 3 min read

This guide explains how to block USB drives on Windows 10 and 11 devices using an attack surface reduction policy in Microsoft Intune.


Why Restrict USB Access?


Unauthorized USB drives are a common source of data breaches and malware infections. Restricting removable storage is a critical step in protecting your organization's network and sensitive information. With Intune, you can block devices like USB flash drives while still allowing essential peripherals, such as keyboards and mice.


Using an Attack Surface Reduction Policy


For company-owned devices enrolled in Intune, you can implement an Attack Surface Reduction (ASR) policy to manage USB access. These rules, part of Microsoft Defender for Endpoint, help secure the vulnerable points in your organization. This policy allows you to centrally block or allow specific USB devices on all your managed Windows computers.


You can block USB device access on Windows devices using Microsoft Intune through two primary methods:


  1. Attack Surface Reduction (ASR) Policy: Create a device control policy to enable the "Removable Disk Deny Write Access" setting. According to Microsoft, enabling this policy denies write access to removable storage. If this setting is disabled or not configured, write access is permitted. For enhanced security, Microsoft also recommends enabling the "Deny write access to drives not protected by BitLocker" policy.


  2. Intune Remediations: Utilize Intune's remediation scripts to block USB device access.


Microsoft recommends a layered approach to securing removable media. Microsoft Defender for Endpoint offers multiple features to monitor and control peripherals, preventing them from compromising your devices.


Why Block USB Access?


Restricting USB drives is a critical security measure for any organization. It helps to:


  • Prevent Data Breaches: Stops employees from copying sensitive company data to unauthorized external devices.

  • Mitigate Malware Threats: Reduces the risk of malware spreading from infected USB drives to your network.

  • Strengthen Data Loss Prevention: Minimizes the chance of data being lost or stolen on portable storage devices.

  • Enhance Access Control: Ensures that data is only transferred through approved and monitored channels.


How to block USB Drives using Intune:


You first need to sign into Intune Admin Centre and then go to Endpoint Security > Attack Surface Reduction and click 'Create Policy'.


UI screenshot showing "Endpoint security" with "Attack surface reduction" selected. Options to create, refresh, and export policies are visible.

On the next screen, you will configure the profile settings:


  1. Platform: Select Windows 10 and later.

  2. Profile type: Choose Templates, and then select Device Control.

  3. Click Create.


Create a profile interface showing platform as Windows and profile as Device Control, with details on securing removable media.

On the Basics tab, provide a name and description for the profile.


  • Name: Enter a descriptive title for the policy.

    • Example: Block USB Drives

  • Description: Add a brief summary explaining the profile's purpose. This is helpful for other administrators who may manage this policy.

    • Example: Uses an ASR policy to block USB device access.


Click Next to continue.


Create Policy screen for blocking USB drives in endpoint security. Fields: "Name" - Block USB Drives, "Description" - USB access block policy.

  • On the Configuration Settings tab, expand the "Storage" category.

  • Find the setting named Removable Disk Deny Write Access.

  • To block users from writing to USB drives, set this policy to Disabled.


Dropdown menu for "Removable Disk Deny Write Access" with "Disabled (Default)" selected and highlighted in red. White background.

Next, add any required 'Scope Tags'


Policy creation interface showing "Scope tags" section with a default tag listed. Blue checks indicate steps completed.

On the Assignments tab, select the user or device groups that will receive this policy. Under "Included groups," click Add groups and search for your target group.


For example, this policy was assigned to the 'Corporate' group.


Endpoint security policy screen showing "Create Policy" under "Assignments." JDJ-CORP-WIN group with 0 devices, 5 users. Options include filters.

You will now need to wait for the sync the device to Intune or manually sync the device.


End-User Experience


Once the Intune policy has been successfully applied to a device, any attempt to use a removable storage device will be blocked. When a user connects a USB drive, the system will prevent access and display an error message, such as "Location is not available" or "Access is denied."


This confirms that the Attack Surface Reduction (ASR) policy is effectively preventing the use of removable storage as intended.


Error message window with a red X icon. Text reads: "Location is not available. F:\ is not accessible. Access is denied." Blue OK button.


Comments

bottom of page