Explore practical guides and tools for Microsoft 365, Azure, and PowerShell. Enhance your cloud security and admin skills with expert insights and automation tips.
2 different ways to manage USB Storage devices with Intune
USB storage devices, while convenient, represent a potential threat to the security of sensitive information. In response to this challenge, we have produced a technical guide entitled “Manage USB Storage Devices with Intune”.
This guide explores two possible configuration options, depending on your needs: configuring USB devices as read-only to protect data against theft, or blocking USB devices to prevent threats while allowing exceptions for certain organizational devices.
Through this guide, we aim to provide practical and effective solutions for strengthening data security within your organization.
1 – USB Storage Read-Only: Protect corporate data from being stolen
Protecting corporate data is a major issue in today’s digital world. Companies must constantly guard against the theft and leakage of sensitive information. To meet this challenge, we have set up an Intune policy that allows reading from storage media while prohibiting writing. This measure is designed to prevent any attempt at unauthorized copying or transfer of critical data. In this article, we’ll discuss the importance of this policy, its benefits for data security and how it can be effectively integrated into your access management strategy.
Let’s start:
Open Microsoft Intune Admin Center – This is the main portal for managing endpoint security policies.
In the left-hand menu, click on “Endpoint security” to access security-related settings.
Under “Endpoint security” expand the “Manage” section.
Click on “Attack surface reduction” to manage ASR policies.
Select the “Policies” tab to view or create new policies.
Press the “Create Policy” button to configure a new attack surface reduction policy.
In the “Create a profile” panel, select Windows as the platform and Device Control as the profile.
Finally, click the “Create” button to save and apply the new policy.
Give a name to your policy.
In the Storage section, select “Enabled” for Removable Disk Deny Write Access.
Click “Next”.
Assign a group of users or All Users, as your organization needs.
Click Save.
Let’s create a new text file on my USB storage:
As you can see here, access is denied.
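To confirm on an enrolled device that the read-only policy above really landed (and not only in the portal), here is an added PowerShell check that is not part of the original post. It assumes the Intune Device Control setting is ADMX-backed and writes the same registry value as the classic Group Policy “Removable Disks: Deny write access”; the registry path and the probe file name are assumptions of this example.

```powershell
# Added example, not code from the original post: verify that the section 1 policy
# (Removable Disk Deny Write Access) reached a managed Windows device and really blocks writes.
# Assumption: the Intune Device Control setting is ADMX-backed and writes the same registry
# value as the classic Group Policy "Removable Disks: Deny write access" (path below).
# Run in an elevated PowerShell session on the enrolled device, with a USB drive plugged in.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Test-RemovableDenyWritePolicy {
    # $true when Deny_Write exists and is set to 1 (policy applied), otherwise $false
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_Write -eq 1)
}

function Test-RemovableDriveWrite {
    # Tries to create, then delete, a probe file on every removable drive (DriveType 2).
    # "Denied" is the expected result when the policy works; "Allowed" means it did not apply.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $drives) {
        $probe = "$($drive.DeviceID)\intune-write-probe.txt"   # assumed probe file name
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $result = 'Allowed'
        }
        catch {
            if ($_.Exception -is [System.UnauthorizedAccessException] -or
                $_.Exception.Message -match 'denied') {
                $result = 'Denied'
            }
            else {
                $result = "Error: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Drive       = $drive.DeviceID
            Label       = $drive.VolumeName
            WriteAccess = $result
        }
    }
}

"Deny_Write policy applied: $(Test-RemovableDenyWritePolicy)"
Test-RemovableDriveWrite | Format-Table -AutoSize
```

The first line tells you whether the policy value is present at all; the table tells you whether it is actually enforced on each removable drive. If the value is present but a drive still reports “Allowed”, check that the device has synced and that the user is in the assigned group.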
2 – Block USB Storage devices: Protect your organization from USB threats
Protecting computer systems against viruses and other malware is essential in any digital environment. To reinforce this security, we have implemented an Intune policy aimed at blocking access to external storage media. This preventive measure considerably reduces the risk of infection by viruses and other threats, by preventing the introduction of malware via removable storage devices. In the following steps, we’ll explore how to implement it effectively.
So let’s get started:
Open Microsoft Intune Admin Center.
Navigate to “Devices”.
Under “Manage devices” select “Configuration” to manage configuration policies.
In the main panel, click on the “Create” button to start creating a new configuration profile.
In the “Create a profile” panel, choose Windows 10 and later as the platform and Settings catalog as the profile type.
Finally, press the “Create” button to proceed with creating the new profile.
Give a name to your policy.
A – Prevent installation of devices not described by other policy settings:
When this policy is enabled, Windows will block driver installation/updates for any device UNLESS it matches one of these allow-list criteria:
Devices listed under “Allow installation of devices that match any of these device IDs”.
Devices categorized under “Allow installation of devices for these device classes”.
Devices specified in “Allow installation of devices that match any of these device instance IDs”.
This policy enforces strict control over driver installations by restricting them to explicitly approved devices.
In the “Configuration settings” section, click on the “+ Add settings” button to add a new configuration setting.
In the “Settings picker” panel, use the search bar to find “Prevent installation of devices not described by other policy settings”.
Once the search result appears, check the box next to “Prevent installation of devices not described by other policy settings” to include this policy in the configuration.
After adding the setting, toggle it to “Enabled” to enforce the restriction.
B – Allow installation of devices using drivers that match these device setup classes:
In the “Configuration settings” section, click on the “+ Add settings” button to add a new configuration setting.
In the “Settings picker” panel, use the search bar to find “Allow installation of devices using drivers that match these device setup classes”.
Once the search result appears, check the box next to “Allow installation of devices using drivers that match these device setup classes” to include this policy in the configuration.
After adding the setting, toggle it to “Enabled” to enforce the restriction.
Add the class GUIDs for the allowed devices from the Microsoft list at this link: Link
Here are common class GUIDs to allow USB devices:
Keyboard and mouse: add the following GUIDs to the device profile:
Keyboard: {4d36e96b-e325-11ce-bfc1-08002be10318}
Mouse: {4d36e96f-e325-11ce-bfc1-08002be10318}
Cameras, headphones and microphones: add the following GUIDs to the device profile:
USB Bus devices (hubs and host controllers): {36fc9e60-c465-11cf-8056-444553540000}
Human Interface Devices (HID): {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
In this example I will allow: Keyboard + Mouse + Camera devices + System devices
You can add other device class GUIDs as needed.
Click Next to move to the Assignments section.
Add “All Users” or just a group of users, then click “Next”.
Click Create.
Now let’s connect my USB drive to my laptop.
As you can see here, my flash drive is plugged in but the driver is not installed because of our Intune policy, so we can’t see it in the drive list.
C – Optional: allow only organization-specific USB storage devices
I think this feature is super powerful: you can allow just a few USB drives to be installed and used on all your Intune devices.
In this example I’ll allow my Kingston USB drive to be installed on all Intune devices. You can do this if you have a specific disk drive or flash drive that you want to exempt from the block policy above.
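To audit what the block policy from settings A and B actually wrote to a device, and to see which USB devices it stopped, here is an added PowerShell script that is not part of the original post. It assumes these Settings Catalog entries are ADMX-backed and land under the same registry key as the Group Policy “Device Installation Restrictions”; the expected allow list is built from the class GUIDs given above.

```powershell
# Added example, not code from the original post: read back the Device Installation Restrictions
# that the Settings Catalog policy from section 2 applies, check that the class GUIDs listed above
# are in the allow list, and show which present USB devices are not working.
# Assumption: these settings are ADMX-backed and land under the same registry key as the
# Group Policy "Device Installation Restrictions" (path below).

$RestrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Expected allow list, constructed from the class GUIDs given in the post
$ExpectedClasses = @{
    '{4d36e96b-e325-11ce-bfc1-08002be10318}' = 'Keyboard'
    '{4d36e96f-e325-11ce-bfc1-08002be10318}' = 'Mouse'
    '{36fc9e60-c465-11cf-8056-444553540000}' = 'USB bus devices'
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}' = 'HID'
}

function Get-PolicyListValues {
    # List-type policy entries are stored one value per numbered name: <SubKey>\1 = '...', \2 = '...'
    param([string]$SubKey)
    $path = Join-Path $RestrictKey $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string]$_.Value }
}

function Get-DeviceInstallRestrictionState {
    $root = Get-ItemProperty -Path $RestrictKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyUnspecified     = ($root.DenyUnspecified -eq 1)      # setting A enabled
        AllowClassesEnabled = ($root.AllowDeviceClasses -eq 1)   # setting B enabled
        AllowedClasses      = @(Get-PolicyListValues -SubKey 'AllowDeviceClasses')
        AllowIdsEnabled     = ($root.AllowDeviceIDs -eq 1)       # setting C enabled
        AllowedIds          = @(Get-PolicyListValues -SubKey 'AllowDeviceIDs')
    }
}

function Compare-AllowedClasses {
    # Reports, for each class GUID from the post, whether the device's allow list contains it
    $allowed = (Get-DeviceInstallRestrictionState).AllowedClasses | ForEach-Object { $_.ToLower() }
    foreach ($guid in $ExpectedClasses.Keys) {
        [pscustomobject]@{
            Class   = $ExpectedClasses[$guid]
            Guid    = $guid
            Allowed = ($allowed -contains $guid.ToLower())
        }
    }
}

function Get-FailedUsbDevices {
    # Present USB devices whose status is not OK; a drive blocked by the policy shows up here
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB*' -and $_.Status -ne 'OK' } |
        Select-Object Status, Class, FriendlyName, InstanceId
}

Get-DeviceInstallRestrictionState | Format-List
Compare-AllowedClasses | Format-Table -AutoSize
Get-FailedUsbDevices | Format-Table -AutoSize
```

Run it elevated on a device that has synced the policy. With the example from this post you expect DenyUnspecified and AllowClassesEnabled to be True, every row of the comparison to show Allowed = True, and the plugged-in flash drive to appear in the last table with a non-OK status while keyboard, mouse and hubs are absent from it.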
Prerequisite: the device’s hardware ID.
How to obtain the hardware IDs for a device
To find the list of hardware IDs for a given device, follow these steps:
Open Device Manager.
Find the device in the tree.
Right-click the device and select Properties.
Select the Details tab.
In the Property drop-down, select Hardware Ids or Compatible Ids.
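Device Manager works for one machine, but the same IDs can be collected from PowerShell, which is handier when you need to gather them from several drives. The script below is an added example that is not part of the original post; it uses the built-in PnpDevice module (Windows 10 and later) and the function name is my own.

```powershell
# Added example, not code from the original post: list the USB storage devices attached to this
# machine with their hardware IDs, compatible IDs and device instance ID, so the right value can be
# pasted into "Allow installation of devices that match any of these device IDs" (section C).
# Uses the built-in PnpDevice module (Windows 10 and later); run on the device with the drive plugged in.

function Get-UsbStorageDeviceIds {
    param([switch]$IncludeAbsent)   # by default only currently connected devices are listed

    $devices = if ($IncludeAbsent) { Get-PnpDevice } else { Get-PnpDevice -PresentOnly }

    # USB mass-storage devices enumerate under the USBSTOR bus
    foreach ($dev in ($devices | Where-Object { $_.InstanceId -like 'USBSTOR\*' })) {
        $hwIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                      -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        $compatIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                      -KeyName 'DEVPKEY_Device_CompatibleIds' -ErrorAction SilentlyContinue).Data

        [pscustomobject]@{
            Name          = $dev.FriendlyName
            Status        = $dev.Status           # not "OK" when the device has a problem, e.g. its installation was blocked
            InstanceId    = $dev.InstanceId       # unique per physical unit (carries the unit's serial)
            HardwareIds   = @($hwIds) -join '; '  # most specific ID comes first
            CompatibleIds = @($compatIds) -join '; '
        }
    }
}

Get-UsbStorageDeviceIds | Format-List
```

The hardware IDs identify the vendor, product and revision, so two drives of the same model normally share them; if you need to single out one physical unit, use its InstanceId with the separate “Allow installation of devices that match any of these device instance IDs” setting listed earlier instead. Use -IncludeAbsent to also list drives that were connected before but are not plugged in right now.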
Come back and edit your last policy, “Block Read Write USB Storage”.
In the “Configuration settings” section, click on the “+ Add settings” button to add a new configuration setting.
In the “Settings picker” panel, use the search bar to find “Allow installation of devices that match any of these Device IDs”.
Once the search result appears, check the box next to “Allow installation of devices that match any of these Device IDs” to include this policy in the configuration.
After adding the setting, toggle it to “Enabled” to enforce the restriction.
Add the hardware ID that we copied in the previous section.
Click Save.
Only the flash drive with the right hardware ID is installed on the device. I tried two flash drives of the same brand, model and capacity, but only one of them works:
3 – Conclusion:
In conclusion, managing USB storage devices with Intune is a crucial step in strengthening your company’s data security. By configuring USB devices as read-only, you can protect sensitive information from theft. By blocking USB devices, you reduce the risk of infection by viruses and other threats, while maintaining the flexibility needed for essential day-to-day tasks. We hope this guide provides you with the tools and knowledge you need to implement the policy that’s right for you, effectively and securely.
Thanks
Aymen EL JAZIRI (Microsoft MVP)
Hi, I’m Aymen El Jaziri , a passionate System Administrator and Microsoft MVP, with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.