With the increasing risks of malware and data exfiltration via USB devices, controlling removable storage access is critical. Microsoft Intune provides a robust way to enforce USB device restrictions across your organization.
### **How to Block USB Removable Storage in Intune**
1. Sign in to Microsoft Intune Admin Center
   - Navigate to https://intune.microsoft.com.
2. Create a Device Restriction Policy
   - Go to Devices > Configuration Profiles > Create Profile.
   - Select Platform: Windows 10 and later > Profile Type: Templates > Administrative Templates.
3. Configure USB Block Settings
   - Search for “Removable Storage” in the policy settings.
   - Enable the following policies:
     - Prevent installation of removable devices
     - Deny write access to removable storage
     - Allow write access to USB only when BitLocker is on
4. Assign the Policy to Target Groups
   - Select the security groups that need USB restrictions.
5. Deploy and Monitor
   - Click Create to deploy the policy.
   - Monitor compliance under Devices > Compliance Policies.
### **You Should Know: PowerShell & Registry Tweaks for USB Control**
For advanced control, use these PowerShell commands to manage USB storage:
```powershell
# Run from an elevated PowerShell session (writes under HKLM).

# Disable USB Storage via Registry (Start = 4: driver disabled)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4

# Enable USB Storage (if needed) (Start = 3: driver loaded on demand)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 3

# Check USB Storage Status
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" | Select-Object Start
```
**For Linux Systems (Advanced Blocking via udev Rules):**
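```bash
# Block USB storage devices
# (the **** fields are the vendor and product IDs the rule matches on)
# A quoted heredoc keeps the rule's inner single quotes intact; wrapping the rule
# in echo '...' would end the quoting early and run the redirect in the calling shell.
sudo tee /etc/udev/rules.d/99-block-usb.rules <<'EOF'
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="****", ATTR{idProduct}=="****", RUN+="/bin/sh -c 'echo 0 > /sys/bus/usb/devices/%k/authorized'"
EOF

# Reload udev rules
sudo udevadm control --reload-rules
```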
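To check that the udev rule took effect, the following added example (not from the original post) lists USB devices that are still authorized while exposing a mass-storage interface, reading the same `authorized` attribute the rule writes. The function names, the sample-tree helper, and the vendor/product IDs inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reports USB devices that are still
# authorized while exposing a mass-storage interface (bInterfaceClass 08).
# Usage: usb_storage_violations [sysfs_usb_dir]   (default: /sys/bus/usb/devices)

usb_storage_violations() {
    root="${1:-/sys/bus/usb/devices}"
    found=0
    for dev in "$root"/*; do
        # Device nodes carry idVendor; interface nodes such as 1-2:1.0 do not.
        [ -r "$dev/idVendor" ] || continue
        # authorized=0 is the state the udev rule sets; such devices are skipped.
        [ "$(cat "$dev/authorized" 2>/dev/null)" = "1" ] || continue
        for ifc in "$dev"/*:*; do
            [ -r "$ifc/bInterfaceClass" ] || continue
            if [ "$(cat "$ifc/bInterfaceClass")" = "08" ]; then
                printf '%s %s:%s\n' "${dev##*/}" \
                    "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")"
                found=1
                break
            fi
        done
    done
    # Non-zero exit status when at least one violation was printed.
    [ "$found" -eq 0 ]
}

# Constructed sample tree mimicking the sysfs layout (hypothetical helper and IDs).
make_sample_tree() {
    t="$1"
    mkdir -p "$t/1-1/1-1:1.0" "$t/1-2" "$t/1-3/1-3:1.0"
    # 1-1: storage device, still authorized (the case the audit must flag)
    echo aaaa > "$t/1-1/idVendor"; echo 0001 > "$t/1-1/idProduct"
    echo 1 > "$t/1-1/authorized";  echo 08 > "$t/1-1/1-1:1.0/bInterfaceClass"
    # 1-2: device already deauthorized
    echo aaaa > "$t/1-2/idVendor"; echo 0002 > "$t/1-2/idProduct"
    echo 0 > "$t/1-2/authorized"
    # 1-3: HID keyboard (class 03), authorized and out of scope
    echo bbbb > "$t/1-3/idVendor"; echo 0003 > "$t/1-3/idProduct"
    echo 1 > "$t/1-3/authorized";  echo 03 > "$t/1-3/1-3:1.0/bInterfaceClass"
}
```

On a live host, call `usb_storage_violations` with no argument; a non-zero exit status means at least one authorized storage device is attached.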
### **What Undercode Say**
Controlling USB access is crucial for enterprise security. Intune provides a seamless way to enforce policies, but combining it with Group Policy (GPO) and local registry tweaks ensures deeper protection. For Linux admins, udev rules and kernel-level USB disabling (`modprobe -r usb_storage`) add extra layers of defense. Always test policies in audit mode before full enforcement.
### **Expected Output:**
- Intune policy successfully blocking USB storage.
- PowerShell/registry changes preventing unauthorized USB access.
- Linux udev rules automatically disabling unauthorized USB devices.
Reference: Martin Byskov’s Blog | Microsoft Intune Docs