This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 11%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hi All,
We are planning to deploy Microsoft Defender as our endpoint security solution and use Intune to apply device control.
We intend to block access to all mobile phones connected via USB on our W10 workstations. Trying to find a solution on how best to apply this configuration and if its even possible.
We are using the Microsoft Defender for Endpoint baselines to block write access to any USB devices that are not encrypted. However, this does not prevent the phones connecting to the W10 workstation via USB and apply as a storage device.
Tried to use device config profiles policy to add allowed device class IDs for all plug and play USBs. That too don't work and blocks all USBs devices.
Used the identifiers based on the article below
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors
Would appreciate any suggestions.
Thanks,
Mo
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
How you setup device block list?
Is it like set all devices into blacklist except the one you add to whitelist?
@Reza-Ameri Thank you for your reply.
I want to block all mobile phones using USB connection but whitelist/allow all other removable devices (USBs),
@Mo Alom Thanks for posting in our Q&A. From your description, I know that we need to block all USB connection from mobile devices to win10 devices. If there is anything misunderstanding, feel free to let us know.
For this issue, we suggest to try to create a profile to block Removable storage and USB connection in device configuration profile > Device Restriction > General. We can read the following article as a reference.
https://learn.microsoft.com/en-us/windows/security/threat-protection/device-control/control-usb-devices-using-intune#block-installation-and-usage-of-removable-storage
Hope it will help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Lu Dai-MSFT thank you for the above article.
It looks like the settings "USB Connection (mobile only)" is no longer supported as part of the device restriction policy for Windows 10. The settings has now been removed however the article has not been updated.
If I were to configure the setting block "Removable storage" will this block all USB devices? and not just the mobile phones.
We are controlling all other USB devices with the Microsoft Defender for Endpoint baselines by making our users use the option of turning on bitlocker if USB drive is to be writeable and used.
Any suggestion on how to block mobile phones using USB connection and allow all other removeable devices (USBs).
This is what I have attempted to do so far but I get access denied to all removal drives
Microsoft Defender for Endpoint baseline - Settings
BitLocker removable drive policy – Configured
- Configure encryption method for removable data-drives - AES 256bit XTS
- Block write access to removable data-drives not protected by BitLocker – Yes
Device Configuration – Device Restriction Profile - Settings
Removable storage - Block
USB connection - Block
Device Configuration – Administrative template Profile - Settings
Allow installation of devices that match any of these device IDs – Enabled
Added device class ID:
Disk Drives
Class = DiskDrive
ClassGuid = {4d36e967-e325-11ce-bfc1-08002be10318}
This class includes hard disk drives. See also the HDC and SCSIAdapter classes.
Used the identifier based on the article below
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors
@Mo Alom Thanks for your reply.
Yes, if we configure the setting block "Removable storage", it will block all USB devices. So for the requirement, I had thought again.
In order to prevent the policies from influencing each other, we suggest to disable the Device Restriction Profile about USB. Then try to refer to this article to configure USB settings.
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/restrict-usb-with-administrative-template
If there is anything unclear, feel free to let us know.
There are policies for Phones (WPD devices):
WPD Devices: Deny read access
WPD Devices: Deny write access
(see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemovableStorageAccess::WPDDevices_DenyRead_Access_1)
This will not only block phones, but also include media players, auxiliary displays, and CE devices (according to MS documentation).
This will NOT deny access to other USB devices as mouse, keyboard, USB sticks or removable hard drives.