Microsoft Security | Intune | Configuration
Setting up and managing device configurations using Intune
Maybe this can help. https://rahuljindalmyit.blogspot.com/2023/02/deny-all-access-to-removable-storage.html
How to restrict USB devices installation on Windows 10 devices managed by Intune (Attack Sufrace Reduction)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 13%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Said AMCHART
956
Reputation points
Hello everyone,
I am trying to restrict access to USB devices and limit the USB thumbs devices that can be installed/accessible on certain Windows machines I enrolled to Intune.
I have following this: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-worldwide
Created a policy under Endpoint Security > Attack Surface reduction > Create Policy (with Device Control type selected)
The policy has the following configured:
- Allow installation of devices that match any of these device IDs (Enabled and added all the Instance IDs from the devices I want allowed)
- Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria (Enabled)
- Prevent installation of devices not described by other policy settings (Enabled)
- Every other setting was left Not Enalbled.
I pushed the policy to the devices. On the devices I can notice the following registry key getting populated with Device Instance IDs:
| Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
|---|
| AllowInstanceIDs |
I also noticed the following registry keys on the same location:
But all my tests with the devices that are not on the Instance IDs list specified fail. All the USB devices are able to be installed and accessed form this device.
I am mainly testing with USB thumb drives.
Any input or feedback will be valued.
Thank you!
Regards,
Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Other
Microsoft Security | Intune | Other
Other Intune-related topics, including unsupported scenarios and platform-specific behaviors
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 69%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Rahul Jindal 11,511 Reputation points2023-02-23T17:02:25.38+00:00 -
Said AMCHART 956 Reputation points
2023-02-23T18:35:08.4833333+00:00 Hi @Rahul Jindal ,
Thank you for the response, that article seems to be about blocking ALL removable storage devices.
I want to allow certain devices only and block all other devices.
Using Instance IDs seems to be the most probable way to do so but it's not working as expected.
Let me know if you have any other ideas.
Thank you,
-
Rahul Jindal 11,511 Reputation points
2023-02-23T20:01:50.83+00:00 I thought you wanted to block all usb drives. If it is certain class ids then what you are doing should work. Have a look at this post. https://rahuljindalmyit.blogspot.com/2021/10/the-fine-balance-between-device-control.html
-
Said AMCHART 956 Reputation points
2023-02-24T16:43:22.1533333+00:00 Hi @Rahul Jindal [MVP] ,
Thank you again for the reply,
I seems though that the options on the blog have changed/renamed.
These two options are no longer available under Device Control:
Let me know if you have any additional tips.
Thank you!
Regards,
-
Said AMCHART 956 Reputation points
2023-03-03T13:32:36.81+00:00 Hi @Rahul Jindal [MVP] ,
I hope this finds you well.
Let me know if you have additional suggestions.
Thank you!
-
Rahul Jindal 11,511 Reputation points
2023-03-06T17:12:26.8266667+00:00 Correct, which is why the first link should get you to control different categories of removable drives. I cover blocking access to all, but you can customize it. https://rahuljindalmyit.blogspot.com/2023/02/deny-all-access-to-removable-storage.html
Sign in to comment -