How to block USB Storage devices, but allow specific ones using Intune?

Brian Liu 150 Reputation points
2023-08-17T08:26:45.4833333+00:00

Hi,

I'm trying to create a configuration profile with Intune that blocks USB Storage devices, but will allow specific ones based on the Device ID number or serial number.

I've tried a number of links, including the one below, with no luck, and the profile I create just blocks all the USB storage devices, even the one that I've specified not to block. Can anybody suggest something for me to try?

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-worldwide#deploying-and-managing-policy-via-intune

Thanks,

Microsoft Security | Intune | Configuration
Windows for business | Windows Client for IT Pros | User experience | Other

Accepted answer
  1. Lu Dai-MSFT 28,501 Reputation points
    2023-08-18T01:46:21.24+00:00

    @Brian Liu Thanks for posting in our Q&A.

    For this issue, did you try to restrict USB devices and allow specific USB devices using Administrative Templates? Please refer to the following article:

    https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Mohamed Riswan 0 Reputation points
    2024-11-05T06:14:28.95+00:00

    So I did the below, and the USB storage device that I've allowed by Device ID is still being blocked:

    • Enabled "Prevent installation of devices not described by other policy settings"
    • Enabled "Allow installation of devices using drivers that match these device setup classes"
    • Enabled "Allow installation of devices that match any of these Device IDs"

    I've also tried setting this up using the "Attack surface reduction" option in Endpoint Security.

    Registered all class GUIDs, hardware IDs and compliance IDs; still facing the issue.
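
An added diagnostic example, not part of the thread or of the linked Microsoft articles: this PowerShell lists the hardware IDs, compatible IDs and setup class GUID that Windows reports for a connected USB storage device and for each USB node above it, so they can be compared with the values entered in the "Allow installation of devices..." settings named above. It assumes the drive enumerates under `USBSTOR\` and that the standard PnpDevice cmdlets are available; `Get-DeviceNodeInfo` is a hypothetical helper name.

```powershell
# Added diagnostic example (not from the thread). Run with the USB drive plugged in.
# Assumption: the drive enumerates as USBSTOR\...; Get-DeviceNodeInfo is a hypothetical helper.
function Get-DeviceNodeInfo {
    param([Parameter(Mandatory)][string]$InstanceId)

    # Identifiers that the device installation restriction settings match against.
    $keys = 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds',
            'DEVPKEY_Device_ClassGuid', 'DEVPKEY_Device_Class', 'DEVPKEY_Device_Parent'
    $props = @{}
    Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $keys -ErrorAction SilentlyContinue |
        ForEach-Object { $props[$_.KeyName] = $_.Data }

    [pscustomobject]@{
        InstanceId    = $InstanceId
        Class         = $props['DEVPKEY_Device_Class']
        ClassGuid     = $props['DEVPKEY_Device_ClassGuid']
        HardwareIds   = @($props['DEVPKEY_Device_HardwareIds']) -join '; '
        CompatibleIds = @($props['DEVPKEY_Device_CompatibleIds']) -join '; '
        Parent        = $props['DEVPKEY_Device_Parent']
    }
}

# Start at each present USB disk and walk up through its USB parent nodes.
$disks = Get-PnpDevice -PresentOnly -Class DiskDrive |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

foreach ($disk in $disks) {
    $id = $disk.InstanceId
    while ($id -match '^USB(STOR)?\\') {
        $node = Get-DeviceNodeInfo -InstanceId $id
        $node | Format-List InstanceId, Class, ClassGuid, HardwareIds, CompatibleIds
        $id = $node.Parent
    }
}
```

Each node printed is a separate device that Windows installs when the drive is plugged in.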

