I have deleted usb policy in intune but still device is getting affected? USB is still blocked. How to resolve?

Question

I have deleted usb policy in intune but still device is getting affected? USB is still blocked. How to resolve?

Vanshika Parmar 0

Hi, I had earlier implemented a policy to block USB using endpoint security. After that, I deleted the policy and even after syncing the USB is still blocked. Even after removing the device from Azure-AD Joined from access work or school, it is blocked.I want the policy to allow for certain devices and block for others. The policy is not working as expected. Please help me to resolve this issue.

Rahul Jindal 11,596 Reputation points

2023-12-16T10:45:18.62+00:00

Removing the policy assignment will not necessarily revert the setting. It only works for selected few CSPs. You will have to create another policy doing the opposite of enablement or set to ‘not configured’ and assign that to the devices in question. Just make sure the same devices are excluded from the enablement assignment otherwise there will be a conflict.
Vanshika Parmar 0 Reputation points

2023-12-16T10:54:51.9333333+00:00

I tried doing the same but the usb is still blocked

3 answers

Your answer

Rahul Jindal 11,596 Reputation points

2023-12-16T10:45:18.62+00:00

Removing the policy assignment will not necessarily revert the setting. It only works for selected few CSPs. You will have to create another policy doing the opposite of enablement or set to ‘not configured’ and assign that to the devices in question. Just make sure the same devices are excluded from the enablement assignment otherwise there will be a conflict.
Vanshika Parmar 0 Reputation points

2023-12-16T10:54:51.9333333+00:00

I tried doing the same but the usb is still blocked

Answer 1

@Vanshika Parmar, Thanks for posting in Q&A. From your description, I know we have removed the USB block policy. But the USB is still blocked. In General, Intune settings are based on the Windows configuration service provider (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, also called tattooing. For USB the setting will be kept when we remove the profile.

https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#a-profile-is-deleted-or-no-longer-applicable

I notice you have created the profile again with the allow setting. But it is still blocked. Please go to the following location to see if any registry key existing which can block the USB. If yes, remove them to see if the USB can be accessed.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Vanshika Parmar 0

User's image

In the screenshot, the deny value is set to 0 so it should be allowed but its still giving block. Giving one more screenshot for your reference:

User's image

Crystal-MSFT 54,206 Reputation points Microsoft External Staff

2023-12-18T07:22:36.8433333+00:00

@Vanshika Parmar, Thanks for the reply. From the information provided, I know the USB is allow. But when we access, it shows denied. Please check the registry key in the following location to see if it has any deny setting.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices

Meanwhile, please restart the device and reconnect the USB to see if the result will be different.
Vanshika Parmar 0 Reputation points

2023-12-18T08:37:06.76+00:00

This is an different path where in start it is HKEYLOCALMACHINE and for the path which you are asking earlier and now HKEYCURRENT

:

there is no path of removable storage devices.

And after restarting the device ,the usb is still blocked.there is no impact.can you just tell how i can untattoed the device?
Crystal-MSFT 54,206 Reputation points Microsoft External Staff

2023-12-18T09:22:47.3266667+00:00

@Vanshika Parmar, Thanks for the reply. The place I know for the setting is the one you check. And it is already allowed. So I wonder if there's other place which may block this. So I ask to check the registry under HKEY_CURRENT_USER, But there's no registry key with RemovableStorageDevices. Please search in the registry to see if there's any other registry key with "RemovableStorageDevice" existing.

However, if there's no such registry key, you can try the method in the following link to see if we can access the USB.

https://www.anyrecover.com/storage-device-tips/usb-access-denied/#:~:text=While%20below%20are%20some%20of%20the%20most%20common,of%20BitLocker%20encryption%20on%20the%20external%20hard%20disk.

Note: Non-Microsoft link, just for the reference.

Answer 3

Jatin Makhija 1,181

Try using Powershell script to change registry values which unblocks USB drive. Refer to this step by step guide: https://cloudinfra.net/block-usb-drives-access-on-windows-using-intune-remediations/. Hope this will resolve your Issue.

---If the response is helpful, please click "Accept Answer" and upvote it.---

Share via

I have deleted usb policy in intune but still device is getting affected? USB is still blocked. How to resolve?

3 answers

Your answer