Block USB with Intune

Ahmed Sh 100 Reputation points

We have configured an attack surface reduction rule to block USB.

It works on one device but not the others, therefore I assume there is no issue with the policy. The main config is as follows (Removable Disk Deny Write Access: enabled). The rest is pretty much not configured.


- I am just wondering what events in Event Viewer could be checked?

- What could be a cause for the issue?

- Any known causes/issues?

From the MDM diagnostic report (same on working and non-working devices): Storage RemovableDiskDenyWriteAccess 0 1 device 83AF4780-92A8-44A1-9EFD-63B38B2173C6=1

- Could it be replication time? Any help would be appreciated.



1 answer

  1. S.Sengupta 16,571 Reputation points MVP

    Check the "Microsoft-Windows-DeviceGuard/Operational" log for events related to the enforcement of the attack surface reduction rules.

    Look for events with Event ID 1121 or 1122, which indicate the blocking of a process or file.

    Also, check the "System" log for any related errors or warnings.

    1. The provided configuration "Storage RemovableDiskDenyWriteAccess 0 1 device 83AF4780-92A8-44A1-9EFD-63B38B2173C6=1" indicates that the policy is enabled (value 1) for the specific device ID.
    2. Verify that the same configuration is present on the non-working devices. If it's missing or has a different value, it could explain why the policy is not effective on those devices.
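One way to carry out the comparison suggested in the answer, as an added example that is not part of the original thread: run it in an elevated PowerShell session on a working and a non-working device and compare the output. The registry locations are assumptions based on the Policy CSP layout and the Group Policy mapping of this setting, and the function name `Get-RemovableDiskWritePolicy` is hypothetical.

```powershell
# Added example: report how Storage/RemovableDiskDenyWriteAccess landed on this device.
# Registry paths are assumptions (Policy CSP layout and GP mapping), not taken from the thread.
function Get-RemovableDiskWritePolicy {
    [CmdletBinding()]
    param()

    $name      = 'RemovableDiskDenyWriteAccess'
    # Merged (effective) MDM value across all config sources
    $current   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    # One subkey per config source (enrollment GUID), as shown in the MDM diagnostic report
    $providers = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
    # Group Policy equivalent: "Removable Disks: Deny write access"
    $gpKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

    # Helper: return a registry value, or $null when the key or value is absent
    $read = {
        param($Path, $Value)
        (Get-ItemProperty -LiteralPath $Path -Name $Value -ErrorAction SilentlyContinue).$Value
    }

    # Which config sources delivered the setting, and with what value
    $sources = Get-ChildItem -LiteralPath $providers -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = & $read "$($_.PSPath)\default\Device\Storage" $name
            if ($null -ne $v) { '{0}={1}' -f $_.PSChildName, $v }
        }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MdmMergedValue = & $read $current $name   # expected 1 when the policy is applied
        MdmSources     = $sources -join ';'       # e.g. <enrollment GUID>=1
        GpDenyWrite    = & $read $gpKey 'Deny_Write'
    }
}

Get-RemovableDiskWritePolicy | Format-List
```

An empty `MdmMergedValue` on a device whose diagnostic report shows the policy, or a value that differs between the two devices, narrows the problem to policy delivery rather than enforcement.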