Block USB with Intune

Ahmed Sh 100 Reputation points
2024-06-04T14:01:14.8+00:00

We have configured an attack surface reduction rule to block USB.

It works on one device but not the others, therefore I assume there is no issue with the policy. The main config is as follows (Removable Disk Deny Write Access: enabled); the rest is pretty much not configured.

 

- I am just wondering what events in Event Viewer could be checked?

- What could be a cause for the issue?

- Any known causes/issues?

From the MDM diagnostic report (same on working and non-working devices): Storage RemovableDiskDenyWriteAccess 0 1 device 83AF4780-92A8-44A1-9EFD-63B38B2173C6=1

- Could it be replication time? Any help would be appreciated.

 


1 answer

  1. S.Sengupta 16,571 Reputation points MVP
    2024-06-07T01:17:41.0066667+00:00

    Check the "Microsoft-Windows-DeviceGuard/Operational" log for events related to the enforcement of the attack surface reduction rules.

    Look for events with Event ID 1121 or 1122, which indicate the blocking of a process or file.

    Also, check the "System" log for any related errors or warnings.

    1. The provided configuration "Storage RemovableDiskDenyWriteAccess 0 1 device 83AF4780-92A8-44A1-9EFD-63B38B2173C6=1" indicates that the policy is enabled (value 1) for the specific device ID.
    2. Verify that the same configuration is present on the non-working devices. If it's missing or has a different value, it could explain why the policy is not effective on those devices.
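
The checks from the answer above, gathered into one PowerShell script so the output from a working and a non-working device can be compared. This is an added example, not code from the thread; the PolicyManager registry path, the 7-day window and the keyword filter are assumptions.

```powershell
# Added example (not from the thread): collect the evidence the answer asks for
# on one device, so a working and a non-working device can be compared.
# Run in an elevated PowerShell session on each device.

# Assumption: MDM-delivered policy values are cached under this PolicyManager key.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
$policyName = 'RemovableDiskDenyWriteAccess'    # name as shown in the MDM diagnostic report

$asrLog   = 'Microsoft-Windows-DeviceGuard/Operational'   # log named in the answer
$asrIds   = 1121, 1122                                    # event IDs named in the answer
$since    = (Get-Date).AddDays(-7)                        # constructed look-back window
$keywords = 'removable|usb|storage'                       # constructed filter for "related" System events

# 1. Policy value as the device sees it ($null means the value is absent).
$prop  = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
$value = if ($prop) { $prop.$policyName } else { $null }

# 2. Events 1121/1122 in the log the answer points to.
$asrEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = $asrLog; Id = $asrIds; StartTime = $since
    } -ErrorAction SilentlyContinue)

# 3. Errors (level 2) and warnings (level 3) in the System log that mention the keywords.
$sysEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $keywords })

# One JSON document per device, easy to diff between devices.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    PolicyValue   = $value
    AsrEventCount = $asrEvents.Count
    AsrEvents     = @($asrEvents | ForEach-Object { '{0:s} {1}' -f $_.TimeCreated, $_.Id })
    SystemEvents  = @($sysEvents | Select-Object -First 20 | ForEach-Object {
            '{0:s} {1} {2}' -f $_.TimeCreated, $_.Id, $_.ProviderName })
} | ConvertTo-Json -Depth 3
```

A `PolicyValue` of `null` on a non-working device means the setting never reached it, while a value of 1 on both devices points the investigation away from policy delivery.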