In this blog post, we’ll show you how to block USB and removable storage on Windows 10 devices with Microsoft Intune. There are a number of reasons why a business might want to do this.
For example, blocking USBs can help protect against malicious files being copied onto the device, where they could then be used as an attack vector for data exfiltration. Or perhaps you want to prevent confidential data from being copied out of your organization using these types of storage devices. Whatever your reason for wanting to block them, here is what you need to know about it!
In the previous post, we discussed what you can do with Microsoft Intune.
Block USB and removable storage policy
The following is how to block USB and removable storage on Windows 10 devices with Microsoft Intune. The first step in blocking USBs and removable storage is to provide a list of the drives that you want to register as blocked. You can then add these drives and set their properties to be read-only or hidden; this will make the drive inaccessible within Windows.
To get started, open the Microsoft Endpoint Manager and click Endpoint security -> Attack surface reduction -> Create Policy.
From the Create policy page, select the Platform (Windows 10 and later) and select the profile Device control.
Name the policy and click Next to move to the Configuration settings. There, set Block removable storage to Yes and Block write access to removable storage to Yes.
Continue to the assignments section and select the Azure AD group that the policy will apply to.
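Once the policy has synced to a device in the assigned group, you can confirm that it took effect. The following PowerShell is an added example, not part of the original post: it lists the removable volumes Windows has mounted and tries to read from and write a probe file to each one. The function name Test-RemovableWriteBlocked and the probe file name are made up for this example, and it assumes you run it on a test device with a USB drive plugged in.

```powershell
# Added verification example (not from the original post).
# Run on a test device after the Device control policy has synced,
# with a USB drive plugged in.
function Test-RemovableWriteBlocked {
    [CmdletBinding()]
    param()

    # Removable volumes that Windows has mounted with a drive letter.
    $volumes = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    if (-not $volumes) {
        # Either no drive is plugged in, or the device was blocked before mounting.
        Write-Warning 'No removable volume is mounted on this device.'
        return
    }

    foreach ($v in $volumes) {
        $root  = "$($v.DriveLetter):\"
        $probe = [System.IO.Path]::Combine($root, "policy-probe-$([guid]::NewGuid()).tmp")
        $row   = [pscustomobject]@{
            Drive        = $root
            Label        = $v.FileSystemLabel
            Readable     = $false
            WriteBlocked = $false
            Detail       = ''
        }

        # Read test: listing the root fails when access to the drive is denied.
        try {
            Get-ChildItem -LiteralPath $root -ErrorAction Stop | Out-Null
            $row.Readable = $true
        } catch {
            $row.Detail = "Read denied: $($_.Exception.Message)"
        }

        # Write test: create and remove a small probe file.
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            $row.Detail = 'Write succeeded: the policy is not in effect for this drive'
        } catch {
            $row.WriteBlocked = $true
            if (-not $row.Detail) { $row.Detail = "Write denied: $($_.Exception.Message)" }
        }
        $row
    }
}

Test-RemovableWriteBlocked | Format-Table -AutoSize -Wrap
```

A row with WriteBlocked set to False means a user can still copy data to that drive, so check that the device is a member of the assigned Azure AD group and has synced.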