In this Microsoft Intune post, I will show you how to whitelist USB devices on Windows using Intune.
With Microsoft Intune, we can block read and write access to USB ports and prevent users from using USB.
The problem starts when we also want to allow some USB devices and specific USB hardware to be used on the machine, such as a USB keyboard.
Using Microsoft Intune, we can do that; we can block USB access and, at the same time, whitelist specific devices.
Whitelist USB Devices on Windows Using Intune
To whitelist USB devices on Windows, we will use Intune Administrative Templates, as you will see.
To whitelist USB devices, create a Settings catalog policy and set the values in the table below (see screenshot for more details).
In the catalog, search for the last four values and add the hardware IDs of the devices you would like to whitelist.
| Setting | Value |
| --- | --- |
| Platform | Windows 10 or later |
| Profile type | Settings catalog |
| Removable Disks: Deny execute access | Enabled |
| All Removable Storage classes: Deny all access | Enabled |
| Removable Disks: Deny read access | Enabled |
| Allow installation of devices that match any of these device IDs | Add the hardware ID for the devices you want to whitelist |
The screenshot below shows the policies.
As an optional step, you can add the "Block untrusted and unsigned processes that run from USB" setting and set it to Enabled.
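To fill in the "Allow installation of devices that match any of these device IDs" value, you need the hardware IDs of the devices you want to allow. The script below is an added example, not part of the original post: it lists the hardware IDs of USB devices plugged into a reference machine. The output file path is an assumption; change it as needed.

```powershell
# Added example: collect hardware IDs of USB devices that are currently plugged in,
# for use in the "Allow installation of devices that match any of these device IDs"
# setting. Run on a reference machine with the devices to be allowed attached.
$OutFile = Join-Path $env:TEMP 'usb-hardware-ids.csv'   # assumed output location

$rows = foreach ($dev in Get-PnpDevice -PresentOnly) {
    # Keep only device nodes enumerated by the USB bus or the USB storage driver.
    # Child nodes (for example HID\... under a USB keyboard) are not listed here.
    if ($dev.InstanceId -notmatch '^(USB|USBSTOR)\\') { continue }

    $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue

    # A device reports several hardware IDs, ordered from most specific
    # (often including the revision) to most generic. Rank 1 is the most specific.
    $rank = 0
    foreach ($id in @($prop.Data)) {
        if (-not $id) { continue }          # property missing or empty
        $rank++
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            Rank         = $rank
            HardwareId   = $id
        }
    }
}

if (-not $rows) {
    Write-Warning 'No USB devices found. Plug in the devices you want to allow and run again.'
    return
}

$sorted = $rows | Sort-Object -Property Class, FriendlyName, Rank, HardwareId -Unique
$sorted | Format-Table -AutoSize
$sorted | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Saved $(@($sorted).Count) hardware IDs to $OutFile"
```

A more generic ID (higher Rank) matches more devices than a specific one, so choose the most specific ID that still covers the hardware you intend to allow.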
Cannot get this to work to allow specific USB storage devices/removable disks like SanDisk to work. Even have the Device IDs listed as allowed. Still get “Access is Denied”.