How to disable access to removable storage devices with Microsoft Intune

Your computer's USB ports are an obvious gateway to trying to compromise your security. You must therefore limit its use and thus prevent a user from connecting a storage device that could contain a virus or other malware that could affect your security.

Microsoft Intune provides the ability to address this vulnerability by creating a CSP. Setting it up will prevent access to the following elements:
  • External USB Storage
  • SD Card
To do this, I invite you to follow the procedure below.

Create the Configuration Profile

  • Go to
  • Navigate to Devices Windows / Configuration Profiles
  • Click Create Profile
  • In Create a Profile, select :
    • Platform : Windows 10 and later
    • Profile Type : Template
    • Template Name : Device Restriction
  • Click Create
  • Enter the profile name in the name field and click Next
  • Configuration Settings, navigate to General
    • For Removable Storage, switch the parameter to Block
    • Click Next
  • Assignements, select Devices group or All devices and click Next
  • Applicability Rules, click Next
  • Review + Create, click Create


Applying the configuration profile

  • Go to the Intune Management Console
  • Navigate to Devices / Configuration Profiles
  • Click on your Configuration Profile
  • At the top of the page, click on View Report

Verification of the application of the parameter on the device

  • Open the Windows registry (Regedit)
  • Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
  • Check this value :
    • Deny_All equal 1

User side

When the user tries to open a USB storage device, he will get the following message:

Popular posts from this blog

How to implement Applocker with Microsoft Intune

How to reset computer in OOBE mode

Microsoft Intune, Uninstall Win32 app with the company portal