Blocking USB devices on Windows with an Intune Device Configuration profile

There are a number of ways to block USB storage devices using Intune. You can also complete:

Navigate to https://endpoint.microsoft.com and select Device from the menu on the left as shown above.

Then, select Windows on the right.

Select Configuration profiles from the menu on the left as shown.

Select Create profile.

Then select the Platform as Windows 10 and later.

Select the Profile type as Templates.

From the list of templates select Administrative Templates.

Select Create in the bottom right.

Give the policy a meaningful name and description.

Select Next to continue.

Select Computer configuration.

Then enter the following into the Search box ‘prevent installation of devices’ and Search.

Typically, the first item returned will be ‘Prevent installation of devices not described by any other policy. Select this.

Select the option Enabled.

Select OK.

Select Next to continue.

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

You will now see a summary. Ensure the Configuration settings has the above set before selecting the Create button to complete the policy.

You can also review these settings at any time by simply selecting the policy in the list and viewing its details as shown above.

You now need to wait until the policy is deployed successfully to devices. You can check the status of this by viewing the Device status for the policy as shown above.

If you now try and plug in an unknow USB storage device you may see the above warning. In other cases, you will see no warning but USB device storage will be blocked.

Some points to remember:

1. The above policy is only designed for Windows 10 and above

2. The above policy won’t prevent USB storage devices that have already been used on an endpoint. These need to be removed from the device manager on the device to be blocked in future.