Blocking USB devices on Windows with an Intune Endpoint Security policy

There are a number of ways to block USB devices using Intune. The following method uses an Endpoint Security Policy.

Navigate to https://endpoint.microsoft.com and select Endpoint security from the menu on the left as shown above.

Then select Attack surface reduction from the options that appear on the right as shown above.

Select Create policy.

Select Platform as Windows 10 and later as shown.

Select Profile as Device Control as shown.

Select Create in the bottom right.

Give the policy a meaningful name and description.

Select Next to continue.

Under the System > Device Installation > Device Installation Restrictions heading locate the Prevent installation of removable devices item and set this to Enabled as shown above.

Select Next to continue.

Scroll down the list of available settings to locate the Device Control section as shown. To prevent any new USB device from installing, ensure this option is set to Not configured.

Select Next to continue.

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

On the summary screen, expand the Administrative Templates option as shown. In here you should see that Prevent installation of removable devices is set to Enabled.

Select Create.

The created policy should now be listed as shown above. Click on it to view.

When the policy has been successfully applied to the devices it was assigned to, you should see the device status as shown above.

Select the View report button.

You should now see all the devices listed that have this policy applied to them, as shown above.

If you now try to plug in an unknown USB storage device you may see the above warning. In other cases you will see no warning, but the USB storage device will still be blocked.

Some points to remember:

1. The above policy is only designed for Windows 10 and above

2. The above policy won’t prevent USB storage devices that have already been used on an endpoint. These need to be removed from the device manager on the device to be blocked in future.

3. Some USB devices that don’t appear as storage devices in fact have a small amount of storage on them (for video and projector drivers for example). These will also be blocked.

4. You can create exceptions to this policy via the device ID if you wish.
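To check the result on an enrolled endpoint rather than only in the portal, here is an added PowerShell example (not part of the original post). It assumes the Intune setting lands in the same registry location as the equivalent Group Policy (the DeviceInstall\Restrictions key and its DenyRemovableDevices and AllowDeviceIDs values), confirms the block is in force, lists any device ID exceptions (point 4), and enumerates USB storage devices that were installed before the policy and so are not blocked until removed from Device Manager (point 2).

```powershell
# Added example, not the original post's content. Assumption: the Intune setting
# "Prevent installation of removable devices" is written to the ADMX-backed key below.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-RemovableDeviceBlock {
    # True when DenyRemovableDevices exists and is set to 1 (policy applied).
    $props = Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.DenyRemovableDevices -eq 1)
}

function Get-AllowedDeviceIds {
    # Exceptions (point 4) are stored as numbered string values under AllowDeviceIDs.
    $allowKey = Join-Path $RestrictionsKey 'AllowDeviceIDs'
    if (-not (Test-Path $allowKey)) { return @() }
    $item = Get-Item $allowKey
    return $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

function Get-PreviouslyInstalledUsbStorage {
    # Get-PnpDevice returns installed devices even when not currently plugged in,
    # so every USBSTOR disk here was installed before the policy took effect (point 2).
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

if (Test-RemovableDeviceBlock) {
    Write-Output 'Prevent installation of removable devices: Enabled (policy applied)'
} else {
    Write-Output 'Prevent installation of removable devices: NOT applied - check assignment and sync'
}

$allowed = @(Get-AllowedDeviceIds)
Write-Output ("Device ID exceptions configured: {0}" -f $allowed.Count)
$allowed | ForEach-Object { Write-Output "  allow: $_" }

$existing = @(Get-PreviouslyInstalledUsbStorage)
Write-Output ("USB storage devices already installed (not blocked by this policy): {0}" -f $existing.Count)
$existing | Format-Table -AutoSize
```

Run it in an elevated PowerShell session after the device has synced with Intune; devices listed in the last table are the ones that need to be removed from Device Manager for the policy to apply to them.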

Another Defender for Endpoint integration

If you visit Microsoft Endpoint Manager | Endpoint Security | Microsoft Defender for Endpoint and scroll down the page on the right, you will see the new section App Policy Protection Settings as shown above. Turning this ON allows the state of Microsoft Defender on both Android and iOS to feed into your compliance policies.

Once you have enabled these settings, visit Apps | App Protection policies and edit or create a policy. During this process you will find a Conditional launch section. If you scroll down to the bottom of that page you will see the screen shown above, where you can add the setting for the Max allowed device threat option. This is the threat level you are willing to allow on a device. If the threat level on a device goes above this, the selected action will take place. That action can be either Wipe or Block. Wipe is rather drastic, especially to start with, so Block is probably the best starting point.

You can read more about this new capability here:

Microsoft Defender for Endpoint risk signals available for your App protection policies (preview)

It is a nice integration, and we are beginning to see more of this kind between device management and Defender for Endpoint.