Disable access to removable storage devices with Intune

In today’s digitized landscape, where security threats loom large, it’s paramount to be proactive in safeguarding your system. While the versatility of USB ports and other removable storage devices is undeniable, they can also serve as gateways for potential security breaches. To fortify your system against malicious software infiltrations, it’s essential to curtail access to these external ports. Microsoft Intune offers an effective solution: a configuration profile, delivered to devices through a Configuration Service Provider (CSP), that restricts access to removable storage devices. In this guide, we’ll walk you through the process, empowering you to enhance your system’s security and protect against potential vulnerabilities.

USB ports and similar removable storage interfaces are a double-edged sword. While they offer convenience, they can also be avenues for unauthorized access and malware infiltration. By limiting access to these ports, you’re not only safeguarding your data but also mitigating the risk of viruses or other malware that could compromise your security.

Follow these step-by-step instructions to set up the Configuration Profile using Microsoft Intune:

1. **Access the Intune Portal:** Head to [Intune.microsoft.com](https://www.microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans) to access the Intune portal.

2. **Navigate to Configuration Profiles:** Move to **Devices > Windows > Configuration Profiles**.

3. **Create a Profile:** Click on **Create Profile**.

4. **Configure Profile Settings:**

   – Platform: Choose **Windows 10 and later**.

   – Profile Type: Opt for **Template**.

   – Template Name: Assign a meaningful name like **Device Restriction**.

5. **Create the Profile:** Click the **Create** button.

6. **Provide Profile Details:**

   – Enter a descriptive name for the profile.

   – Click **Next**.

7. **Configure Settings:**

   – Navigate to the **General** section.

   – Under **Removable Storage**, switch the parameter to **Block**.

8. **Proceed:**

   – Click **Next**.

9. **Assign the Profile:**

   – Choose the relevant target audience, either **Devices group** or **All devices**.

   – Click **Next**.

10. **Applicability Rules:**

    – Proceed with default settings.

    – Click **Next**.

11. **Review and Finalize:**

    – Review the configuration settings.

    – Click **Create** to finalize the process.

After setting up the Configuration Profile, it’s crucial to verify its successful application:

1. **Access Intune Management Console:** Head to the Intune Management Console.

2. **Navigate to Configuration Profiles:** Go to **Devices > Configuration Profiles**.

3. **View the Profile Report:**

   – Click on your created **Configuration Profile**.

   – At the top of the page, click on **View Report** to ensure the profile is active.

### Confirmation in the Windows Registry

For an additional layer of confirmation:

1. **Access Windows Registry:** Open the **Windows registry** (Regedit).

2. **Navigate to Policy Location:**

   – Navigate to **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices**.

3. **Check Deny_All Value:**

   – Confirm that the **Deny_All** value equals **1**.
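The same registry check can be scripted so it does not have to be done by hand in Regedit on each device. The PowerShell below is an added example, not part of the original guide; the function name `Test-RemovableStorageBlocked` is hypothetical, while the key path and the `Deny_All` value are the ones given in the steps above.

```powershell
# Added example: checks the policy value described in the registry steps above.
# Save as a .ps1 file and run it on the managed device.

function Test-RemovableStorageBlocked {
    [CmdletBinding()]
    param(
        # Key path and value name as given in this guide.
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
        [string]$Name = 'Deny_All'
    )

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Value        = $null
        Blocked      = $false
        Detail       = ''
    }

    # Case 1: the policy key does not exist (profile not yet applied or not targeted).
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Detail = 'Policy key not present.'
        return $result
    }

    # Case 2: the key exists but the value is missing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Detail = "Key exists but $Name is missing."
        return $result
    }

    # Case 3: the value exists; only 1 counts as blocked.
    $result.Value   = $item.$Name
    $result.Blocked = ($item.$Name -eq 1)
    if ($result.Blocked) {
        $result.Detail = "$Name = 1; removable storage is blocked."
    } else {
        $result.Detail = "$Name = $($item.$Name); expected 1."
    }
    return $result
}

$status = Test-RemovableStorageBlocked
$status | Format-List
# A non-zero exit code lets a scheduled task or wrapper script flag the device.
if (-not $status.Blocked) { exit 1 }
```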

By effectively utilizing the Configuration Profile feature offered by Microsoft Intune, you’re taking substantial strides in enhancing your system’s security. Restricting access to removable storage devices is a proactive measure to shield your system from potential vulnerabilities. Follow the steps outlined in this guide to establish this added layer of security and fortify your digital environment against potential security risks.
