
Block USB Drives with Microsoft Intune (Step-by-Step)

USB flash drives are one of the most overlooked attack vectors in a corporate environment. They're cheap, easy to lose, and can carry malware or walk sensitive data straight out of your building. If your fleet is managed by Microsoft Intune, locking down removable storage takes about five minutes and doesn't require touching a single device.

This guide walks you through creating a Device Control policy using Intune's Attack Surface Reduction (ASR) feature, from the first click in the Admin Centre to verifying it worked on an end-user machine.

Why Block USB Drives?

Removable storage sits at the intersection of two major security risks, data exfiltration and malware delivery. Here's why restricting it should be on every IT team's checklist:

  • Data Exfiltration: Employees can copy entire folders of sensitive data to a USB drive in seconds, with no audit trail if devices aren't managed.
  • Malware Delivery: Infected USB drives are a classic initial access vector. A single plugged-in drive can execute malware before your AV even loads.
  • Compliance Gaps: Many compliance frameworks (ISO 27001, Cyber Essentials Plus) require controls on removable media. Unmanaged USB access is a common audit finding.
  • Shadow IT: Without controls, users can install unauthorised software or run portable apps directly from USB, bypassing corporate security tooling entirely.

ℹ️ Keyboards and mice are not affected: The Device Control policy targets removable storage (USB flash drives, external HDDs). HID devices like keyboards, mice, webcams, and headsets use different device classes and are completely unaffected.

Two Ways to Block USB in Intune

Intune gives you two methods to restrict USB access. Both are valid; which one you choose depends on how much control you need:

  • Attack Surface Reduction (ASR) Device Control policy: the quickest route. A single setting blocks write access to all removable storage across your managed fleet. This is what this guide covers.
  • Intune Remediations (PowerShell script): more flexible, letting you target specific device types or vendor IDs. Better for environments that need to allow certain approved USB devices while blocking others.
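
The Remediations route is only named above, not shown. As an added example (not code from the original guide), here is a detection script for that route that enforces a vendor-ID allow-list instead of a blanket write block: it finds each USB mass-storage disk, walks up to its parent USB node to read the VID/PID, and exits 1 when anything off the list is connected, which is the signal Intune uses to run the paired remediation script. The approved VIDs are constructed placeholders, and the parent-node lookup via DEVPKEY_Device_Parent and the Disable-PnpDevice remediation body are my assumptions about how to implement this, not something the guide specifies.

```powershell
<#
  Intune Remediation detection script (added example, not from the original guide).
  Flags any removable USB storage whose USB Vendor ID (VID) is not on the approved list.
  Exit code 1 = non-compliant (Intune then runs the paired remediation script).
  Exit code 0 = compliant.
#>

# Constructed allow-list: replace with the VIDs of your corporate-issued drives.
$ApprovedVendorIds = @('1234', 'ABCD')

function Get-UsbStorageDevices {
    # USB mass-storage disks enumerate on the USBSTOR bus, whose instance IDs carry a
    # vendor *name* (VEN_), not the numeric VID. The VID/PID lives on the parent USB
    # device node, so walk one level up via DEVPKEY_Device_Parent (assumed approach).
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                          -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
            # $PID is a read-only automatic variable in PowerShell, so use $prodId.
            $vid = $null; $prodId = $null
            if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vid = $Matches[1].ToUpper(); $prodId = $Matches[2].ToUpper()
            }
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                ParentId     = $parent
                VendorId     = $vid
                ProductId    = $prodId
            }
        }
}

function Get-UnapprovedUsbStorage {
    param([string[]]$Approved = $ApprovedVendorIds)
    Get-UsbStorageDevices | Where-Object {
        # A VID that could not be parsed is treated as unapproved: fail closed.
        (-not $_.VendorId) -or ($Approved -notcontains $_.VendorId)
    }
}

function Disable-UnapprovedUsbStorage {
    # Body of the paired remediation script: disables the offending disk device node.
    # Disable-PnpDevice needs admin rights; Intune runs remediations as SYSTEM by default.
    Get-UnapprovedUsbStorage | ForEach-Object {
        Disable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false -ErrorAction Continue
    }
}

# Detection entry point. Intune shows the last line written to stdout as the
# detection output for the device in the admin centre.
$unapproved = @(Get-UnapprovedUsbStorage)
if ($unapproved.Count -gt 0) {
    $summary = ($unapproved | ForEach-Object { "$($_.FriendlyName) [VID $($_.VendorId)]" }) -join '; '
    Write-Output "Unapproved removable storage present: $summary"
    exit 1
}
Write-Output 'Compliant: no unapproved removable storage connected'
exit 0
```

Upload the top part (without the call to Disable-UnapprovedUsbStorage) as the detection script and a copy that calls Disable-UnapprovedUsbStorage as the remediation script; Intune only runs the remediation when detection exits 1. Keep the allow-list short and reviewed, since any VID on it is trusted for every device the remediation is assigned to.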

Step-by-Step: Creating the ASR Device Control Policy


Step 1: Go to Attack Surface Reduction

Sign in to the Intune Admin Centre with a Global Admin or Intune Administrator account. In the left navigation, go to Endpoint Security → Attack Surface Reduction, then click Create Policy.

Screenshot: Endpoint Security → Attack Surface Reduction → Create Policy

Step 2: Configure the profile type

On the Create a profile screen, set the following:

Platform: Windows 10 and later (applies to Windows 10 and Windows 11 enrolled devices)
Profile type: Templates → Device Control (manages access to removable storage and peripheral devices)

Click Create to continue.

Screenshot: Select Windows 10 and later → Templates → Device Control

Step 3: Name the policy

On the Basics tab, give the policy a clear name and description so other admins understand its purpose at a glance.

Name: Block USB Drives
Description: Uses an ASR Device Control policy to block write access to removable storage on all managed Windows devices.

Click Next.

Screenshot: Basics tab with the name "Block USB Drives" and description filled in

Step 4: Configure the USB block setting

On the Configuration Settings tab, expand the Storage category. Find the Removable Disk Deny Write Access setting and set it to Enabled.

⚠️ Enabled vs Disabled: it's counterintuitive
The setting is called Deny Write Access, so setting it to Enabled means you are denying write access (blocking USB). Setting it to Disabled means write access is permitted. The original post had a screenshot showing "Disabled" highlighted; that's the default (allow) state, not what you want.

Screenshot: Configuration Settings with Removable Disk Deny Write Access set to Enabled to block USB write access

Extra hardening: BitLocker protection
If you want to take it further, also enable Deny write access to drives not protected by BitLocker. This allows corporate-issued encrypted USB drives while still blocking all unencrypted consumer drives.

Step 5: Add Scope Tags (optional)

If your organisation uses scope tags to delegate admin responsibilities, add the relevant tags here. Otherwise leave the default and click Next.

Screenshot: Scope tags step with the default scope tag listed (optional; leave the default if you're not using RBAC scoping)

Step 6: Assign the policy

On the Assignments tab, click Add groups under Included groups and select the Entra ID group containing the devices or users you want to target. You can target a pilot group first to test the policy before rolling it out org-wide.

Screenshot: Assignments tab with a pilot group added under Included groups

Click Next, review the summary on the final screen, then click Save.

What the End User Sees

Once the policy has synced to a device, any attempt to write to a USB drive is blocked. The user will see an error like this when they try to open or copy files to a removable drive:

🚫 Windows error message:

    Location is not available.
    F:\ is not accessible.
    Access is denied.

Screenshot: the error dialog shown when a user attempts to access a blocked USB drive

The drive will still appear in File Explorer (Windows detects the hardware), but any attempt to read or write to it will be denied. This confirms the ASR Device Control policy is applied and working correctly.

Verifying the Policy Applied

After assigning the policy, wait for the device to sync with Intune (usually 15 minutes to a few hours; you can force a sync via Company Portal or PowerShell). Then verify from two places:

  • Intune Admin Centre: Go to Endpoint Security → Attack Surface Reduction, find your policy, and check the device check-in status under the Assignments tab.
  • On the device: Plug in a USB drive and confirm the access denied error appears. You can also check Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceGuard for policy enforcement logs.

Force a sync to test faster
Don't want to wait for the automatic sync cycle? Open the Company Portal app on the device, go to Settings and click Sync. Or run the following in an elevated PowerShell window:

    Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoEnrollMDM" -Wait
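
The two checks above are manual. As an added example (not from the original guide), the following script does the on-device half in one go: it reads the registry values the MDM client writes for the Removable Disk Deny Write Access and BitLocker settings, optionally forces the same DeviceEnroller sync the guide quotes, and then proves enforcement by attempting a zero-byte write to every removable volume. The registry path under RemovableStorageDevices (the Removable Disks setup-class GUID with a Deny_Write DWORD) is the same one Group Policy uses; the PolicyManager path is an assumption used only as a secondary hint.

```powershell
<#
  Verify-UsbWriteBlock.ps1 (added example, not part of the original guide).
  Checks that the Intune Device Control setting "Removable Disk Deny Write Access"
  has landed on this device and demonstrates it with a write probe.
  Usage (elevated PowerShell):  .\Verify-UsbWriteBlock.ps1 [-Sync]
#>
param([switch]$Sync)

# The Policy CSP Storage/RemovableDiskDenyWriteAccess setting is written by the MDM
# client to the location Group Policy uses for "Removable Disks: Deny write access".
# The GUID is the Removable Disks device setup class; Deny_Write = 1 means enforced.
$RemovableDiskPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# BitLocker "Deny write access to removable drives not protected by BitLocker".
$BitLockerPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# MDM client's own record of the applied policy (assumed path; treated as a hint only).
$PolicyManagerKey       = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UsbWriteBlockState {
    [pscustomobject]@{
        DenyWriteConfigured  = (Get-RegistryDword $RemovableDiskPolicyKey 'Deny_Write') -eq 1
        BitLockerDenyWrite   = (Get-RegistryDword $BitLockerPolicyKey 'RDVDenyWriteAccess') -eq 1
        MdmReportedDenyWrite = Get-RegistryDword $PolicyManagerKey 'RemovableDiskDenyWriteAccess'
    }
}

function Test-RemovableVolumeWrite {
    # Functional check: a zero-byte write to each removable drive should be refused when
    # the policy is enforced. Blocked = $true is the expected result. If the write does
    # succeed (policy not yet applied), the probe file is removed again.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $probe   = "$($_.DriveLetter):\intune-usb-block-probe.tmp"
        $blocked = $false
        try {
            [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
            $blocked = $true
        }
        [pscustomobject]@{ Drive = "$($_.DriveLetter):"; Blocked = $blocked }
    }
}

function Invoke-IntuneSync {
    # Same trigger the guide quotes: starts an MDM sync without waiting for the schedule.
    Start-Process "$env:SystemRoot\System32\DeviceEnroller.exe" -ArgumentList '/C /AutoEnrollMDM' -Wait
}

if ($Sync) { Invoke-IntuneSync }

$state = Get-UsbWriteBlockState
$state | Format-List
if (-not $state.DenyWriteConfigured) {
    Write-Warning 'Deny_Write is not set: the policy has not reached this device yet, or the device is not in the assigned group.'
}
Test-RemovableVolumeWrite | Format-Table -AutoSize
```

Run it once before the policy syncs and once after: the first run should show DenyWriteConfigured as False and Blocked as False for each removable drive, the second should show both as True. A drive that reports Blocked as False while DenyWriteConfigured is True usually means the volume was mounted before the policy applied; unplug and reconnect it.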

What This Policy Does and Doesn't Cover

  • ✅ Blocks write access to USB flash drives and external HDDs
  • ✅ Applies to all users on assigned devices regardless of who is logged in
  • ✅ Works on Windows 10 and Windows 11
  • ✅ No agent or additional software required, built into Windows via Defender
  • ❌ Does not block read access by default (use a separate OMA-URI policy for full read block)
  • ❌ Does not target specific USB vendors or product IDs (use Remediations for that)
  • ❌ Does not apply to non-enrolled or BYOD devices
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
