Block USB Drives Using Microsoft Intune Attack Surface Reduction Policies

Block USB drive access on Windows 10/11 using Microsoft Intune Attack Surface Reduction (ASR) Device Control policies. Step-by-step guide covering policy creation, write/read blocking configuration, group assignments, and deployment monitoring via Intune admin center.

Emanuel DE ALMEIDA | 3/13/2026 | 15 min read | Difficulty: medium | Topic: Intune | 10 steps

Overview

USB removable storage is a common vector both for data exfiltration and for bringing malware onto managed endpoints. The Device Control profile under Microsoft Intune's Attack Surface Reduction (ASR) node lets administrators enforce read and write restrictions on removable disks across Windows 10/11 endpoints without third-party tools. Keep the scope in mind: these settings restrict mass-storage volumes (drives that mount with a letter), not the USB bus itself. Keyboards, network adapters and HID-class attack devices are unaffected, and phones in MTP mode and CD/DVD drives are governed by their own settings in the same Storage section.

This guide covers the complete configuration: creating a Device Control policy in the Intune admin center, selecting the correct profile, configuring the Removable Disk deny settings, assigning the policy to Entra ID groups, and verifying deployment with PowerShell and the Intune dashboard.

Requirements: Windows 10/11 devices enrolled in Intune. The Removable Disk deny settings are Windows Policy CSP settings and apply to any enrolled device; the Defender device control rules used for per-device exceptions (step 09) additionally require Microsoft Defender for Endpoint, so a license that includes it (Microsoft 365 E5 is the usual case) is needed for the full procedure.
Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Attack Surface Reduction

Open your web browser and navigate to the Intune admin center. Sign in with an account that holds the Endpoint Security Manager role (or a custom role with Endpoint security permissions).

https://endpoint.microsoft.com

This address still works but now redirects to https://intune.microsoft.com, so bookmark the latter. Once logged in, select Endpoint security in the left sidebar, then Attack surface reduction. This node holds the ASR rule policies and the Device Control profiles used in this guide.

Pro tip: The admin center layout changes frequently; if a menu item has moved, use the search box at the top of the portal.

Verification: You should see the Attack surface reduction dashboard with options to create new policies and view existing ones.

02

Create a New Device Control Policy

Click the + Create Policy button to start creating your USB blocking policy. You'll be presented with platform and profile options.

Configure the following settings:

  • Platform: Select "Windows 10, Windows 11, and Windows Server"
  • Profile: Choose "Device Control"

Click Create to proceed to the policy configuration wizard.

Warning: Pick the platform carefully. The Removable Disk deny settings in this profile are delivered through the Windows Policy CSP and apply to any enrolled Windows 10/11 device; the Defender device control settings in the same profile (reusable settings, step 09) only take effect where Microsoft Defender for Endpoint is onboarded.

Verification: The policy creation wizard should open with the "Basics" tab active.

03

Configure Basic Policy Information

On the Basics tab, provide essential information about your policy:

  • Name: Enter a descriptive name like "Block USB Write Access - Corporate Devices"
  • Description: Add details such as "Prevents write access to USB drives to protect against data exfiltration and malware introduction"

Click Next to proceed to the configuration settings.

Pro tip: Use clear, descriptive names that indicate the policy's purpose and scope. This helps with management when you have multiple policies.

Verification: The "Configuration settings" tab should now be active, showing various device control options.

04

Configure USB Drive Blocking Settings

On the Configuration settings tab, locate the Storage section. This is where the removable disk controls live.

For basic USB write blocking, configure:

  • Removable Disk: Deny Write Access: Set to Enabled

For complete USB blocking (read and write), also enable:

  • Removable Disk: Deny Read Access: Set to Enabled

Configuration Example:
- Removable Disk: Deny Write Access = Enabled
- Removable Disk: Deny Read Access = Not configured (reading still allowed)
- Other storage options = Not configured

Click Next to proceed to assignments.

Warning: Enabling both read and write denial blocks all access to removable disks; test thoroughly before deploying to production. Note also what write-only blocking does not do: users can still read and execute files from a drive, so it stops exfiltration but not malware introduction. If phones (MTP/WPD) and optical media are also in scope, the corresponding "WPD Devices" and "CD and DVD" deny settings in the same Storage section must be set separately.

Verification: Your selected options should show as "Enabled" in the configuration summary.

05

Assign the Policy to Target Groups

On the Assignments tab, you need to specify which devices or users will receive this policy. Click + Add groups to select your target groups.

Choose from:

  • Device groups: Entra ID security groups containing Windows devices
  • User groups: Groups containing users whose devices should receive the policy

For testing, start with a small pilot group:

Example Assignment:
- Include: "IT-Pilot-Devices" (security group with 5-10 test devices)
- Exclude: "IT-Admin-Devices" (admin devices that need USB access)

Click Next to review your configuration.

Pro tip: Always test with a pilot group first, and keep separate security groups for pilot and production rollouts. Keep the include and exclude groups of the same type: Intune does not support excluding a user group from a device-group assignment (or the reverse), so in the example above both groups must be device groups.

Verification: Your selected groups should appear in the "Included groups" section with the correct member count.

06

Review and Create the Policy

On the Review + create tab, carefully review all your policy settings:

  • Policy name and description
  • Platform and profile type
  • Configuration settings (USB blocking options)
  • Group assignments

If everything looks correct, click Create to deploy the policy.

The policy now appears in your Attack surface reduction policies list; its device and user status counters fill in as assigned devices check in.

Warning: Once created, the policy is delivered at each assigned device's next MDM check-in. A freshly enrolled device checks in frequently, but a device at steady state only checks in about every 8 hours unless you force a sync (step 07). Make sure the assignments are correct before creating, because a wrong include group cannot be "un-sent" once devices have pulled it.

Verification: The new policy should appear in your policies list with the correct name and assignment count.

07

Force Device Synchronization and Monitor Deployment

To speed up policy deployment, force synchronization on target devices. Navigate to Devices > All devices in the Intune admin center.

For each test device:

  1. Select the device from the list
  2. Click Sync in the device overview
  3. Wait for the sync to complete (usually 1-2 minutes)

You can also check sync status from PowerShell on the target device. The enrollment client's tasks live under the \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ folder, so filter on TaskPath rather than TaskName:

# Check last run and result of the MDM enrollment client's tasks
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult

# Force an immediate sync (run as administrator). PushLaunch is the task the
# Intune push notification fires, so starting it has the same effect as the Sync button.
Get-ScheduledTask -TaskName 'PushLaunch' | Start-ScheduledTask

Monitor deployment status in Endpoint security > Attack surface reduction by clicking on your policy and viewing the device status.

Pro tip: A Windows device checks in every few minutes right after enrollment, then roughly every 8 hours, so an unforced deployment can take most of a working day to reach every device. A forced sync or a restart (which triggers a check-in) brings that down to minutes.

Verification: Device status should show "Succeeded" for successfully deployed policies.

08

Test USB Drive Blocking Functionality

Once the policy is deployed, test the USB blocking functionality on a target device:

  1. Insert a USB drive into the test device
  2. Attempt to copy a file to the USB drive
  3. Verify that write access is denied

Check the Windows Event Viewer if you also deploy ASR rules, but do not expect an event for the USB block itself:

# Open Event Viewer and navigate to:
# Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

# ASR rule block (1121) and audit (1122) events. The Removable Disk deny settings are
# Policy CSP settings, not ASR rules, so a blocked USB write does not generate these;
# use this query only to confirm ASR rules you deployed alongside the policy.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1121,1122} -MaxEvents 10 -ErrorAction SilentlyContinue

You can also list the USB mass storage devices currently attached:

# List attached USB mass storage devices (USBSTOR instance IDs)
Get-PnpDevice -Class DiskDrive -PresentOnly | Where-Object InstanceId -like 'USBSTOR\*' |
    Format-Table FriendlyName, InstanceId, Status -AutoSize

Warning: If the policy isn't working, first confirm the device has synced since the policy was created; for the reusable-settings exceptions in step 09, also confirm Microsoft Defender Antivirus is active and the device is onboarded to Defender for Endpoint.

Verification: Write operations to the drive should fail with "Access is denied" (Explorer may report the disk as write-protected). No Defender event is expected for this setting; the registry and a write attempt are the evidence.
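To turn the manual test above into something repeatable, here is an added verification script (not from the original article) that reads back what the device enforces and then probes every mounted removable volume for read and write access. It assumes, as the page does not state, that the Intune "Removable Disk: Deny Write/Read Access" settings map to the Policy CSP values Storage/RemovableDiskDenyWriteAccess and Storage/RemovableDiskDenyReadAccess, which Windows mirrors into the Group Policy key for the removable-disk device class; the probe file name is arbitrary. Run it in an elevated Windows PowerShell session on the test device with a USB drive attached.

```powershell
# Added example, not part of the original article. Assumptions: the Intune settings
# land under the PolicyManager Storage key and the removable-disk GP key below (1 = deny).
$CspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskPolicy {
    # What the device currently enforces, from both registry views. Missing key = 0 (not configured).
    $csp = Get-ItemProperty -Path $CspKey -ErrorAction SilentlyContinue
    $gpo = Get-ItemProperty -Path $GpoKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CspDenyWrite = [int]$csp.RemovableDiskDenyWriteAccess
        CspDenyRead  = [int]$csp.RemovableDiskDenyReadAccess
        GpoDenyWrite = [int]$gpo.Deny_Write
        GpoDenyRead  = [int]$gpo.Deny_Read
    }
}

function Test-RemovableDiskAccess {
    # Probe every mounted removable volume (DriveType 2): list the root to test read,
    # create and delete a small file to test write. Denials are reported, not swallowed.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    if (-not $drives) { Write-Warning 'No removable volume is mounted.'; return }
    foreach ($d in $drives) {
        $root  = $d.DeviceID + '\'
        $probe = Join-Path $root ('usb-policy-probe-{0}.txt' -f [guid]::NewGuid())

        $read = 'ALLOWED'
        try { $null = Get-ChildItem -LiteralPath $root -ErrorAction Stop } catch { $read = 'DENIED' }

        $write = 'ALLOWED'
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch { $write = "DENIED ($($_.Exception.Message))" }

        [pscustomobject]@{ Drive = $d.DeviceID; Read = $read; Write = $write }
    }
}

Get-RemovableDiskPolicy  | Format-List
Test-RemovableDiskAccess | Format-Table -AutoSize
```

If the CSP values read 1 but the write still succeeds, the policy arrived but the session predates it; sign out and back in or restart. If the CSP values are absent, the device has not received the policy at all, which points at assignment or sync rather than enforcement.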

09

Configure Advanced Settings and Exceptions (Optional)

For more granular control, you can create reusable settings with specific device exceptions. Navigate back to your Device Control policy and edit the configuration.

To create exceptions for specific USB devices:

  1. In the policy configuration, click + Add under Reusable settings
  2. Name the setting (e.g., "Approved USB Devices")
  3. Under Device controller, click + Add
  4. Select Removable storage
  5. Add specific device Instance IDs or serial numbers for exceptions

Find the identifiers of attached USB disks with PowerShell. The PNPDeviceID of the disk is what the reusable setting calls the Instance path ID; the VID/PID pair is found on the disk's parent USB device:

# Identifiers of attached USB disks for the exception list
Get-CimInstance Win32_DiskDrive -Filter "InterfaceType = 'USB'" | ForEach-Object {
    # Parent USB device carries the vendor/product IDs (USB\VID_xxxx&PID_xxxx\serial)
    $parent = (Get-PnpDeviceProperty -InstanceId $_.PNPDeviceID -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
    [pscustomobject]@{
        Model          = $_.Model
        SerialNumber   = $_.SerialNumber
        InstancePathId = $_.PNPDeviceID
        ParentUsbId    = $parent
    }
} | Format-Table -AutoSize

Pro tip: Prefer the firmware serial number for exceptions. Drives that ship without one get a Windows-generated instance ID (recognisable by an ampersand as the second character of the serial part) that differs from machine to machine, so those can only be matched by vendor/product ID, which allows every drive of that model.

Verification: Excepted devices should keep full read/write access while other USB drives remain blocked.

10

Monitor Policy Compliance and Troubleshoot Issues

Regularly monitor your USB blocking policy's effectiveness through the Intune admin center. Navigate to Endpoint security > Attack surface reduction and click on your policy.

Review the following metrics:

  • Device status: Shows successful, failed, and pending deployments
  • User status: Displays policy application per user
  • Per-setting status: Details which specific settings succeeded or failed

Common troubleshooting steps for policy failures, run on the affected device:

# Check Microsoft Defender Antivirus status (needed for the Defender device control rules)
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled

# ASR rule state, only relevant if you deploy ASR rules alongside the Device Control profile
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

If devices show the policy as Pending or Error:

  1. Verify the device is properly enrolled in Intune
  2. For reusable-settings exceptions, check that Microsoft Defender for Endpoint is onboarded and running
  3. Force a device sync and wait 10-15 minutes
  4. Restart the device if necessary

Warning: Inconsistent application of the exception rules usually indicates licensing issues or an incomplete Defender for Endpoint deployment. The basic Removable Disk deny settings do not depend on Defender, so if those fail too, look at enrollment and assignment first.

Verification: Within a day of deployment every correctly enrolled, assigned device should report Succeeded for the policy; a lasting Pending or Error state indicates a problem on that device, not a propagation delay.
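The checks above are scattered across several tools; the following added diagnostic script (not from the original article) gathers them in one run on a device that is not receiving the policy: Intune enrollment, last MDM sync results, Defender health, and whether the Storage policy values are present, then triggers a sync. It assumes, as the page does not state, that Intune enrollments are recorded under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server", that the enrollment client's tasks live under \Microsoft\Windows\EnterpriseMgmt\, that the PushLaunch task is what a push-triggered sync starts, and that the delivered settings appear under PolicyManager\current\device\Storage. Run it elevated in Windows PowerShell.

```powershell
# Added example, not part of the original article. Registry paths, task names and
# the ProviderID value are assumptions stated in the text above.

function Get-MdmEnrollment {
    # Intune enrollments carry ProviderID 'MS DM Server'; other entries are local or WIP.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } }, UPN, ProviderID
}

function Get-MdmSyncStatus {
    # Last run time and result code of each enrollment client task (0 = success).
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{ Task = $_.TaskName; LastRun = $info.LastRunTime; LastResult = $info.LastTaskResult }
        }
}

function Get-DefenderHealth {
    Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AMEngineVersion
}

function Get-UsbPolicyState {
    # Returns $null when no Storage policy has been delivered to this device.
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage' -ErrorAction SilentlyContinue |
        Select-Object RemovableDiskDenyWriteAccess, RemovableDiskDenyReadAccess
}

'== Intune enrollment =='
$enrollment = Get-MdmEnrollment
if ($enrollment) { $enrollment | Format-Table -AutoSize } else { 'Not enrolled in Intune: fix enrollment before anything else.' }

'== MDM sync tasks =='
Get-MdmSyncStatus | Format-Table -AutoSize

'== Defender =='
Get-DefenderHealth | Format-List

'== Storage policy (Policy CSP) =='
$policy = Get-UsbPolicyState
if ($policy) { $policy | Format-List } else { 'No Storage policy present: not delivered yet, or this device is not in an included group.' }

# Kick off a sync now; re-run this script after a few minutes and compare.
Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue | Start-ScheduledTask
```

Read the sections in order: no enrollment means the admin center cannot reach the device at all; a recent successful sync with no Storage policy means the device is simply not targeted; a present policy with a failing enforcement test points at the session or at a competing local policy rather than at Intune.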

Frequently Asked Questions

How long does it take for Microsoft Intune USB blocking policies to apply to devices?
The policy is delivered at the device's next MDM check-in. A newly enrolled Windows device checks in every few minutes for the first hours, but a device at steady state checks in about every 8 hours, so an unforced rollout can take most of a day. You can force an immediate check-in by selecting the device in the Intune admin center and clicking Sync; a restart also triggers one. Track application through the policy's device status view.

Can administrators bypass USB blocking policies created in Microsoft Intune?
The Device Control profile has no built-in administrator exception; a local administrator on a policy-managed device is blocked like any other user. To give admins access, put their devices in a separate security group and exclude it from the policy assignment (keeping include and exclude groups of the same type), or configure device-specific exceptions through reusable settings using the serial numbers or instance path IDs of approved USB drives.

What's the difference between blocking USB write access versus complete USB blocking in Intune?
Denying write access stops users from copying data to USB drives while still letting them read and run files from them, which covers software installation and documentation use cases but not malware introduction. Denying both read and write blocks all interaction with removable disks, giving the strongest protection at the cost of legitimate workflows. Most organizations start with write-only blocking and tighten later.

How do you troubleshoot when Intune USB blocking policies aren't working on some devices?
First confirm the device is enrolled in Intune and has synced since the policy was created, forcing a sync from the admin center or by starting the enrollment client's PushLaunch scheduled task. Then check that the Removable Disk values are present under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Storage; if they are absent, the device is not targeted or has not synced. For reusable-settings exceptions, verify Microsoft Defender Antivirus is enabled with Get-MpComputerStatus and that the device is onboarded to Defender for Endpoint. A restart often clears a policy that arrived but is not yet enforced in the current session.

What are the licensing requirements for using Microsoft Intune USB device control policies?
The Removable Disk deny read/write settings are Windows Policy CSP settings delivered by Intune itself, so they work on any Intune-enrolled Windows 10/11 device. The Defender device control features used for per-device exceptions (reusable settings) require Microsoft Defender for Endpoint, which Microsoft 365 E5 includes; check your own license for Defender for Endpoint entitlement before relying on exceptions.
Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
