I'm moving from GPOs and SCCM to Intune, and I’ve been searching for the best way to block USB storage devices but not impact the other USB scanners, sigpads, etc. that we use.
Microsoft Defender has some options to block or protect USB storage. I need to totally block them, and this method of dealing with USB device IDs is not a road I want to go down.
The second option I found was from a blog by Prajwal Desai. I created a custom policy and it worked. But it allows the USB device to connect, and you can copy files from the USB stick but not write back to it. Better than nothing, but not what I was looking for.
Finally, number three looks like it will do what I need. It's working on my test group; now to move my testing to the pilot group and test the allow USB storage device policy.
If you want to disable USB storage using the registry, this method works great; the device doesn’t even show up under ‘My Computer’.