Blocking USB storage devices with Intune

I'm moving from GPOs and SCCM to Intune, and I've been searching for the best way to block USB storage devices but not impact the other USB scanners, sigpads, etc. that we use.

Microsoft Defender has some options to block or protect USB storage. I need to totally block them, and this method of dealing with USB device IDs is not a road I want to go down.

How to control USB devices and other removable media using Intune (Windows 10) | Microsoft Docs

The second option I found was from a blog by Prajwal Desai. I created a custom policy and it worked. But it allows the USB device to connect, and you can copy files from the USB stick but not write back to it. Better than nothing, but not what I was looking for.

Microsoft Intune – Restrict Copying Corporate Data To USB Device (prajwaldesai.com)

Finally, number three looks like it will do what I need. It's working on my test group; now to move my testing to the pilot group and test the allow USB storage device policy.

Blocking Removable storage access in Microsoft Intune (with possible exceptions) – Marcin Szafrankiewicz

Bonus link:

If you want to disable USB storage using the registry, this method works great; the device doesn't even show up under 'My Computer'.

How to Disable the Use of USB Storage Devices in Windows 10 (isumsoft.com)
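
A script for auditing and enforcing the registry approach mentioned above, added here as an example; it is not code from this post or from the linked article. It assumes the block is made by setting the `Start` value of the USB storage driver services to 4 (disabled); the `UASPStor` service name and the `-Remediate` switch are assumptions of this example.

```powershell
[CmdletBinding()]
param(
    # Without this switch the script only reports (audit mode).
    # Writing the value requires an elevated or SYSTEM context.
    [switch]$Remediate
)

# Storage drivers to keep from loading. Start = 4 means "disabled".
# USBSTOR is the USB mass-storage driver. UASPStor is included on the
# assumption that USB Attached SCSI drives load it instead of USBSTOR.
$services     = 'USBSTOR', 'UASPStor'
$disabled     = 4
$nonCompliant = 0

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if (-not (Test-Path -Path $key)) {
        Write-Output "$name : service key not present, nothing to do"
        continue
    }

    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

    if ($start -eq $disabled) {
        Write-Output "$name : already disabled"
        continue
    }

    if ($Remediate) {
        Set-ItemProperty -Path $key -Name Start -Value $disabled -Type DWord
        Write-Output "$name : Start changed from '$start' to $disabled"
    }
    else {
        Write-Output "$name : Start is '$start' (driver can load)"
        $nonCompliant++
    }
}

# Exit code 1 signals "not compliant" to whatever runs the audit.
if ($nonCompliant -gt 0) { exit 1 } else { exit 0 }
```

Run it without `-Remediate` first to see the current state of each device, then verify the result with a freshly plugged drive, since the `Start` value is read when the driver is next loaded.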