Block Removable Storage with Microsoft Intune

Today in this blog post, we will see how we can leverage Intune to block removable storage drives on the managed Windows 10 endpoints.

But before that, let’s understand why removable storage drives are blocked on many workplaces.

Why many organizations prevent the use of removable storage drives on corporate endpoints

“USB drives offer many advantages for quick and convenient data sharing being compact and handy, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to threats if left unprotected”

• Removable USB drives are almost always an easy carrier of malwares

An infected drive being plugged into a corporate workstation intentionally or unintentionally, can wreak havoc. Depending on the malware type, be it a ransomware which locks down your entire system, or a silent malware that infects your machine quietly, it can do huge damage by the time you’d have noticed it. Such incidents also impacts an organization’s credibility.

The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.

• Removable USB drives are a medium for data breach

Data loss via USB thumb drives isn’t something new. Organizations that allows employees to use USB removable drives to store sensitive information (for work) are always at the risk of data loss if there is no proper data loss control measures in place.

What's more important is that such data breaches often don't get reported and as such remains unnoticed unless it becomes a news headline like the Heathrow airport incident where an airport staff lost a USB stick containing "sensitive personal data" which was later found by a member of the public.

In today’s digital world, the issues of data privacy and data security are a source of significant concern for every organization, regardless of industry.

The concern is not just limited to GDPR/Ransomware but also an organization’s credibility to safeguard its data.

Create Intune policy to disable the use of removable storage drives

In the MEM admin center,

• Navigate to Endpoint security >> Attack surface reduction
• Click Create Policy

• Select Windows 10 and later as Platform
• Choose Device control as Profile
• Click Create

• Give a Name and Description
• Click on Next

You will now have the list of configuration items available. Scroll to find Block removeable storage and set it to Yes

• Add the necessary Scope tag and Assignment and finally click on Create

That’s all from the Intune end. Let’s now see what the user-experience will be like.

End-user Experience

On the test device, you can confirm if the policy has been applied by checking

• the Windows registry as shown below

• or via the MDM Diagnostic report as shown below

Once confirmed that the policy has been applied to the endpoint, if you plug in a USB removable storage drive and try to access it, File Explorer will give you the Drive is not accessible pop-up stating Access is denied.

Here we have not configured any other USB restrictions and as such, the USB ports will continue to function to support other USB devices.

Things to consider – Intune Policy Tattooing

As Microsoft mentions in their documentation

When a profile is removed or no longer assigned to a device, different things can happen, depending on the settings in the profile. The settings are based on the Configuration Service Providers (CSPs), and each CSP can handle the profile removal differently.

Thus, once a particular setting is configured via an Intune MDM policy, by

• removing the policy assignment, or
• putting the user/device in exclusion from the policy assignment,

depending on the CSP responsible to handle the configuration, we may see the particular setting in context will either

• continue to maintain the existing configured state and does not revert back to the OS default unless explicitly set otherwise.

• or it will revert back to the Not configured state (or OS defaults).

The former is what we refer to as policy tattooing and every Intune admin needs to be aware of the same.

In such cases, removing policy assignment or excluding device/user from policy assignment does not mean that the restriction no longer applies to the device. It means that it’s no longer enforced.

Previously all the CSPs followed the tattooing model, but MS worked to change this behavior in Windows and now we do not see the tattooing effect for all the CSPs in general. However, I am not sure from which exact Windows version this was introduced and till what Windows version this will be backported.

Thus, depending on your Windows 10 version, you may get to see/experience different results.

As such, it is very much possible to end up with a tattooed policy as explained above and in such cases, the only resolution would be to assign a new policy in which the setting in context is set to Not configured.

The blocking of removable storage drive is handled via Policy CSP System/AllowStorageCard and in general, as explained above, I have not seen the tattooing behavior for this on my test devices running Windows 10 2004 and 20H2.

If you are on a different Windows version and experience the tattooing behavior, you would then need to explicitly allow the use of removable storage on that device.

This can be easily done with a custom OMA-URI profile configured as below and targeted to the particular device.

OMA-URI	./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard
Data Type	Integer
Value	1

Wrap Up

“Trust takes a lifetime to build but only seconds to break…”

Removable storage devices are one of the most common attack vectors for data breaches. If as an organization, you don’t have the right policies in place, USB drives can potentially be the cause of the downfall of your data security strategy making the organization the next data breach headline.

Don’t be a victim. When it comes to your organization’s security, active prevention is the best strategy.