Deny Write access to USB drives with MEM Intune


In my last blog post, I talked about how you can block users from using removable storage devices on your MEM-managed Windows 10 devices. However, at times, it may seem to be too restrictive.

What if your only intention is to prevent data loss and thus want to disable any data from being written to the removable storage device, but still want to allow it to be accessed and data being read from it?

Today in this blog post, we will look at three different ways to deny write access to external storage devices on MEM Intune-managed Windows 10 endpoints. Let's get started.

Way 1: Deny write access to USB drives not protected by Bitlocker with Intune

While configuring Bitlocker policy in Intune, you may have noticed the below section

Deny write access to USB drives not protected by Bitlocker with Intune

If you have your Bitlocker policy already configured and deployed and don’t want to modify it, the same can also be configured via Settings Catalog (as a separate policy from Intune) as part of the policy setting Deny write access to drives not protected by BitLocker located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

Deny write access to USB drives not protected by Bitlocker with Intune via a separate Settings Catalog profile

I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.

Check profile deployment status from MEM portal

On the endpoint, when this policy is in effect, removable data drives that are not BitLocker-protected are mounted as read-only. If the drive is protected by BitLocker (by the same organization only!), it is mounted with read and write access.

End-User Experience

When a removable storage drive is detected and it is not already protected by BitLocker (by the same organization that manages the endpoint), the user gets the below prompt and has to choose: either encrypt the drive so that data can be copied to it, or skip encryption and use it as a read-only device.

End-User Experience – Deny write access to USB drives not protected by Bitlocker with Intune

If the user chooses NOT to encrypt the drive and then tries a COPY-PASTE action from System -> Removable Drive, this is what gets displayed.

Deny write access to USB drives not protected by Bitlocker with Intune

This is also the behavior a user should expect when the removable drive is protected with BitLocker but by another organization. After unlocking the drive, it is mounted as read-only, so any COPY-PASTE action from System -> Removable Drive results in a similar write-protected prompt.

A good thing to note is that as per my testing, I did not encounter a policy tattooing issue when I removed the profile assignment.

Way 2: Deny write access to USB drives using Settings Catalog with Intune

We can achieve the requirement via Settings Catalog as part of the policy setting “Removable Disk Deny Write Access” as shown below.

Deny write access to USB drives using Settings Catalog with Intune

I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.

Check profile deployment status from MEM portal

On the endpoint, you can check policy deployment via Event Viewer – DeviceManagement-Enterprise-Diagnostics-Provider

Check policy deployment via Event Viewer – DeviceManagement-Enterprise-Diagnostics-Provider

You can also check the policy deployment via Windows Registry as usual.

Check the policy deployment via Windows Registry – RemovableDiskDenyWriteAccess

Once you have confirmed that the policy setting has been written under PolicyManager, you can see it taking effect at its actual location, shown below.

Check the policy deployment via Windows Registry – HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
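The checks described for Way 1 (BitLocker policy) and Way 2 (Event Viewer and the two registry locations) can be done from one script instead of clicking through the endpoint. The following PowerShell is an added example, not from the original post. It assumes the standard locations: the FVE policy values RDVDenyWriteAccess and RDVDenyCrossOrg for Way 1, the PolicyManager mirror under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Storage, the removable-disk device class subkey {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} with its Deny_Write value under RemovableStorageDevices, and event IDs 813/814 as the MDM "set policy" events in the Admin log; verify these against your build if anything comes back empty.

```powershell
<#
  Added verification script (not part of the original post).
  Assumptions (labelled): registry value names and the {53f5630d-...} subkey are the
  standard locations used by the BitLocker ADMX, the PolicyManager CSP mirror and the
  RemovableStorage ADMX; event IDs 813/814 are the MDM policy-set events.
  Run from an elevated PowerShell session on the managed endpoint.
#>

function Get-RemovableWritePolicyState {
    [CmdletBinding()]
    param(
        # Optional drive letter of an attached removable drive to probe, e.g. 'E'
        [string]$ProbeDriveLetter
    )

    $result = [ordered]@{}

    # Way 1: BitLocker "Deny write access to removable drives not protected by BitLocker"
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $result.BitLockerRDVDenyWriteAccess = (Get-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    $result.BitLockerRDVDenyCrossOrg    = (Get-ItemProperty -Path $fve -Name 'RDVDenyCrossOrg'    -ErrorAction SilentlyContinue).RDVDenyCrossOrg

    # Way 2/3: PolicyManager mirror of Storage/RemovableDiskDenyWriteAccess (assumed path)
    $pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    $result.PolicyManagerRemovableDiskDenyWriteAccess = (Get-ItemProperty -Path $pm -Name 'RemovableDiskDenyWriteAccess' -ErrorAction SilentlyContinue).RemovableDiskDenyWriteAccess

    # Effective location the OS enforces: removable disk device class GUID subkey (assumed)
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $result.RemovableStorageDevicesDenyWrite = (Get-ItemProperty -Path $rsd -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write

    # Recent MDM policy-set events that mention the setting
    $result.RecentPolicyEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 813, 814
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RemovableDiskDenyWriteAccess' } |
        Select-Object TimeCreated, Id, Message

    # Optional harmless write probe: create and immediately remove a temp file on the drive.
    # When the policy is in effect the New-Item call fails with a write-protected / access denied error.
    if ($ProbeDriveLetter) {
        $probe = Join-Path "${ProbeDriveLetter}:\" ("intune-write-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $result.ProbeWriteAllowed = $true
        } catch {
            $result.ProbeWriteAllowed = $false
            $result.ProbeError = $_.Exception.Message
        }
    }

    [pscustomobject]$result
}

# Usage: Get-RemovableWritePolicyState -ProbeDriveLetter 'E'
```

A value of 1 in the PolicyManager mirror together with Deny_Write = 1 under RemovableStorageDevices means Way 2 or Way 3 has applied; a probe result of ProbeWriteAllowed = $false on an unencrypted drive is the same outcome the end user sees as the write-protected prompt. After removing the profile assignment, re-run the function to confirm the values are gone, which is the tattooing check the post describes.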

End-User Experience

A COPY-PASTE action from System -> Removable Drive results in the below prompt.

End-User Experience – Deny write access to USB drives via Settings Catalog

Even if you have local admin rights, clicking on Continue will result in the below prompt.

End-User Experience – Deny write access to USB drives via Settings Catalog

Whether the user has a Standard or a Local Admin account, they won't be able to write to the removable disk while the policy is in effect.

Again, it is good to note that removing the assignment of this profile does not lead to policy tattooing: as I have seen during my testing, the setting is reverted on the endpoint.

Way 3: Deny write access to USB drives using Custom OMA-URI

Create a custom OMA-URI profile with the below details.

  • Name: Deny write access to USB
  • Description: <anything; this field is not required>
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
  • Data Type: Integer
  • Value: 1

Deny write access to USB drives using Custom OMA-URI
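The same custom OMA-URI profile can be created through Microsoft Graph rather than the portal, which is useful when the setting has to be reproduced across tenants or kept in source control. The following PowerShell is an added example, not the post's own code; it assumes the Microsoft.Graph.Authentication module is installed, the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and the group id passed to the assignment function is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): create and assign the Way 3 custom OMA-URI
# profile via Microsoft Graph with the Microsoft.Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Authentication installed; account has
# DeviceManagementConfiguration.ReadWrite.All; profile name/description and group id are placeholders.

Import-Module Microsoft.Graph.Authentication

function New-DenyUsbWriteCustomProfile {
    param(
        [string]$DisplayName = 'Deny write access to USB',
        [string]$Description = 'Sets Storage/RemovableDiskDenyWriteAccess = 1 (example profile)'
    )

    # Body mirrors the portal fields: one integer OMA-URI setting with value 1
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = $Description
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'RemovableDiskDenyWriteAccess'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess'
                value         = 1
            }
        )
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Set-DeviceConfigurationGroupAssignment {
    param(
        [Parameter(Mandatory)][string]$ConfigurationId,
        [Parameter(Mandatory)][string]$GroupId   # placeholder: your Azure AD group object id
    )

    $body = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$ConfigurationId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Usage (interactive sign-in):
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$newProfile = New-DenyUsbWriteCustomProfile
Set-DeviceConfigurationGroupAssignment -ConfigurationId $newProfile.id -GroupId '<your-group-object-id>'
```

The returned object's id is the deviceConfiguration id shown in the portal URL; after assignment, the profile state on a synced device should show as Succeeded exactly as with the portal-created profile.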

I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.

Check profile deployment status from MEM portal

You can track the policy deployment on the endpoint using the usual methods as already shown above.

End-User Experience

End-user experience is essentially similar to what we have already seen with Way 2 above. [Essentially this is configuring the same policy!]

As such, COPY-PASTE action from System -> Removable Drive results in the below prompt.

End-User Experience – Deny write access to USB drives using Custom OMA-URI

The End

In the modern workplace, just about every member owns and uses at least one USB storage device. However, the portability and widespread adoption of USB storage devices pose a significant security threat, and as an organization, it's important to safeguard critical business data and prevent data loss.

Reference: