In my last blog post, I talked about how you can block users from using removable storage devices on your MEM-managed Windows 10 devices. However, at times, that may be too restrictive.
What if your only intention is to prevent data loss, so you want to stop any data from being written to a removable storage device but still want to allow the device to be accessed and data to be read from it?
In this blog post, we will look at 3 different ways to deny write access to external storage devices on MEM (Intune) managed Windows 10 endpoints. Let’s get started.
Way 1: Deny write access to USB drives not protected by Bitlocker with Intune
While configuring the BitLocker policy in Intune, you may have noticed the section below.
If you already have your BitLocker policy configured and deployed and don’t want to modify it, the same control can also be configured via the Settings Catalog (as a separate policy in Intune) using the policy setting Deny write access to drives not protected by BitLocker, located under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.
I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.
On the endpoint, when this policy is in effect, removable data drives that are not BitLocker-protected are mounted as read-only. If the drive is protected by BitLocker (and only if it was protected by the same organization!), it is mounted with read and write access.
End-User Experience
When a removable storage drive is detected and it is not already protected by BitLocker (from the same organization that manages the endpoint), the user gets the prompt below to choose from: either encrypt the drive in order to copy data to it, or don’t encrypt it and use it as a read-only device.
If the user chooses NOT TO ENCRYPT the drive and then tries a COPY-PASTE action from System -> Removable Drive, this is what gets displayed.
This is also the behavior a user should expect when the removable drive is protected with BitLocker but by another organization. After unlocking the drive, it is mounted as read-only, so any COPY-PASTE action from System -> Removable Drive results in a similar write-protected prompt.
A good thing to note is that, as per my testing, I did not encounter a policy tattooing issue when I removed the profile assignment.
Way 2: Deny write access to USB drives using Settings Catalog with Intune
We can achieve the requirement via the Settings Catalog using the policy setting “Removable Disk Deny Write Access”, as shown below.
I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.
On the endpoint, you can check the policy deployment via Event Viewer, under DeviceManagement-Enterprise-Diagnostics-Provider.
You can also check the policy deployment via the Windows Registry as usual.
Once you have confirmed that the policy setting has been written under the PolicyManager key, you can see the setting taking effect in its actual enforcement location, as shown below.
End-User Experience
A COPY-PASTE action from System -> Removable Drive results in the prompt below.
Even if you have local admin rights, clicking Continue results in the prompt below.
The user, whether on a Standard or a Local Admin account, won’t be able to write to the removable disk as long as the policy is in effect.
Again, a good thing to note is that removing the assignment of this profile does not lead to policy tattooing issues, as the setting is reverted on the endpoint, as I have seen during my testing.
Way 3: Deny write access to USB drives using Custom OMA-URI
Create a custom OMA-URI profile with the details below.
- Name:
Deny write access to USB
- Description:
<Anything as it is not Required type>
- OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
- Data Type:
Integer
- Value:
1
I created a profile using the above and deployed it to my device. Quick sync and I can see the profile state as Succeeded from the portal.
You can track the policy deployment on the endpoint using the usual methods already shown above.
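As an added example (not code from the original post), the PowerShell below checks from the endpoint which of the three controls (Way 1 BitLocker, Way 2 Settings Catalog, Way 3 custom OMA-URI) is actually present in the registry, and then confirms enforcement by attempting a harmless write to each mounted removable volume. The registry paths and value names (PolicyManager\current\device\Storage, the RemovableStorageDevices GUID key with Deny_Write, and FVE\RDVDenyWriteAccess / RDVDenyCrossOrg) are assumptions taken from public Policy CSP and Group Policy documentation; the post itself does not list them.

```powershell
# Added example: verify removable-drive write-deny controls on a Windows endpoint.
# Registry locations below are assumptions from public CSP/GPO docs, not from the post.
function Get-RemovableWriteDenyState {
    [CmdletBinding()]
    param()

    # Way 2 and Way 3 both land here (Policy CSP area "Storage")...
    $cspPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
    # ...and are enforced from the classic removable-storage policy key (Deny_Write = 1).
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    # Way 1 is a BitLocker (FVE) policy: RDVDenyWriteAccess = 1 (RDVDenyCrossOrg = 1 blocks other-org drives).
    $fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Returns $null instead of throwing when the key or value is absent (policy not applied).
    $read = {
        param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    [pscustomobject]@{
        CspRemovableDiskDenyWriteAccess = & $read $cspPath 'RemovableDiskDenyWriteAccess'
        GpoDenyWrite                    = & $read $gpoPath 'Deny_Write'
        BitLockerRDVDenyWriteAccess     = & $read $fvePath 'RDVDenyWriteAccess'
        BitLockerRDVDenyCrossOrg        = & $read $fvePath 'RDVDenyCrossOrg'
    }
}

function Test-RemovableDriveWritable {
    # Tries to create and delete a tiny temp file on every removable volume with a drive letter.
    # With the policy in effect the write fails (write-protected), so Writable comes back $false.
    param([string]$FileName = 'intune-writetest.tmp')
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $target   = Join-Path "$($_.DriveLetter):\" $FileName
        $writable = $true
        $reason   = $null
        try {
            Set-Content -Path $target -Value 'write test' -ErrorAction Stop
            Remove-Item -Path $target -ErrorAction SilentlyContinue
        } catch {
            $writable = $false
            $reason   = $_.Exception.Message   # capture inside catch; $_ is the error record here
        }
        [pscustomobject]@{ Drive = "$($_.DriveLetter):"; Writable = $writable; Reason = $reason }
    }
}

Get-RemovableWriteDenyState
Test-RemovableDriveWritable
```

Run it in an elevated PowerShell after the Intune sync: a value of 1 in the matching row tells you which way applied the policy, and a Writable of False on the removable drive confirms it is being enforced.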
End-User Experience
The end-user experience is essentially the same as what we have already seen with Way 2 above. [Essentially this is configuring the same policy!]
As such, a COPY-PASTE action from System -> Removable Drive results in the prompt below.
The End
In the modern workplace, just about every member owns and uses at least one USB storage device. Nonetheless, the portability and widespread adoption of USB storage devices pose a significant security threat, and as an organization, it’s important to safeguard critical business data and prevent data loss.