Overview
This knowledge base article provides step-by-step instructions for allowing read-only access, and denying write access, to removable storage on Windows devices managed with Microsoft Intune.
Steps
1. Navigate to the Microsoft Intune portal and select Endpoint Security.

2. Under Manage, select Attack Surface Reduction, then select Create Policy > Platform: Windows 10, Windows 11 and Windows Server > Profile: Device Control. Select Create.

3. Provide a name for the policy, then select Next.
4. Under Configuration Settings, configure the following:
   Under Storage, set Removable Disk Deny Write Access to "Enabled".
   Under Connectivity, set Allow USB Connection to "Allowed".
   Under Device Control, set ID to "Configured", then select Edit Entry and enter the following:
      Name: a descriptive name such as Allow Read Access
      Type: Allow
      Options: None
      Access mask: Read
      Sid: Leave blank
      Computer Sid: Leave blank
   Select OK.

5. Under Scope tag, select Next.
6. Under Assignments, select the assignments, then select Next.
7. Under Review + create, select Create.
8. Run Sync from the Company Portal app on the device, then plug in the removable storage.
9. From the Windows device, you will be able to read any content on the removable storage, but you will not be able to write to it.
As an example of "Read" access, you can open any existing file, such as AppAssociations.xml, on the removable storage.

As an example of "Write" access, try to make another copy of AppAssociations.xml on the removable storage. You will be prompted; select Continue.

The message "You need permission to perform this action" is displayed, and the copy is not written to the removable storage.
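The following PowerShell script is an added verification aid for step 9 and is not part of the original article. It assumes the removable drive is E: (adjust the parameter), that the MDM client records the Storage CSP setting under the PolicyManager registry key shown, and that the Group Policy equivalent lives under the RemovableStorageDevices key with the removable-disk class GUID; the registry paths are assumptions to confirm on your own device, and the functional read/write test does not depend on them.

```powershell
# Added example (not from the original article).
# Assumption: the removable storage is mounted as E:; change $Drive to match your device.
param([string]$Drive = 'E:')

# Assumed registry locations where the "deny write" setting is reflected:
# - MDM-delivered Storage CSP value (PolicyManager)
# - Group Policy equivalent (RemovableStorageDevices, removable-disk class GUID)
$mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$mdmValue = (Get-ItemProperty -Path $mdmPath -Name RemovableDiskDenyWriteAccess -ErrorAction SilentlyContinue).RemovableDiskDenyWriteAccess
$gpoValue = (Get-ItemProperty -Path $gpoPath -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write

# A value of 1 under either location indicates writes to removable disks are denied.
[pscustomobject]@{
    PolicyManagerDenyWrite = $mdmValue
    GroupPolicyDenyWrite   = $gpoValue
}

# Functional check 1: reading an existing file on the removable drive must succeed.
$readTarget = Get-ChildItem -Path $Drive -File -ErrorAction Stop | Select-Object -First 1
if ($readTarget) {
    $null = Get-Content -Path $readTarget.FullName -TotalCount 1 -ErrorAction Stop
    Write-Host "READ  OK      : $($readTarget.FullName)"
} else {
    Write-Host "READ  SKIPPED : no files found on $Drive"
}

# Functional check 2: creating a file on the removable drive must be refused.
$testFile = Join-Path $Drive 'devicecontrol-writetest.txt'
try {
    Set-Content -Path $testFile -Value 'write test' -ErrorAction Stop
    Write-Warning "WRITE SUCCEEDED: policy is not enforced on $Drive (remove $testFile)"
} catch {
    # Expected outcome: an access-denied error, matching the "You need permission" prompt.
    Write-Host "WRITE DENIED (expected): $($_.Exception.GetType().Name) - $($_.Exception.Message)"
}
```

Run the script in an elevated PowerShell session after the Company Portal sync has completed and the drive is plugged in; a write that succeeds means the policy has not yet applied to this device.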
