Overview
This knowledge base article provides step-by-step instructions on how to block all removable classes for Windows devices on Microsoft Intune.
Steps
1. Navigate to Microsoft Intune portal, under by platform: Windows, then select Configuration profiles.
2. Select Create > New policy > By platform: Windows 10 and later > Profile type: Settings catalog
3. Enter a name for the policy.
4. Under Configuration settings, select Add settings then in Search for a setting, enter in: Removable Storage Access then click Search. Click on Administrative Templates\System\Removable Storage Access
5. From the dropdown menu on the right column, under "Removable Storage Access", tick the following.
All Removable Storage classes: Deny all access set as Enabled
CD and DVD: Deny execute access set as Enabled
CD and DVD: Deny read access set as Disabled
CD and DVD: Deny write access set as Enabled
Custom Classes: Deny read access set as Disabled
Floppy Drives: Deny execute access set as Enabled
Floppy Drives: Deny read access set as Disabled
Floppy Drives: Deny write access set as Enabled
Removable Disks: Deny execute access set as Enabled
Removable Disks: Deny read access set as Disabled
Tape Drives: Deny execute access set as Enabled
Tape Drives: Deny read access set as Disabled
Tape Drives: Deny write access set as Enabled
WPD Devices: Deny read access set as Disabled
WPD Devices: Deny write access set as Enabled
6. Under Scope tags, select Next.
7. Under Assignments, select an assignment group and select Next.
8. Under Review + create, review all the settings and select Create.
9. Run Sync from Company Portal, plug in a USB to your computer and now you will see that the USB is inaccessible.
