Not sure why people still seem to have issues with this; the documentation is not very good at explaining how to set it up.
If you follow the guide I wrote out below it works every time. Ignore the reporting for a few days, though, because the reporting seems to lag behind for a while.
Reusable settings:
1. Go to ASR Rules > Reusable Settings > Create Reusable Settings. Name it "Any Removable Media".
2. Click Add and select Removable Storage.
3. In the Name field enter: Any Removable Media
4. In the PrimaryID field enter: RemovableMediaDevices
5. Click OK, then Next, and save it.
6. Next, create a new reusable setting. Name it USB Whitelist or Authorized USBs, whatever you want to call it.
7. Click Add and select Removable Storage.
8. In the Name field enter: Temporary Entry
9. In the Serial Number field just enter: 12345678
10. Click Next and save it. You will come back to this later to add the USBs you want to whitelist, but we have to have an entry in here to save it and set up the policy.
Policy:
1. Go back to the Summary tab (instead of the Reusable Settings tab) under ASR, select Create Policy, and select Windows 10 and later. Don't select Windows 11, 10 and Server, as Device Control is not under that one. Then select Device Control as the type.
2. In the properties, expand the Device Control settings; these are the only ones you need.
3. Create a new entry.
4. Under the Include Entry option select your Any USB selection (the Any Removable Media reusable setting).
5. In the Exclude option select the whitelist you created.
6. Under the Edit Entry option name the setting Block Removable Storage.
7. Click Add. For Type choose Deny, for Options choose None, and for Access Mask choose Read, Write, Execute.
8. Click Add again. For Type choose Audit Deny, for Options choose Send Notification and Event, and for Access Mask choose Read, Write, Execute.
9. Click OK.
10. Under Device Control click Add again.
11. For Include Entry choose your whitelist.
12. Don't select anything for Exclude Entry; leave it alone.
13. Under the Edit Entry option name the setting Authorized USBs. Click Add. For Type choose Allow, for Options choose None, and for Access Mask choose Read, Write, Execute.
14. Click Add again. For Type choose Audit Allow, for Options choose Send Notification, and for Access Mask choose Read, Write, Execute.
15. Click OK.
Target this policy to a set of devices. When it applies, USBs should be restricted except any that you add to the whitelist setting under Reusable Settings; it works best with the serial numbers of USB drives.
All you need to do to add a device to the whitelist is go back to the whitelist reusable setting, add an entry, and wait for the settings to apply. It can take a while to apply.
To verify the settings are applied, open the registry on any PC that says the settings are applied and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
You should see:
- a DWORD "DeviceControlEnabled" with a value of 1
- a string named PolicyRules and a string named PolicyGroups
If you see the two string values but not DeviceControlEnabled, create a custom URI (OMA-URI) policy under Windows devices in Intune and target this URI:
./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
with an integer value of 1.
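Here is a PowerShell check for that verification step, added as an example and not part of the original post. It reads the Policy Manager key the post names, confirms DeviceControlEnabled is 1, confirms PolicyRules and PolicyGroups exist, and, if those two strings parse as the Device Control XML (an assumption; if they don't, the raw values are left alone), lists the groups, rules and entries it finds so you can compare them with what you built in Intune. The Read=1, Write=2, Execute=4 access-mask decoding is also an assumption taken from the Defender device control documentation, not from the post.

```powershell
# Added example: verify an Intune Device Control policy has landed on an endpoint.
# Assumptions: registry path and value names are the ones quoted in the post;
# PolicyGroups/PolicyRules are decoded only if they parse as Device Control XML.

$PolicyManagerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

function Show-DeviceControlXml {
    param([string]$Name, [string]$Text)
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Text) }
    catch {
        # The value may be a fragment with several top-level elements; wrap it.
        try { $doc.LoadXml("<root>$Text</root>") }
        catch { Write-Host "  ($Name is not XML; raw value left as-is)"; return }
    }
    # Access mask bits (assumed): 1 = Read, 2 = Write, 4 = Execute
    $maskNames = [ordered]@{ 1 = 'Read'; 2 = 'Write'; 4 = 'Execute' }
    foreach ($g in $doc.SelectNodes('//Group')) {
        $gName = $g.SelectSingleNode('Name').InnerText
        $ids = ($g.SelectNodes('DescriptorIdList/*') |
            ForEach-Object { "$($_.LocalName)=$($_.InnerText)" }) -join ', '
        Write-Host "  Group '$gName' [$($g.GetAttribute('Id'))]: $ids"
    }
    foreach ($r in $doc.SelectNodes('//PolicyRule')) {
        $rName = $r.SelectSingleNode('Name').InnerText
        $inc = ($r.SelectNodes('IncludedIdList/GroupId') | ForEach-Object { $_.InnerText }) -join ','
        $exc = ($r.SelectNodes('ExcludedIdList/GroupId') | ForEach-Object { $_.InnerText }) -join ','
        Write-Host "  Rule '$rName' include=[$inc] exclude=[$exc]"
        foreach ($e in $r.SelectNodes('Entry')) {
            $mask = [int]$e.SelectSingleNode('AccessMask').InnerText
            $perms = @()
            foreach ($bit in $maskNames.Keys) { if ($mask -band $bit) { $perms += $maskNames[$bit] } }
            $type = $e.SelectSingleNode('Type').InnerText
            $opts = $e.SelectSingleNode('Options').InnerText
            Write-Host "    $type options=$opts access=$($perms -join '+')"
        }
    }
}

function Test-DeviceControlPolicy {
    param([string]$Path = $PolicyManagerKey)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Policy Manager key not found: $Path (policy has not applied yet)"
        return $false
    }
    $props = Get-ItemProperty -Path $Path
    $ok = $true

    # The DWORD must be present and equal to 1; if it is missing, the post's fix is the
    # custom OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled = 1.
    $enabled = $props.PSObject.Properties['DeviceControlEnabled']
    if ($null -eq $enabled) {
        Write-Warning 'DeviceControlEnabled is missing; rules will not be enforced'
        $ok = $false
    } elseif ($enabled.Value -ne 1) {
        Write-Warning "DeviceControlEnabled is $($enabled.Value), expected 1"
        $ok = $false
    } else {
        Write-Host 'DeviceControlEnabled = 1'
    }

    foreach ($name in 'PolicyGroups', 'PolicyRules') {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop -or [string]::IsNullOrWhiteSpace([string]$prop.Value)) {
            Write-Warning "$name is missing or empty"
            $ok = $false
            continue
        }
        Write-Host "$name present ($(([string]$prop.Value).Length) chars)"
        Show-DeviceControlXml -Name $name -Text ([string]$prop.Value)
    }
    return $ok
}

# Usage: run in an elevated PowerShell on a PC where Intune reports the policy as applied.
Test-DeviceControlPolicy
```

If the function returns $false, the warnings tell you which of the three values is missing, which maps directly onto the fix described above: missing strings mean the policy has not applied yet, while missing DeviceControlEnabled means the extra OMA-URI is needed.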
If all is done right, this should work and block all USB drives, and only allow whitelisted USB drives to be read from, written to, and executed from. It also sends security info to the Microsoft security center that you can audit, so if people plug in blocked USBs that gets logged, and if people copy files to a USB, read files from a USB, or run files from a USB that gets logged as well.