Forum Discussion

Hilmar
Copper Contributor
Aug 02, 2024
Solved

Blocking USB slots in Intune

Dear Reader,

Because of security reasons, I want to block all the USB slots of our clients.

On different websites I was told to go to Intune - Devices - Windows - Configuration and create a new "GPO" policy by choosing an administrative template called "prevent installation of devices not described...." and include the user group. In a second step I need to exclude all the hardware I do not want to be blocked, like keyboard, mouse....

But after all that doesn't seem to work.

After waiting a few hours, in hope the test client would drag the "GPO", I could still use my own USB stick. (Btw: is there a way to synchronise instead of waiting? Like the old gpupdate /force in cmd? And without the "synchronise" in the company portal?)

After that fail, I did the same in Endpoint security and that works fine. All the USB slots are locked.

So was it just wrong information to do it with a configuration profile?

Where is the difference between configuration profile and endpoint security?

In a next step I want to lock down USB in booting the PC as well. Is that possible? 

Thanks a lot for any hint. 

Have a nice day. 

Hilmar

7 Replies

  • Hilmar Hi, to force sync you can use this command:

    intunemanagementextension://syncapp

    I also recommend this feature if you want the refresh to be done more often:

    https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921

    Administrative templates are mostly used for compatibility with Windows 10; if your devices are Windows 11, it is definitely better to use endpoint security, which is the evolution of administrative templates and allows for more modern device management.

    If you want to lock the USBs at startup, you will have to work on the BIOS.
    Through Intune, some manufacturers (e.g. Dell) give the ability to create configuration files and then deploy them to devices in a centralized way:

    https://learn.microsoft.com/it-it/mem/intune/configuration/bios-configuration

    I hope I have been helpful to you.

    • micheleariis
      MCT
      Hi, I usually assign the policy to a group of users\devices where all the company devices\users are present; then I create a security group (devices\users) and assign it as an exclusion on the policy; keep in mind that even after the sync it takes a bit of time for what concerns the USB ports.
      When you have to block\allow only certain devices you will have to work on the IDs of these; here you can, for example, block all the printers except those with device ID xxxx-xxx-xxxx.
      • Hilmar
        Copper Contributor
        Yes, I need to be more patient. Thought "synchronise" means "right now" :o)
        20 minutes after the sync the test client made a sound, telling me the USB stick is blocked again.
    • Hilmar
      Copper Contributor

      micheleariis Hi micheleariis,

      thank you for your very helpful answer.

      I have set the config refresh profile and will monitor its work.

      Because we mostly use Win11 clients, I will stay with the endpoint security.

      Thanks a lot.

      Have a nice weekend.

      Hilmar

      • Hi, I'm glad I was helpful; if you'd like to accept my comment as a best response
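A way to check from the test client whether the device-installation policy actually arrived, instead of waiting with a USB stick; this is an added example, not code from the thread. It reuses the sync URI from the first reply and assumes the Intune ADMX setting lands at the same registry path as its GPO equivalent (`DeviceInstall\Restrictions`); run it elevated on the Windows 11 test client.

```powershell
# Added example (not from the thread). Assumption: the MDM-delivered
# "Prevent installation of devices not described by other policy settings"
# setting surfaces at the same registry path the matching GPO writes to.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Request-IntuneSync {
    # Same URI the first reply gives; launching it asks the Intune management
    # extension to sync now instead of waiting for the next check-in.
    Start-Process 'intunemanagementextension://syncapp'
}

function Get-DeviceInstallRestriction {
    $result = [ordered]@{ DenyUnspecified = $false; AllowedClasses = @(); AllowedIds = @() }
    if (Test-Path $Restrictions) {
        $props = Get-ItemProperty -Path $Restrictions
        # DenyUnspecified = 1 is the registry form of the "prevent installation" setting.
        $result.DenyUnspecified = ($props.DenyUnspecified -eq 1)
        # The keyboard/mouse/... exclusions are numbered string values in these subkeys.
        foreach ($sub in 'AllowDeviceClasses', 'AllowDeviceIDs') {
            $path = Join-Path $Restrictions $sub
            if (Test-Path $path) {
                $values = (Get-ItemProperty -Path $path).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
                if ($sub -eq 'AllowDeviceClasses') { $result.AllowedClasses = @($values) }
                else { $result.AllowedIds = @($values) }
            }
        }
    }
    [pscustomobject]$result
}

function Get-PresentUsbDevice {
    # USB-attached devices currently plugged in; a device whose installation
    # was refused shows a problem status instead of 'OK'.
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\*' } |
        Select-Object Class, FriendlyName, Status, InstanceId
}

Request-IntuneSync
Start-Sleep -Seconds 60   # give the sync a moment; the thread notes the USB change itself lags
Get-DeviceInstallRestriction | Format-List
Get-PresentUsbDevice | Format-Table -AutoSize
```

If `DenyUnspecified` stays `False` after a sync, the setting never reached the client and the assignment or group membership is the place to look, not the USB port.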
