Forum Discussion
Blocking USB slots in Intune
- Aug 02, 2024
Hilmar Hi, to force sync you can use this command:
intunemanagementextension://syncapp
I also recommend this feature if you want the refresh to be done more often:
Administrative templates are mostly used for compatibility with Windows 10; if your devices are Windows 11, it is definitely better to use endpoint security, which is the evolution of administrative templates and allows for more modern device management.
If you want to lock the USBs at startup, you will have to go to work on the BIOS.
Through Intune, some manufacturers (e.g. Dell) give the ability to create configuration files and then deploy them to devices in a centralized way:
https://learn.microsoft.com/it-it/mem/intune/configuration/bios-configuration
I hope I have been helpful to you
- micheleariis Aug 05, 2024 MCT
Hi, I usually assign the policy to a group of users\devices where all the company devices\users are present; then I create a security group (devices\users) and assign as exclusion on the policy; keep in mind that even after the sync it takes a bit of time for what concerns the USB ports.
When you have to go to block\allow only certain devices you will have to go and work on the IDs of these; here you can go and block for example all the printers except those with device ID xxxx-xxx-xxxx
- Hilmar Aug 06, 2024 Copper Contributor
yes, I need to be more patient. Thought "synchronise" means "right now" :o)
20 minutes after sync the test client made a sound, telling me the USB stick is unblocked again.
- micheleariis Aug 06, 2024 MCT
Unfortunately, there are cloud times in the way 🙂
I hope over time they improve this as well; I'm not saying it has to be in real time but at most 5 minutes on these configurations
- Hilmar Aug 02, 2024 Copper Contributor
micheleariis Hi micheleariis,
thank you for your very helpful answer.
I have set the config refresh profile and will monitor its work.
Because we mostly use win11 clients, I will stay with the endpoint security.
Thanks a lot.
Have a nice weekend.
Hilmar
- micheleariis Aug 03, 2024 MCT
Hi, I'm glad I was helpful; if you'd like to accept my comment as a best response
- Hilmar Aug 05, 2024 Copper Contributor
micheleariis am I guessing right, after I have blocked the USB slots, I can't just open 'em again by removing the user group out of the policy? Just for testing purposes.
I removed the group assignment and synchronised again, but the client USB slots are still blocked.
Next step will be to generally allow any camera (by class ID) and in a third step allow just a specific camera.
We will see how that works.