drivesafely
Brass Contributor
Apr 15, 2025
Solved

Intune ASR Device Control block removable media

Hello,

I'm trying to block all USB drives (removable media) on Windows devices via Intune using ASR - Device Control settings, while allowing a few exceptions. Blocking works fine, but the exclusions or allowing don't seem to apply. I followed the steps from this video: https://www.youtube.com/watch?v=-0DD_hbIvo0

Also, when modifying the policy, I noticed the new registry values get added but old ones are not removed, so the block remains. I can't manually edit or delete the key at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Device Control`, even as a local admin.

Does this require a Defender for Endpoint license, or is Intune license alone enough?

Appreciate any guidance on the best way to block USBs while allowing specific ones.

Thanks

  • Alikoc
    Iron Contributor

    To use Device Control with allow/block rules (including whitelisting specific USBs), you need a Microsoft Defender for Endpoint P2 license. Intune alone is not sufficient for granular exclusions or full Device Control functionality.
    And the registry key at

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Device Control

    is managed by policy (specifically via MDE), and cannot be modified or deleted even by a local administrator. This is by design to maintain policy integrity.

    If old values persist, it usually means:

    • The policy update did not overwrite previous entries, or
    • The device is still referencing previously applied policies (especially if switching between MDM and GPO).

    I think with MDE and Intune:

    1. Go to Endpoint Security > Device Control > Removable Storage Access policy.
    2. Set Removable Storage = Block.
    3. Under Exclusions, add allowed USBs by:
      • Vendor ID (VID)
      • Product ID (PID)
      • Serial Number (if needed)
    4. You can retrieve these values using PowerShell (Get-PnpDevice) or tools like USBDeview.

    Without Defender for Endpoint, Intune does not support USB whitelisting directly.

    And lastly, my recommendation: ensure your endpoints are:

    • Onboarded to Defender for Endpoint,
    • Assigned the appropriate Device Control profile, and
    • Not receiving conflicting settings from other policy sources (GPO, legacy CSPs, etc.)

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Best regards,
    Ali Koc
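One way to collect the VID, PID and serial values that steps 3 and 4 above refer to, and to inspect what the policy-managed Device Control key currently holds, as an added PowerShell example (not from the original post, and not Microsoft's own tooling). It assumes a Windows 10/11 endpoint with the built-in PnpDevice module and an elevated prompt; read access to the key is assumed, since the key cannot be edited locally.

```powershell
# Added example: enumerate connected USB storage devices with the identifiers a
# Device Control exclusion rule would reference, then dump the current policy key.
# Assumptions: Windows 10/11, PowerShell 5.1 or later, elevated session.

function Get-UsbStorageIdentity {
    # USB mass-storage devices are bound to the USBSTOR service; their instance ID
    # has the form USB\VID_xxxx&PID_xxxx\<serial-or-generated-id>
    Get-PnpDevice -Class USB -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Service -eq 'USBSTOR' } |
        ForEach-Object {
            if ($_.InstanceId -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$') {
                $serial = $Matches[3]
                [PSCustomObject]@{
                    FriendlyName   = $_.FriendlyName
                    VID            = $Matches[1].ToUpper()
                    PID            = $Matches[2].ToUpper()
                    SerialNumber   = $serial
                    # A generated ID such as 6&2a1b3c4d&0&1 means the device reported no
                    # serial, so a serial-based exclusion will not match it reliably.
                    SerialIsStable = ($serial -notmatch '&')
                }
            }
        }
}

function Get-DeviceControlPolicyState {
    # The key the question refers to. Read-only enumeration: the values here are
    # written by policy, which is why a local administrator cannot edit them.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Device Control'
    if (-not (Test-Path -Path $key)) {
        return 'Device Control key not present (no Device Control policy applied)'
    }
    $keys = @(Get-Item -Path $key -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        # Strip the PS* provider properties so only the registry values remain
        Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS*
    }
}

Get-UsbStorageIdentity    | Format-Table -AutoSize
Get-DeviceControlPolicyState | Format-List
```

Devices reported with SerialIsStable set to False should be excluded by VID and PID only, since the generated instance ID changes with the port or host they are plugged into.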

    • drivesafely
      Brass Contributor

      Hello Alikoc,

      Thanks for the receptive reply. I will not be able to use the Device Control, in this case as we do not have MDE license, but just Intune.

      Also can you please suggest the best approach to block/allow USB through Intune other than Device Control?

      Thanks.