Forum Discussion

drivesafely
Iron Contributor
Apr 15, 2025
Solved

Intune ASR Device Control block removable media

Hello, I'm trying to block all USB drives (removable media) on Windows devices via Intune using ASR - Device Control settings, while allowing a few exceptions. Blocking works fine, but the exclusion...
  • Alikoc
    Apr 15, 2025

    To use Device Control with allow/block rules (including whitelisting specific USBs), you need a Microsoft Defender for Endpoint P2 license. Intune alone is not sufficient for granular exclusions or full Device Control functionality.

    And the registry key at

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Device Control

    is managed by policy (specifically via MDE), and cannot be modified or deleted even by a local administrator. This is by design to maintain policy integrity.

    If old values persist, it usually means:

    • The policy update did not overwrite previous entries, or
    • The device is still referencing previously applied policies (especially if switching between MDM and GPO).

    I think with MDE and Intune:

    1. Go to Endpoint Security > Device Control > Removable Storage Access policy.
    2. Set Removable Storage = Block.
    3. Under Exclusions, add allowed USBs by:
      • Vendor ID (VID)
      • Product ID (PID)
      • Serial Number (if needed)
    4. You can retrieve these values using PowerShell (Get-PnpDevice) or tools like USBDeview.

    Without Defender for Endpoint, Intune does not support USB whitelisting directly.

    And lastly, my recommendation: ensure your endpoints are:

    • Onboarded to Defender for Endpoint,
    • Assigned the appropriate Device Control profile, and
    • Not receiving conflicting settings from other policy sources (GPO, legacy CSPs, etc.)

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Best regards,
    Ali Koc
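Step 4 of the answer above points at Get-PnpDevice for collecting the Vendor ID, Product ID and serial number of the drives to exclude. The script below is an added example for this thread, not code from either poster or from Microsoft. It assumes Windows PowerShell on a Windows 10/11 client with the built-in PnpDevice module, parses the identifiers out of each device's instance ID, and flags devices that report no real serial number (Windows then substitutes a port-dependent bus path that must not be used for an exclusion). The helper that emits descriptor elements assumes the Defender Device Control group XML uses `VID_PID` and `SerialNumberId` as descriptor names; confirm the element names against current Microsoft documentation before pasting them into a policy.

```powershell
# Added example (not the thread's or Microsoft's code): inventory attached USB devices
# and extract the VID / PID / serial number needed for a Device Control exclusion.
# Assumes Windows 10/11 with the built-in PnpDevice module (Get-PnpDevice).

function Get-UsbDeviceIdentity {
    [CmdletBinding()]
    param(
        # By default hubs and host controllers are skipped; they are never allow-listed.
        [switch]$IncludeHubs
    )

    # Only devices currently plugged in, and only USB-enumerated ones.
    $devices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\VID_*' }

    foreach ($d in $devices) {
        if (-not $IncludeHubs -and $d.FriendlyName -match 'Hub|Host Controller') {
            continue
        }

        # Instance ID shape: USB\VID_xxxx&PID_yyyy[&MI_nn]\<serial or bus path>
        # (-match is case-insensitive, so lowercase hex in the ID is accepted too).
        if ($d.InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&MI_\d{2})?\\(.+)$') {
            $vendorId  = $Matches[1].ToUpper()
            $productId = $Matches[2].ToUpper()
            $tail      = $Matches[3]
        } else {
            continue
        }

        # A device without a unique serial gets a Windows-generated bus path such as
        # 5&2a1b3c4d&0&3 (it contains '&'). That value changes with the port or hub,
        # so it is reported as "no serial" rather than offered as an exclusion key.
        $hasSerial = ($tail -notmatch '&')

        [pscustomobject]@{
            FriendlyName = $d.FriendlyName
            Class        = $d.Class
            VendorId     = $vendorId
            ProductId    = $productId
            SerialNumber = if ($hasSerial) { $tail } else { $null }
            InstanceId   = $d.InstanceId
        }
    }
}

function ConvertTo-DeviceControlDescriptor {
    # Turns one inventory object into a descriptor element for a Device Control group.
    # Assumption: the group XML matches on <VID_PID>vvvv_pppp</VID_PID> and
    # <SerialNumberId>...</SerialNumberId>; verify against current Microsoft docs.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Device)
    process {
        if ($Device.SerialNumber) {
            $serial = [System.Security.SecurityElement]::Escape($Device.SerialNumber)
            "<SerialNumberId>$serial</SerialNumberId>"
        } else {
            # Fall back to vendor/product matching when no stable serial exists.
            "<VID_PID>$($Device.VendorId)_$($Device.ProductId)</VID_PID>"
        }
    }
}

# Usage: review the inventory, then emit descriptor lines only for the drives to allow.
Get-UsbDeviceIdentity | Format-Table FriendlyName, Class, VendorId, ProductId, SerialNumber
Get-UsbDeviceIdentity | Where-Object Class -eq 'USB' | ConvertTo-DeviceControlDescriptor
```

Run the inventory with the approved drives attached, keep the `SerialNumber` entries for the exclusion (a serial pins the rule to one physical stick), and treat any device reported without a serial as matchable only by VID/PID, which allows every unit of that model rather than a specific one.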
