Forum Discussion
Removable Media settings tattooed to device
Yes, that key is the exact location Intune writes to when you enable Device Restrictions → Removable storage → Block (Deny_All).
ADMX‑backed profiles are "tattooed": once the profile is un‑assigned, Intune stops managing it but "doesn’t revert the value", so the block survives reboots and the key gets re‑created on every sync.
Deleting the key manually won’t help—you must push a new policy that sets Deny_All = 0 (or marks the setting "Not configured" via a fresh Device‑Restrictions or custom OMA‑URI profile). After that profile applies and the device syncs/reboots, USB storage is allowed.
Apart from this key, only HKLM\SYSTEM\CurrentControlSet\Services\UsbStor (Start) or Defender Device Control rules could still block USB, but they’re not modified by this setting.
If you can’t deploy a “clear” policy, the last resort is a wipe/re‑image, because the tattoo won’t fall off on its own.
Hello micheleariis
Thanks for your response.
As suggested, I had already created a new policy with all settings set to "Not configured" and excluded the device from the previous policy—but the issue persists.
It seems the Removable Media Block feature isn’t reliable with just an Intune license due to this behavior. Is there any official Microsoft reference that explains this?
Thanks again!