Forum Discussion

drivesafely
Brass Contributor
Apr 17, 2025

Removable Media settings tattooed to device

Hello,

I created a policy to block USB Removable Media in Configurations > Templates > Device Restrictions > General to block Removable storage, which successfully blocks USB access. However, removing this setting does not revert the block.

I noticed the following registry key is created in the device:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001
"MDMRegSet"=dword:00000001
"RebootTimeinSeconds_state"=dword:00000001
"RebootTimeinSeconds"=dword:0000012c

Is this the correct registry location for this setting?

Even after manually deleting the key, USB access remains blocked. After a reboot, the registry key reappears, even though the policy is no longer assigned to the device in Intune.

Can anyone confirm if this is the only registry entry involved, or if additional steps are required to fully remove the restriction?

Thanks!

3 Replies

  • micheleariis
    Steel Contributor

    Yes, that key is the exact location Intune writes when you enable Device Restrictions → Removable storage → Block (Deny_All).

    ADMX-backed profiles are "tattooed": once the profile is un-assigned Intune stops managing it but "doesn't revert the value", so the block survives reboots and the key gets re-created on every sync.

    Deleting the key manually won't help—you must push a new policy that sets Deny_All = 0 (or marks the setting "Not configured" via a fresh Device-Restrictions or custom OMA-URI profile). After that profile applies and the device syncs/reboots, USB storage is allowed.

    Apart from this key, only HKLM\SYSTEM\CurrentControlSet\Services\UsbStor (Start) or Defender Device Control rules could still block USB, but they're not modified by this setting.
    If you can't deploy a "clear" policy, the last resort is a wipe/re-image, because the tattoo won't fall off on its own.

    • drivesafely
      Brass Contributor

      Hello micheleariis 

      Thanks for your response.

      As suggested, I had already created a new policy with all settings set to "Not configured" and excluded the device from the previous policy—but the issue persists.

      It seems the Removable Media Block feature isn’t reliable with just an Intune license due to this behavior. Is there any official Microsoft reference that explains this?

      Thanks again!

  • Hi,

    sometimes the CSPs from MS are unfortunately retained.

    Try to check these registries also and see if you can find anything related to your needs.

    This location contains default settings for policies applied through MDM:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers 

    This key stores cached data for CSP nodes:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache

    In order to find your ProviderID, check C:\ProgramData\Microsoft\DMClient

    Good luck
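The following is an added example, not code from any reply in this thread. It is a read-only PowerShell audit that checks the RemovableStorageDevices key from the original post, the PolicyManager and NodeCache locations listed in the last reply, and the UsbStor Start value micheleariis mentions, so you can see which locations still carry a removable-storage block before deploying a clearing policy. It assumes an elevated prompt on the affected device; treating the subfolder names under C:\ProgramData\Microsoft\DMClient as ProviderIDs is an assumption based on the reply above.

```powershell
# Added example (not from the thread): read-only audit of the registry locations named in this discussion.
# Run in an elevated PowerShell prompt on the affected device. It changes nothing; it only reports.

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',  # key from the original post
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\default',                      # MDM default policy values
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers',                    # per-enrollment (ProviderID) values
    'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache'                      # cached CSP node data
)

# 1. Dump the tattooed key exactly as it stands (Deny_All = 1 means removable storage is blocked).
$tattoo = Get-ItemProperty -Path $paths[0] -ErrorAction SilentlyContinue
if ($tattoo) {
    "RemovableStorageDevices key present:"
    $tattoo | Select-Object Deny_All, MDMRegSet, RebootTimeinSeconds, RebootTimeinSeconds_state | Format-List
} else {
    "RemovableStorageDevices key not present."
}

# 2. Search the MDM policy caches for any key or value mentioning removable storage or Deny_All.
$pattern = 'Removable|Deny_All'
foreach ($root in $paths[1..3]) {
    if (-not (Test-Path $root)) { "$root not found"; continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_   # Microsoft.Win32.RegistryKey
        if ($key.PSChildName -match $pattern) { "KEY   $($key.Name)" }
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($name -match $pattern -or "$data" -match $pattern) {
                "VALUE $($key.Name)\$name = $data"
            }
        }
    }
}

# 3. USB storage driver start type (3 = manual/on demand, 4 = disabled), which this policy does not touch.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' -Name Start -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'UsbStor Start'; e = { $_.Start } }

# 4. Enrollment folders under DMClient; their names are assumed to be the ProviderIDs referenced in the reply above.
Get-ChildItem -Path 'C:\ProgramData\Microsoft\DMClient' -Directory -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'ProviderID folder (assumed)'; e = { $_.Name } }
```

Because the script only reads, it is safe to run before and after a clearing policy syncs: if step 1 still reports Deny_All = 1 after the device has synced, the tattoo has not been overwritten yet, and step 2 shows which cached CSP nodes still reference the setting. A value of 4 in step 3 would point to a separate block on the UsbStor service rather than this policy.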
