Forum Discussion
Block USB Drive by Serial Number
When you see a USB storage device as the origin of a new threat introduced on the network it would be great to block it so it cannot continue to spread.
So far the only thing that works for me is:
- Block by Class ID which blocks all devices within that class, for example all usbs.
- Block all external storage
I would like to block based on serial number. That might be possible creating custom policies through Configuration policy.
Notes:
I do not want to block all USB drives. Auto USB actions already blocked.
3 Replies
Hello robarismail,
Please, check these articles:
Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub
We did it for several customers and it worked well.
"I do not want to block all USB drives. Auto USB actions already blocked." --- you can block only specific USB drives based on their HardwareID, SerialNumberId, etc.
Hello mikhailf,
Thank you for the reply. In the article Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub they are creating 2 "group" XML files and 1 "policy" XML file."
* The first group is the Group XML that will specify the type of mass storage.
* The second group it to modify the XML file for your approved USB list. - Why is this needed, I want to approve all besides the ones I want to block with serial number?
* The third file which is the policy file
Br,
Robar
- This is only an example.
Based on the second link you can build another policy: Specify the type of mass storage, create a group with blocked USBs, and for that group configure the access (Block in your case).
