MDE Device Control – USB stick still accessible even after blocking policy applied
Hey everyone,
I’m currently testing MDE Device Control (Device Installation Restrictions) to block all USB removable storage except for explicitly allowed devices.
Here’s what I did:
- Created a Device Control policy in Intune
- Set “Allow installation of devices that match any of these device IDs” = Enabled
- Added my test USB stick’s Device Instance ID (from Device Manager → Properties → Details → Hardware IDs, e.g. USBSTOR\Disk&Ven_Intenso&Prod_Basic_Line&Rev_2.00\[masked_serial]&0)
- Deployed to test machine
But:
I can still access the USB stick and read/write files as usual.
So my questions are:
- Am I using the correct ID (Device Instance ID vs. Hardware ID vs. Class GUID)?
- Do Device Installation Restrictions only prevent new driver installations and not access to already installed devices?
- Should I be using the newer Device Control (Removable Storage Access Control) instead of Device Installation Restrictions for this scenario?
Any advice from people who successfully blocked/allowed USB sticks via Intune would be greatly appreciated!
Thanks in advance
2 Replies
Hi alex_ri141, try the below:
- Switch to Device Control → Removable Storage Access Control in MDE/Intune.
- Define allow/block rules by Vendor ID or Product ID (from Hardware ID).
- Example: USBSTOR\Disk&Ven_Intenso&Prod_Basic_Line
- Pilot first with a test group before rolling out org-wide.
- Combine with auditing/logging to verify rules are applied (check DeviceControl CSP logs or MDE reports).
Ans:
- Correct ID? → Use Hardware ID (or Vendor/Product IDs extracted from it), not just Device Instance ID.
- Installation Restrictions? → Yes, they only stop new driver installs, not block existing devices.
- Use newer Device Control? → Yes — for blocking access to USB storage, use Removable Storage Access Control (MDE Device Control policy).
Migrate from “Device Installation Restrictions” to “Device Control – Removable Storage Access Control” in Intune. That’s the modern, supported way to enforce USB stick allow/deny policies.
- Ankit365 (Brass Contributor)
Device Installation Restrictions in Intune are often misunderstood because they only affect the process of installing new device drivers, not ongoing access to devices. When you configure a policy to block USB removable storage using this method, Windows will refuse to install drivers for any new, unknown USB storage devices whose identifiers do not match the list of allowed devices. However, if the USB stick was already plugged in before the policy was applied and its driver is present in the driver cache, the policy has no effect and the device remains usable. This explains why your test USB stick still works despite being targeted by your restriction.
The type of identifier you use is also critical. Device Instance IDs are unique to a single device on a machine and are not reliable for policy enforcement across multiple endpoints. Instead, you should use Hardware IDs or Class GUIDs. Hardware IDs consistently identify the device type and model across endpoints, while Class GUIDs identify the entire device class, such as USB storage. When using Device Installation Restrictions, these are the supported and reliable identifiers.
For your actual requirement of blocking all USB storage devices except those explicitly approved, Microsoft recommends using the Microsoft Defender for Endpoint Device Control feature, specifically the Removable Storage Access Control policies. This is a newer approach that operates at the kernel level, intercepting device access even if the driver is already installed. It allows you to create global block rules for all removable storage and then carve out allow rules for specific hardware based on serial number, vendor ID, product ID, or hardware ID. Unlike installation restrictions, these rules can enforce real-time access control, including read-only or full deny actions, which is far more effective in production environments.
In practice, this means you should treat Device Installation Restrictions as a legacy, niche control that is useful for preventing users from adding entirely new classes of devices but not for blocking devices already in use. For a robust and modern USB control strategy, configure Defender for Endpoint Device Control policies through Intune or Security Management. This approach ensures that your test scenario, blocking all removable storage except for an explicitly allowed USB stick, will work consistently across all endpoints, regardless of whether the device driver is already present.
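Both replies recommend moving to Removable Storage Access Control and choosing a portable identifier (Hardware ID, or VID/PID derived from it) rather than a per-machine Device Instance ID. The script below is an added example, not code from either reply or from Microsoft: it lists the identifiers of attached USB storage devices so you can see the difference between the instance ID and the hardware ID, then builds the Groups and PolicyRules XML for a policy that denies all removable storage except one approved stick. The GUIDs, the approved hardware ID and the output folder are constructed placeholders; the XML element names, AccessMask bits and OMA-URIs follow the published Defender for Endpoint Device Control schema for Windows.

```powershell
<#
 Added example (not from the thread or from Microsoft). Builds a Defender for
 Endpoint Removable Storage Access Control policy: deny every access kind on all
 removable storage, except devices in an "approved" group matched by Hardware ID.
 Placeholders (constructed): all GUIDs, the approved hardware ID, the output folder.
#>

# 1. Show the identifier types discussed in the thread for each attached USB disk.
#    InstanceId is unique to one stick on one machine (not portable);
#    the first HardwareId is the model-level value that is reusable in policy.
function Get-UsbStorageIdentifier {
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                HardwareId   = @($hwIds)[0]
            }
        }
}

# 2. Emit the Groups and PolicyRules XML. The GUIDs must stay stable across
#    deployments because the rule references the groups by Id.
function New-DeviceControlPolicyXml {
    param(
        [Parameter(Mandatory)][string]$AllowedHardwareId,
        [string]$AllowedGroupId = '{11111111-1111-1111-1111-111111111111}', # placeholder
        [string]$AllRemovableId = '{22222222-2222-2222-2222-222222222222}', # placeholder
        [string]$RuleId         = '{33333333-3333-3333-3333-333333333333}', # placeholder
        [string]$DenyEntryId    = '{44444444-4444-4444-4444-444444444444}', # placeholder
        [string]$AuditEntryId   = '{55555555-5555-5555-5555-555555555555}'  # placeholder
    )
    # AccessMask bits: 1 DeviceRead, 2 DeviceWrite, 4 DeviceExecute,
    # 8 FileRead, 16 FileWrite, 32 FileExecute. 63 = every access kind.
    # AuditDenied Options=3 = raise an event and show the user a notification.
    $groups = @"
<Groups>
  <Group Id="$AllRemovableId">
    <Name>All removable storage</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="$AllowedGroupId">
    <Name>Approved USB sticks</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <HardwareId>$AllowedHardwareId</HardwareId>
    </DescriptorIdList>
  </Group>
</Groups>
"@
    $rules = @"
<PolicyRules>
  <PolicyRule Id="$RuleId">
    <Name>Deny all removable storage except approved sticks</Name>
    <IncludedIdList>
      <GroupId>$AllRemovableId</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>$AllowedGroupId</GroupId>
    </ExcludedIdList>
    <Entry Id="$DenyEntryId">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>63</AccessMask>
    </Entry>
    <Entry Id="$AuditEntryId">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
"@
    [pscustomobject]@{ GroupsXml = $groups; RulesXml = $rules }
}

# 3. Usage: inspect the attached sticks, then write both XML files.
Get-UsbStorageIdentifier | Format-Table -AutoSize
$policy = New-DeviceControlPolicyXml `
    -AllowedHardwareId 'USBSTOR\DiskExampleVendorExampleProd_1.00'   # placeholder value
$out = Join-Path $env:TEMP 'DeviceControl'                          # placeholder folder
New-Item -ItemType Directory -Path $out -Force | Out-Null
$policy.GroupsXml | Set-Content -Path (Join-Path $out 'groups.xml') -Encoding UTF8
$policy.RulesXml  | Set-Content -Path (Join-Path $out 'rules.xml')  -Encoding UTF8
# Intune custom (OMA-URI) profile targets; each group/rule is keyed by its own GUID:
#   ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B<group-guid>%7D/GroupData
#   ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B<rule-guid>%7D/RuleData
#   ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled = 1
#   ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement   = 2 (Deny)
```

The Deny entry is what makes this different from Device Installation Restrictions: it is evaluated on every access to a device in the included group, so a stick whose driver is already cached is still blocked, while the excluded group carves out the approved hardware. The AuditDenied entry is the verification step the first reply asks for; once deployed, blocked attempts surface in Advanced Hunting as `DeviceEvents` rows with `ActionType == "RemovableStoragePolicyTriggered"`, which is the quickest way to confirm the rule is actually applied on the pilot group before widening scope.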