MEM - All Things About USB Drive Management and Troubleshooting
Published Mar 05 2021 12:44 AM 11.7K Views



Dear IT Pros,  

Today, we would discuss all things about USB flash drives management including access protection Bitlocker  encryption, AV securityand troubleshooting.

Firstly, we should not reinvent the wheel, so we start with Paul Bergson’s excellent Tech blog article Manage USB Devices on Windows Hosts”,  based on the document, you could use GPO, MEM Configuration Profiles Admx (Administrative Template) for controlling access to USB drives on windows 10 devices. 

I high light the following capabilities of them: 

Managing USB disk drive access by GPO: 

  • To Control Access to USB driveIn Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation RestrictionsTanTran_0-1614926718689.png 
  • To allow only specific USB drives based on Vendor ID or Device ID, you will need to configure at least 2 of the following settings: 



  • You could gather the Device Hardware ID by Windows Device Manager as per Paul Bergson document and enter the information to the policy setting . An example of Hardware ID is shown here: 




During OS plug and play enumeration process, the vendor ID, product ID, and revision number values are obtained from the USB device descriptor and record to Windows RegistryIn the vvvvpppprrrrr key, 

  • vvvv is a 4-digit hexadecimal number that identifies the vendor 
  • pppp is a 4-digit hexadecimal number that identifies the product 
  • rrrr is a 4-digit hexadecimal number that contains the revision number of the device. 




 TIP : To prevent typo error due to the long name with a lot of underscore characters, you could use registry key instead Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR 



  • Tspecify the allow list of USB drivescopy the hardware ID values and paste to the Device ID list in the policy setting named “Allow installation of devices that match any of these device IDs”, as shown here: 




  • To Control USB Drive Access by MEM Administrative Template: 

 You could do the same restriction using Microsoft Endpoint Manager (MEM)- Configuration Profile Administrative Template (admx) 



  • Managing USB Drives by MEM. 
  • To Control USB Access

      - Sign in to the Microsoft Endpoint Manager admin center. 

      - Devices > Configuration profiles > Create profile. 

      - Select Windows 10 and later in Platform, select Administrative Templates in Profile,

      - Create. 

In Basics, enter a descriptive name for the profile in Name. For example, Restrict USB devices. Enter a description for the profile in Description (this setting is optional). Next. 

- In Computer Configuration \ System \ Device Installation \Device Installation Restriction, configure the following settings: 

  • Select Prevent installation of devices not described by other policy settings, and then select Enabled. 



  •  Select Allow installation of devices that match any of these Device IDs, and then select Enabled. Look up the device vendor ID or product ID for devices that you want to allow, and then add the IDs to the list. 




 - In Assignments, select the device groups that will receive the profile, and then select Next. 

 - In Review + create, review your settings.

 - When you select Create, your changes are saved and the profile is assigned. 

 - You could restrict all USB devices by type with class IDs: 

   + Select Allow installation of devices using drivers that match these device setup classes, and then select Enabled. 

    + Add the GUID of device classes that you want to allow. In the following example, Keyboard, Mouse, and Multimedia classes are allowed. 



 USB Flash Drive Security 

- To protect USB drive by Microsoft Defender Antivirus:

   You could use the Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage     for malware. 

   An example of MEM policy for USB removable drive:

  •    Create Device Configuration Profile, Device Restriction for Windows 10 or later platform
  •    Click on Microsoft Defender for Antivirus
  •    Enable "Scan removable drive during a full scan"TanTran_31-1614928317059.png


- To prevent malicious process to be launched from the USB drive:

 You could protect USB drive using Windows Defender Exploit Guard Policy by GPO, MECM (SCCM) or MEM to block untrusted process launched from USB drive in case of the malware file resided in USB drive. 

  • We could use the Attack Surface Reduction (ASR) USB rules to block untrusted and unsigned processes that run from USB, the file types to be blocked include all executable files (such as .exe, .dll, or .scr). 
    •       An example of MEM Configuration Profile\Endpoint Protection\Microsoft Defender Exploit     Guard\Attack Surface Reduction - Untrusted and unsigned processes that run from USB is shown here:


Choose the action : block or audit only (allow the process to be launched but report its activities to Microsoft Defender for Endpoint)


TanTran_11-1614926718702.pngYou can set attack surface reduction rules for devices that are running any of the following  editions and versions of Windows: 

Windows 10 Pro, version 1709 or later 
Windows 10 Enterprise, version 1709 or later 
Windows Server, version 1803 (Semi-Annual Channel) or later 
Windows Server 2019


  • To Allow Read Only to USB for User Group: 

Supposed that you have 2 security group of users, the “USB Read only Users” and the “USB Read and Write Users” created in Azure AD. An User will have Read or Write access depended on the related group membership. 

- To prevent users from writing to the USB drive (Preventing “Copy and paste” of Corporate data from other source to USB drives): 
      - Creating an Endpoint Manager Custom configuration profile for Windows 10 or later  
         Type: Custom,
         OMA-URI: .\User\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess




                - Assign the policy to include group: “USB Read only Users” 

                                                  Exclude group: “USB Read and Write Users” 



  • To Allow Read Only on USB for Device Group: 
    •  You will do the same as the above steps but in Custom OMA-URI, replace the User path with Device path and assign it to the device groups.  
      To prevent devices from writing to the USB drive (Preventing “Copy and paste” of Corporate data from other source to USB drives): 
      Creating an Endpoint Manager Custom configuration profile for Windows 10 or later  
      Type: Custom, OMA-URI 
      Assign the policy to include group: “USB Read only devices” 
                                             Exclude group: “USB Read and Write devices”  



More information: Policy CSP - Storage - Windows Client Management | Microsoft Docs 

  • If you use Bitlocker Encryption for USB, then, do not use the above Deny Write Access policy because it will override the "Deny write access to removable drives not protected by BitLocker" Policy as per the following statement: 

- If the "Removable Disks: Deny write access" group policy setting is enabled this policy (Deny write access to removable drives not protected by BitLocker) setting will be ignored. 

You should use the Bitlocker Deny Write Policy Setting instead. 


  • To Allow Read Only to USB encrypted by Bitlocker: 

Create an Admx configuration profile : 

  • Computer Configuration\Windows Components\Bitlocker Drive Encryption\Removable Data Drives\ 



  • Configure the setting as follow: 



  • O.K 

Testing on Client Workstation, Windows 10: 

When you plug the USB drive into system and the drive was not encrypted by bitlocker before, you will be prompt to encrypt it first before you could use the USB drive. 



Then, you have to enter your secret password to protect the USB from being used by others. USB will be encrypted and ready for use. 



  • Choose the encryption option: 




  • Next, Next,  



Next time, when you plug the Bitlocker USB drive into system, you will need to unlock the drive by your secret password above. 



             Enter password previously setup during bitlocker configuration time:



Monitoring and Audit USB Access: 

  • To view report on activities of USB disk across the organization,  

You could use the M365 Security Center and run the device control report. Records may have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the report card. 

In the Microsoft 365 security center by going to Reports > Device protection. 




         The View details button shows more media usage data in the device control report page. 




  • To Audit USB disk activities 

Hunting USB PnP Device Events: 

In, select the Advanced huntingicon TanTran_25-1614926718680.png


Run query for Device Events related to USB Device (plug and play – PNP device) with extended attributes: 


| where ActionType == "PnpDeviceConnected" 

| extend ParsedFields=parse_json(AdditionalFields) 

|project  ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription), 

DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), DeviceName 


   Hunting for USB drive  and the USB manufacturer is NOTscandisk: 



| where ActionType == "UsbDriveMount"  

| where tolower(tostring(todynamic(AdditionalFields).Manufacturer)) != "scandisk"  

| project USBMountTime = Timestamp, DeviceId,DeviceName , DriveLetter = tolower(tostring(todynamic(AdditionalFields).DriveLetter)), ProductName = tolower(tostring(todynamic(AdditionalFields).ProductName)),Manufacturer = tolower(tostring(todynamic(AdditionalFields).Manufacturer)), SerialNumber = tolower(tostring(todynamic(AdditionalFields).SerialNumber)), AdditionalFields, Timestamp   


- To do Advanced Hunting for USB drives' activities by MDE

  • Use Microsoft Defender for Endpoint \ Advanced hunting, run the query to detect activities of any USB flash disk's usage in your corporate environment. 
  • Detail steps are in the article "

    Advanced hunting updates: USB events, machine-level actions, and schema changes

    | where Timestamp > ago(1d)
    | where ActionType == "UsbDriveMount"
    | project USBMountTime = Timestamp, DeviceId, AdditionalFields
    | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
    | join (
    | where Timestamp > ago(1d)
    | where ActionType == "FileCreated"
    | where FileName endswith ".docx" or FileName endswith ".pptx"
    | parse FolderPath with DriveLetter '\\' *
    | extend DriveLetter = tostring(DriveLetter)
    on DeviceId, DriveLetter
    | where (Timestamp - USBMountTime) between (0min .. 15min)
    | summarize DistinctFilesCopied = dcount(SHA1), Events=makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
    | where DistinctFilesCopied > 1
    | mv-expand Events
    | extend Timestamp = todatetime(Events.Timestamp), FileName = Events.FileName, AccountName = Events.AccountName, ReportId = tolong(Events.ReportId), AdditionalDriveProperties = Events.AdditionalDriveProperties
  • Make further investigation and response on suspicious USB activity. 
    For Thunderbolt Device included disk driveEnable Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection and blocking DMA until a user signs in. 

Again, you could use the  “Query for Mounted Storage that isn’t approved” of Paul Bergson.  

To view another report example, please refer to the Techblog article Advanced hunting updates: USB events, machine-level actions, and schema changes - Microsoft Tech Com... written by Daniel Naim. 


USB Control for Mac OS: 

According to the Program Team of Microsoft, MEM Endpoint Protection configuration profile to manage USB drive on Mac OS will be available in the future, “It’s in the roadmap. “ 



  • legitimate device is incorrectly blocked 


You may find that USB devices that match the allowed device classes are incorrectly blocked. For example, a camera is blocked although the Multimedia class GUID {4d36e96c-e325-11ce-bfc1-08002be10318} was specified in the Allow installation of devices using drivers that match these device setup classes setting.  






           To fix this issue, follow these steps:  

              - On the Windows 10 device, open the %windir%\inf\ file.  

              - Look for Restricted installation of devices not described by policy in the file,

              - Locate a line that reads Class GUID of device changed to: {GUID} within the same device                       install section.  

In the following example, locate the line that reads Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.  



-  In the device configuration profile, add the class GUID to the Allow installation of devices using drivers that match these device setup classes setting.  

-  If the issue persists, repeat steps 1 to 3 to add the additional class GUIDs until the device can be installed.  

In the example, the following class GUIDs have to be added to the device profile:  

-  {36fc9e60-c465-11cf-8056-444553540000}: USB Bus devices (hubs and host controllers)  

-  {745a17a0-74d3-11d0-b6fe-00a0c90f57da}: Human Interface Devices (HID) 

-  {ca3e7ab9-b4c3-4ae6-8251-579ef933890f}: Camera devices  

-  {6bdd1fc6-810f-11d0-bec7-08002be2092f}: Imaging devices 


  • Could not format a Bitlocker USB drive:  

Once Bitlocker Encrypted the drive and you want to reuse the drive for different purpose without knowing the protected password or the bitlocker recovery password, you have to firstly, clear the write protected attribute using diskpart command as shown here: 



Then, you could format USB as usual.  

In some situation, diskpart command could not clear the attribute, you will get the following warning when you clean the drive: 



If you try to format the USB drive by GUI in File explorer, you still get the warning: 



  • You have to create (if it is not existed) or configure value for the Write Protected Key in Registry, 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies > 

WriteProtect. (DWORD), 

Value: 0  (disabled)  

  • unplug and replug the drive again and do the above dispart command againmore detail is here.   

 Bitlocker Policy error and solutions 

Open Event Viewer and review the following logs under Applications and Services logs\Microsoft\Windows: 

  • Microsoft-Windows-BitLocker-API/BitLocker Operational 
  • Microsoft-Windows-BitLocker-API/BitLocker Management 
  • Microsoft-Windows-BitLocker-DrivePreparationTool/Operational 
  • Microsoft-Windows-BitLocker-DrivePreparationTool/Admin 

More detail: Guidelines for troubleshooting BitLocker - Microsoft 365 Security | Microsoft Docs  




Event ID 846, 778, and 851: Error 0x80072f9a when User encrypts drives on windows 10 version 1809 


install the May 21, 2019 update 

Error message: Conflicting Group Policy settings for recovery options  


Review your BitLocker policy configuration. 

Access denied when User try to encrypt USB drive 

Run BDE Svc command to reset security descriptor of the BitLocker Drive Encryption service (BDESvc) 


Thanks for reading. 

Until next time. 







The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. 


Version history
Last update:
‎Mar 05 2021 08:46 AM
Updated by: