@all Who has successfully used ASR to block removable drives while still allowing several drives using their PID/VID identifier?

2 Replies

@effjaay We recently had a one-month-long ticket regarding this (with Intune, the Windows Engineering team and a lot more members from MS), and finally ended up using OMA-URI for blocking USB. Here are the settings:

  • From Devices > Windows > Configuration profiles
  • Create a new profile with Platform selected as "Windows 10 and later"
  • Profile type selected as "Templates", and then the template name "Custom"
  • Under OMA-URI settings, add the following settings:

    First entry - this is to allow specific USB devices:
    • Name: allow_usb
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • Data type: String
    • Value: <enabled/><Data id="DeviceInstall_IDs_Allow_List" value="1&#xF000;USBSTOR\DiskSMI_____USB_DISK________1100&#xF000;2&#xF000;USBSTOR\DiskVendorCoProductCode_____2.00&#xF000;3&#xF000;USBSTOR\CdRomImation_Slim_DVD____________"/>

      [The number 1 at the beginning of the value denotes the first device, number 2 the second device, and so on]

    Second entry - for accepting the layered block/allow policies:
    • Name: applied_layered
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
    • Value: <enabled/><data id="AllowDenyLayered" value="1"/>

    Third entry - block devices based on device classes:
    • Name: prevent_installation
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    • Data type: String
    • Value: <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e967-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e965-e325-11ce-bfc1-08002be10318}"/>

    Fourth entry - for blocking mobile devices but allowing USB charging:
    • Name: block_mobile
    • OMA-URI: ./Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice
    • Value: <enabled/><data id="Deny_Read" value="1"/>
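The two error-prone parts of the procedure above are getting the exact USBSTOR hardware IDs (friendly names will not match) and typing the numbered, `&#xF000;`-delimited allow-list value by hand. The following PowerShell is an added example, not code from the original thread or from Microsoft: it reads the hardware IDs of the USB storage devices currently attached to an endpoint, builds the `DeviceInstall_IDs_Allow_List` value string from them, and afterwards audits the local policy registry keys to confirm that the allow list, the class deny list and layering actually landed. The registry locations are the ones the Group Policy "Device Installation Restrictions" settings write to; the hardware IDs in the sample are constructed placeholders. Verify the key names on a reference machine before relying on the audit in a rollout.

```powershell
# Added example for building and verifying the Device Installation allow list.
# Not part of the original post; the hardware IDs in the usage section are placeholders.

function Get-UsbStorageHardwareId {
    # Lists hardware IDs of USB mass-storage devices present right now, so that the
    # allow list is populated with real USBSTOR\... strings rather than friendly names.
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USBSTOR\*' } | ForEach-Object {
        $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareIds  = @($ids)
        }
    }
}

function New-DeviceAllowListValue {
    # Produces the string to paste into the "Value" field of the allow_usb OMA-URI entry.
    # ADMX-backed list policies encode entries as  1<U+F000>ID1<U+F000>2<U+F000>ID2 ...,
    # written in the custom profile as the XML entity &#xF000;.
    param([Parameter(Mandatory)][string[]]$HardwareId)
    $parts = for ($i = 0; $i -lt $HardwareId.Count; $i++) {
        ($i + 1)          # 1-based index of the entry
        $HardwareId[$i]   # the ID itself
    }
    $list = $parts -join '&#xF000;'
    return "<enabled/><data id=`"DeviceInstall_IDs_Allow_List`" value=`"$list`"/>"
}

function Get-RegistryListValues {
    # Reads the numbered values ("1", "2", ...) stored under a policy list subkey.
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    return @($key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
}

function Test-DeviceInstallRestriction {
    # Audits what the DeviceInstallation CSP wrote locally once the Intune profile applied.
    # Assumption: these are the same keys the equivalent Group Policy settings use.
    param([string[]]$ExpectedAllowedId = @())
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) {
        Write-Warning "No Device Installation Restrictions policy is present on this machine"
        return $null
    }
    $root    = Get-ItemProperty -Path $base
    $allowed = Get-RegistryListValues -Path "$base\AllowDeviceIDs"
    $denied  = Get-RegistryListValues -Path "$base\DenyDeviceClasses"
    $missing = @($ExpectedAllowedId | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{
        AllowListEnabled      = [bool]$root.AllowDeviceIDs
        AllowedIds            = $allowed
        ClassDenyEnabled      = [bool]$root.DenyDeviceClasses
        ClassDenyRetroactive  = [bool]$root.DenyDeviceClassesRetroactive
        DeniedClasses         = $denied
        LayeringEnabled       = [bool]$root.AllowDenyLayered
        MissingExpectedIds    = $missing
        # Without layering, a class deny wins over an ID allow, so a drive on the
        # allow list would still be blocked; the audit flags that combination.
        LikelyLocksOutAllowed = ($denied.Count -gt 0 -and -not [bool]$root.AllowDenyLayered)
    }
}

# --- Usage (constructed placeholder IDs; replace with output from Get-UsbStorageHardwareId) ---
$approved = @(
    'USBSTOR\DiskVendorCoProductCode_____2.00',
    'USBSTOR\DiskSMI_____USB_DISK________1100'
)
New-DeviceAllowListValue -HardwareId $approved
# -> <enabled/><data id="DeviceInstall_IDs_Allow_List" value="1&#xF000;USBSTOR\DiskVendorCoProductCode_____2.00&#xF000;2&#xF000;USBSTOR\DiskSMI_____USB_DISK________1100"/>

Get-UsbStorageHardwareId | Format-List
Test-DeviceInstallRestriction -ExpectedAllowedId $approved | Format-List
```

Run `Get-UsbStorageHardwareId` on a machine with each approved drive plugged in and pick the most specific `USBSTOR\Disk...` entry from `HardwareIds` for the allow list. After the profile syncs, `Test-DeviceInstallRestriction` should report `LayeringEnabled` as true and an empty `MissingExpectedIds`; if `LikelyLocksOutAllowed` is true, the second entry (layering) has not applied yet and the class block will override the allow list.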