Allowing Specific USB using Intune CSP

Brass Contributor

Dear All,


We have co-managed environment and blocked all removable drives, but we have some requirement to allow specific USB.

We have tried with following CSP url by using Device ID and device Class but there is no luck.


Let me know if anything missin

OMA-URI:- ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
DATA Type :- String
Value : <enabled/><Data id="DeviceInstall_Instance_IDs_Allow_List" value="1&#xF000;USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_GLIDE_3.0&REV_1.00\4C530000260327116325&0"/>

Allow USB- Per ClassID

OMA-URI :- ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
Data Type :- String
Value :- <enabled/><Data id="DeviceInstall_Classes_Allow_List" value="1&#xF000;{4d36e967-e325-11ce-bfc1-08002be10318}"/>

2 Replies



If I am understanding you correctly.... you configured a block policy AND an allow policy for specific USB devices?


I did a blog about this sometime ago maybe it helps you somehow


O Removable Storage, Where Art Thou? - Intune Device Control (



When you applied this policy was it to all users or all devices? We have a user based requirement to block all mass storage devices but we want to allow specific hardware devices. Microsoft is stating we need to scope the policy to devices and not users. I am wondering why the option is available for both if we need to target devices only.