configuration profile
4 Topics

Intune USB removable storage block - side effect on remote USB sharing devices
Hi everyone! We have some constraints compliance-wise to block removable USB storage. Basically, have any of you faced this, and how did you tackle this?

For reference, we enforced the block policy by creating an Intune (no GPO) configuration profile this way for Windows 10 devices:

Device configuration profile > Configuration settings > General > Removable storage > Block

There are some side effects on this, as for the hardware USB devices that are onboarding some drivers, those will be blocked. We saw this for some devices regarding remote screen sharing devices. We tried allowing those devices this way with the following policy:

Device configuration profile > Administrative Templates > System > Device Installation > Device Installation Restrictions > Allowed device IDs: "<List of hardware IDs>"; Allow installation of devices that match any of these device IDs: "Enabled"

But we are still having issues right now.

Overall, there seem to be multiple ways to block removable storage USBs on Intune - not always super clear what the pros/cons are for each of them. Does the one currently implemented allow whitelisting specific devices? And what is your feedback on this if you are currently implementing this / already worked on this topic?

Thank you!

77 Views, 0 likes, 1 Comment

exclude non Wi-Fi enabled devices for Wi-Fi Configuration Profile
Hi everyone,

We have a WiFi Configuration Profile in Intune that applies to all company users. The problem is now that the profile tries to apply these WiFi settings to devices which don't have WiFi capability, and Intune throws errors back on these devices.

My idea is now to create a group or a script which checks the device for the presence of a WiFi MAC. When the device has a WiFi MAC, the profile gets applied.

Does anyone have an idea about how I can achieve this? Or what are your solutions for this scenario?

Thanks for every reply 🙂

Solved, 3.8K Views, 0 likes, 7 Comments

Creating ADMX backed Configuration policies
I am trying to figure out how to create an ADMX backed Config Profile in Intune to disable the weather and stock information that is now sent to the Windows 11 lock screen, but I cannot get it to work.

According to this post, I should use the https://learn.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#disablelockscreenappnotifications CSP. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#disablelockscreenappnotifications describes the CSP configuration and, as it is an ADMX backed policy, it requires SyncML format to configure.

Between https://learn.microsoft.com/en-us/windows/client-management/understanding-admx-backed-policies#enabling-a-policy and https://learn.microsoft.com/en-us/windows/client-management/enable-admx-backed-policies-in-mdm, I created a custom Config Profile like below:

Name: Disable App Notifications
Description: Blank
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications
Data Type: String
Value:

    <SyncML xmlns="SYNCML:SYNCML1.2">
      <SyncBody>
        <Replace>
          <CmdID>2</CmdID>
          <Item>
            <Meta>
              <Format>chr</Format>
              <Type>text/plain</Type>
            </Meta>
            <Target>
              <LocURI>./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications</LocURI>
            </Target>
            <Data><Enabled/></Data>
          </Item>
        </Replace>
        <Final/>
      </SyncBody>
    </SyncML>

I've deployed it to my user account first and, after it failed, I deployed it to my device, where it also failed. The event log shows this error in both cases.

Can anyone please help tell me where I am going wrong? Thanks in advance

493 Views, 0 likes, 0 Comments

Shared PC Account Model set to Guest allows more than Guest to logon
The SharedPC CSP (https://learn.microsoft.com/en-us/windows/client-management/mdm/sharedpc-csp) says the AccountModel setting "Configures which type of accounts are allowed to use the PC" and value 0 is only guest, with description "Only guest accounts are allowed."

When you configure that setting to 0 as described, the Guest option appears at the logon screen, but Other User is still the primary option shown and will accept domain credentials and log on, which does not match the documentation. I want only the guest option to be available at the logon screen.

If this behavior is the intended behavior and the documentation is wrong, I don't understand why there is also option 2 for that setting, which says "Domain-joined and guest accounts are allowed." At present, options 0 and 2 behave the same.

993 Views, 0 likes, 0 Comments