Windows 10: How to block USB Storage devices, but allow specific ones using Intune?

Hi,I'm trying to create a configuration profile with Intune that blocks USB Storage devices, but will allow specific ones based on the Device ID number or serial number. I've tried a number of links including the one below with no luck and the profile I create just blocks all the USB storage devices, even the one that I've specified not to block. Can anybody suggest something for me to try?https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-worldwide#deploying-and-managing-policy-via-intuneThanks,

:)

 

Block USB access, but allow only specific ones (in particular, one USB mass storage device)

In Windows 10 Pro, is there a way to block all USB devices, but allow specific ones?

In particular, I want to allow only one specific USB mass storage device - i.e. one specific vendor model, with a unique serial number.

This article claims that it's possible: Lockdown USB to Specific Removable USB Drives. However it was written in 2010 and the instructions don't seem to work on Windows 10: I couldn't change the permissions of the usbstor.inf file and the machine still mounts previously unseen models of USB sticks.

 

Block USB access, but allow only specific ones (in particular, one USB mass storage device)

Following @Ramhound's suggestion, I got it working using group policy.

The general direction is documented here: Security: Managing Hardware Restrictions via Group Policy | Microsoft Learn

In particular, the "Prevent installation of removable devices" rule is what I need.

So here's a summary of what I ended up doing:

1. In Device Manger, uninstall all USB devices that I don't want, including the ones that are currently not connected - there's an environment variable called DEVMGR_SHOW_NONPRESENT_DEVICES that enables the display of installed, but currently disconnected devices; just search the web for "DEVMGR_SHOW_NONPRESENT_DEVICES";
   
2. Install the USB device that I want; in this case, a USB mass storage device;
   
3. Enable the "Prevent installation of removable devices" rule in Group Policy.
   

Caveat emptor:

1. Group policy probably can't effectively block some devices that don't expose a unique serial ID. E.g if a certain vendor model of USB mass storage device doesn't expose a unique serial ID, and you have installed one, then group policy might allow any other instances of the same vendor model to be mounted. I don't have such a model of USB mass storage device with me, so I can't really verify.
   
2. As far as I understand, USB device IDs are not signed and thus cannot be verified - i.e. if a USB device claims to be a certain device, with a particular serial ID, there is no way for the computer to tell whether that's true. A bad guy could build a USB device with forged USB device ID and forged serial ID, in order to get it accepted by you computer, though even then.
   

With all that said, this solution works if you assume that all your devices expose unique serial IDs and that nobody tries to forge a USB device to get it accepted by your computer.

 

Block ALL Programs Except Allowed Ones

You can block programs using Windows Defender, for example (ignore the strange title):
Please Wait... | Cloudflare

E.g.