Intune manage write access to mobile storage and removable data drives

I was recently working on an assignment to manage windows 10 devices using Microsoft Intune.

One of the ask is to Block the write access to the mobile storage devices when the user plugs into the windows device and

Allow write access to the removal data drives (thumb drives) if they are bitlocker protected.

I started looking into the intune device configuration policy to find the relevant settings.

1. Block the write access to the mobile storage devices on windows device

To block write access to mobile storage, I have found 2 settings under the device restriction, in general tab, which are removable storage and USB connection.

Configuring both settings to block didn't help me.

image

image

Next, reading through the policy CSP in the Microsoft documentation, I have found a few policy settings. Reading through the article Policy CSP - ADMX_RemovableStorage - Windows Client Management | Microsoft Learn found a setting that matches the requirement.

This setting is available as part of the settings catalog.

ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2

 

image

This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.

If you enable this policy setting, write access is denied to this removable storage class.

If you disable or don't configure this policy setting, write access is allowed to this removable storage class.

Let's create the device configuration policy using the settings catalog and assign to the users/device group. I prefer to use a user group rather device in this case.

In the Endpoint Manager portal, windows, device configuration profile, create a new profile Windows - Microsoft Endpoint Manager admin center

Create a new profile and choose settings catalog for profile type

image

Name the policy and provide some description

image

In the configuration settings, click on add settings

image

In the settings picker, search with WPDDevices_DenyWrite, double click on category displayed in the search

image

Select WPD Devices: Deny write access and enable the button.

image

Click on next for scope tags if any.

In the assignment, select the group, you can choose a user group or device group depending on your requirement. Note that, the setting is scoped to the device.

Once the policy is deployed, and received by the device, user can no longer write the data to the mobile storage however the mobile charging will continue to function.

The 2nd request is Allow write access to the removal data drives (thumb drives) only if they are bitlocker protected.

This request can be achieved with the help of endpoint protection or catalog settings just like what we did above.

Again, Go to Endpoint Manager, windows, configuration profiles, and create profile Create a profile - Microsoft Endpoint Manager admin center

Profile type templates and choose Endpoint Protection

image

Give it a name and description

image

Under windows encryption, look for BitLocker removable data-drive settings, select Block

image

Click next for scope tags if any

In the assignment, select the user or device group, click next to review and create the profile.

image

Once the policy is evaluated by the device successfully, the user will be prompted to enable the bitlocker on the removable drive before the data is copied.
User has the flexibility to store the bitlocker key on the device or print it etc.

I hope you find the article useful.

References:

Policy CSP - ADMX_RemovableStorage - Windows Client Management | Microsoft Learn

Leave a Reply