I was recently working on an assignment to manage windows 10 devices using Microsoft Intune.
One of the ask is to Block the write access to the mobile storage devices when the user plugs into the windows device and
Allow write access to the removal data drives (thumb drives) if they are bitlocker protected.
I started looking into the intune device configuration policy to find the relevant settings.
1. Block the write access to the mobile storage devices on windows device
To block write access to mobile storage, I have found 2 settings under the device restriction, in general tab, which are removable storage and USB connection.
Configuring both settings to block didn't help me.
Next, reading through the policy CSP in the Microsoft documentation, I have found a few policy settings. Reading through the article Policy CSP - ADMX_RemovableStorage - Windows Client Management | Microsoft Learn found a setting that matches the requirement.
This setting is available as part of the settings catalog.
ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
Let's create the device configuration policy using the settings catalog and assign to the users/device group. I prefer to use a user group rather device in this case.
In the Endpoint Manager portal, windows, device configuration profile, create a new profile Windows - Microsoft Endpoint Manager admin center
Create a new profile and choose settings catalog for profile type
Name the policy and provide some description
In the configuration settings, click on add settings
In the settings picker, search with WPDDevices_DenyWrite, double click on category displayed in the search
Select WPD Devices: Deny write access and enable the button.
Click on next for scope tags if any.
In the assignment, select the group, you can choose a user group or device group depending on your requirement. Note that, the setting is scoped to the device.
Once the policy is deployed, and received by the device, user can no longer write the data to the mobile storage however the mobile charging will continue to function.
The 2nd request is Allow write access to the removal data drives (thumb drives) only if they are bitlocker protected.
This request can be achieved with the help of endpoint protection or catalog settings just like what we did above.
Again, Go to Endpoint Manager, windows, configuration profiles, and create profile Create a profile - Microsoft Endpoint Manager admin center
Profile type templates and choose Endpoint Protection
Give it a name and description
Under windows encryption, look for BitLocker removable data-drive settings, select Block
Click next for scope tags if any
In the assignment, select the user or device group, click next to review and create the profile.
Once the policy is evaluated by the device successfully, the user will be prompted to enable the bitlocker on the removable drive before the data is copied.
User has the flexibility to store the bitlocker key on the device or print it etc.
I hope you find the article useful.
References:
Policy CSP - ADMX_RemovableStorage - Windows Client Management | Microsoft Learn