Hello everyone! Once we block USB access with Intune, how do we allow specific USB devices? That is what we will discuss in this post.
Before starting this process, make sure you are not already blocking USB drives from Intune. If you are, unassign that policy first, because this procedure blocks USB access as well.
Steps to Whitelist USB devices from Intune
1. Go to Devices > Configuration profile > Create profile
2. Under Platform select Windows 10 and later and under Profile type select Templates
3. Now select Administrative templates and click Create
4. Name your profile and click Next
5. Click on All settings and search for “Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria”. Select the Enabled radio button and click OK.
This setting lets us set up a hierarchical order of evaluation for the policy settings that specify device match criteria, which is
Device instance IDs > Device IDs > Device setup class > Removable devices
The more specific match wins, which is what lets an Allow on a device instance ID or setup class override the Prevent on removable devices that we configure next.
In my situation I am going to use the device instance ID because I am going to allow only a single USB device. If you have numerous devices of a similar kind, you can use setup classes instead: you input a single GUID for the removable-media class and all other devices of that class will be whitelisted. Keep in mind that a setup class covers every device in that class, not just the model you copied the GUID from, so it is far less restrictive than an instance ID.
6. Now search for “Prevent installation of removable devices”. Select the Enabled radio button and click OK.
This setting will block all USB storage devices.
7. Now it is time to add the exception.
NOTE: If you want to allow only a specific or small number of devices of different kinds, search for “Allow installation of devices that match any of these device instance IDs” and enable it.
If you want to allow a number of devices of a similar kind, search for “Allow installation of devices using drivers that match these device setup classes” and enable it.
Now it is time to gather the details from the USB device.
How to gather the Device Instance ID or setup class GUID
1. Plug in the USB device
2. Right-click on the USB device and click Properties
3. Click on Hardware and double-click your USB device
4. Click on Details and open the Property drop-down menu
5. If you are looking for the instance ID, select Device instance path.
If you are looking for the setup class, select Class Guid
6. Copy the value shown and paste it into the corresponding section of the policy in Intune.
Once you have pasted the value, let's continue the procedure to allow only authorized USB devices
8. Click OK, then click Next
9. If you use scope tags, select one. Otherwise click Next.
10. Assign the group you want. Once assigned, click Select
11. Click Next and click Create
12. Once created, sync the device manually, either from Intune or from the device.
To sync from the device, go to Settings > Accounts > Access work or school > click your Azure AD account > Sync
Check whether the policy shows Succeeded on the device. If it does, plug in a different USB drive and it will be blocked. Make sure not to test with the USB drive we gathered the instance ID/GUID from, since that one is allowed.
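As an added example (not from the original post), the PowerShell below gathers the same two values the Device Manager steps above find for every plugged-in USB drive and, after the sync in step 12, reads the resulting policy back to show which of those drives it will allow or block. It assumes the Administrative Template settings land under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, the registry location the equivalent Group Policy settings use.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on Windows 10/11.
# Assumes the Intune Administrative Template settings write to the Group Policy registry
# location HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions.

function Get-UsbStorageDeviceIds {
    # USBSTOR\DISK&... is the "Device instance path" Device Manager shows for a USB drive's
    # disk object; ClassGuid is the same value as the "Class Guid" property on the Details tab.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status,
            @{ Name = 'DeviceInstancePath'; Expression = { $_.InstanceId } },
            ClassGuid
}

function Get-PolicyValueList([string]$Path) {
    # The Allow/Prevent lists are stored as values named 1, 2, 3 ... under a subkey.
    $item = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

function Test-UsbAllowPolicy {
    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $restrictions)) {
        Write-Warning 'No device installation restriction policy present; the profile has not applied yet.'
        return
    }
    $deny     = (Get-ItemProperty -Path $restrictions).DenyRemovableDevices -eq 1
    $allowIds = Get-PolicyValueList "$restrictions\AllowInstanceIDs"
    $allowCls = Get-PolicyValueList "$restrictions\AllowDeviceClasses"

    foreach ($dev in Get-UsbStorageDeviceIds) {
        $byId  = $allowIds -contains $dev.DeviceInstancePath   # string compare, case-insensitive
        $byCls = $allowCls -contains $dev.ClassGuid
        [pscustomobject]@{
            Device          = $dev.FriendlyName
            InstanceId      = $dev.DeviceInstancePath
            RemovableDenied = $deny
            # With layered evaluation, an Allow on an instance ID or setup class beats the Prevent.
            ExpectedOutcome = $(if (-not $deny -or $byId -or $byCls) { 'Allowed' } else { 'Blocked' })
            AllowedBy       = $(if ($byId) { 'InstanceId' } elseif ($byCls) { 'SetupClass' } else { '' })
        }
    }
}

Get-UsbStorageDeviceIds | Format-Table -AutoSize
Test-UsbAllowPolicy     | Format-Table -AutoSize
```

The first table gives you the exact strings to paste into the Intune policy; the second, run after the sync, lets you confirm the whitelisted drive shows Allowed and any other drive shows Blocked before you test physically.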