- Local password manager with Bitwarden unified - Mon, Feb 6 2023
- Prepare AD synchronization with Azure Active Directory using IdFix - Tue, Jan 31 2023
- Manage Windows security and optimization features with Microsoft’s free PC Manager - Mon, Jan 23 2023
The Microsoft Intune configuration policies include various settings and configuration features that can either be enabled or disabled on client devices. Microsoft allows IT admins to create profiles that target different types of devices. These include IOS/iPadOS, Android, Android Enterprise, and Windows. Once an administrator creates a policy, it can be assigned to the respective device.
Microsoft has included several built-in templates for various use cases to quickly apply specific settings to the target device in the Intune configuration policies. Below, you can see the various templates available by default in the Intune configuration profiles.
Viewing Intune device configuration profile templates
Manage security settings with Intune
Let's look at a few scenarios for managing security settings with Intune. These include the following:
- Block USB and removable storage
- Implement a Windows security baseline
- Create a compliance policy
All three have similar workflows for creation and configuration, including setting up profiles and applying them to specific devices.
Block USB and removable storage
A common task for administrators to help bolster the security of end user devices is controlling and blocking USB and other removable storage. Navigate to the Devices > Configuration profiles blade. Click Create profile.
Create a new configuration profile
Next, create a profile. This includes selecting the operating system you are targeting, a profile type, and the template name you want to include. Click Create.
Select the platform profile type and template name
The Create profile wizard launches. The first step is naming the profile.
Name the configuration profile
Next, on the Configuration settings screen, search for the term "prevent installation of devices" to find the setting Prevent installation of devices not described by other policy settings. Select this configuration setting.
Find the configuration policy setting to block USB and other devices
Once you click this configuration setting, click Enabled on the Settings blade.
Enable the policy setting to prevent the installation of devices
Using scope tags, you can specify a more granular application for the device policy.
Define any scope tags
On the Assignments screen, you can add your specific groups for scoping the policy. For example, here I am assigning the policy to the Windows10Computers group.
Assign groups to the configuration policy
Finally, on the Review + create screen, click Create.
Review and create the configuration policy
The Configuration profiles screen now shows the newly created configuration profile.
Block USB configuration policy created successfully
The Intune configuration profiles are an effective way to disable access to removable drives, including USB disks. If organizations need to allow specific devices, admins can also add the GUIDs of the device classes that need to be allowed. Microsoft publishes a list of GUIDs for specific device classes here. Add the GUIDs of the device classes you want to allow in the policy setting Allow installation of devices using drivers that match these device setup classes.
Subscribe to 4sysops newsletter!
Conclusion
Microsoft Intune can be used to block the installation of unapproved devices on Windows PCs if they are joined to Azure AD, either directly or via a hybrid environment. The tool utilizes profiles for this purpose. They are very easy to use, and they offer similar options to the corresponding settings in Group Policy.
