Managing end user device security settings is an integral part of an organization's overall cybersecurity. Microsoft 365 Intune provides technical tools to block end users from installing unwanted USB devices on their PCs.

The Microsoft Intune configuration policies include various settings and configuration features that can either be enabled or disabled on client devices. Microsoft allows IT admins to create profiles that target different types of devices. These include iOS/iPadOS, Android, Android Enterprise, and Windows. Once an administrator creates a policy, it can be assigned to the respective device.

The Intune configuration policies include several built-in templates for common use cases, so you can quickly apply specific settings to the target device. Below, you can see the templates available by default in the Intune configuration profiles.

Viewing Intune device configuration profile templates

Manage security settings with Intune

Let's look at a few scenarios for managing security settings with Intune. These include the following:

  • Block USB and removable storage
  • Implement a Windows security baseline
  • Create a compliance policy

All three have similar workflows for creation and configuration, including setting up profiles and applying them to specific devices.

Block USB and removable storage

A common task for administrators to help bolster the security of end user devices is controlling and blocking USB and other removable storage. Navigate to the Devices > Configuration profiles blade. Click Create profile.

Create a new configuration profile

Next, create a profile. This includes selecting the operating system you are targeting, a profile type, and the template name you want to include. Click Create.

Select the platform profile type and template name

The Create profile wizard launches. The first step is naming the profile.

Name the configuration profile

Next, on the Configuration settings screen, search for the term "prevent installation of devices" to find the setting Prevent installation of devices not described by other policy settings. Select this configuration setting.

Find the configuration policy setting to block USB and other devices

Once you click this configuration setting, click Enabled on the Settings blade.

Enable the policy setting to prevent the installation of devices

Using scope tags, you can specify a more granular application for the device policy.

Define any scope tags

On the Assignments screen, you can add your specific groups for scoping the policy. For example, here I am assigning the policy to the Windows10Computers group.

Assign groups to the configuration policy

Finally, on the Review + create screen, click Create.

Review and create the configuration policy

The Configuration profiles screen now shows the newly created configuration profile.

Block USB configuration policy created successfully

The Intune configuration profiles are an effective way to disable access to removable drives, including USB disks. If organizations need to allow specific devices, admins can also add the GUIDs of the device classes that need to be allowed. Microsoft publishes a list of GUIDs for specific device classes. Add the GUIDs of the device classes you want to allow in the policy setting Allow installation of devices using drivers that match these device setup classes.
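
To confirm on a client that the profile has taken effect, the following read-only PowerShell check can be run in an elevated session. It is an added example, not part of the original article; it assumes the Intune settings land in the same registry location as their Group Policy equivalents, and the function name Get-DeviceInstallRestriction is hypothetical.

```powershell
# Added example: read-only check of the device installation restriction policy.
# Assumption: the Intune settings are written to the registry key used by the
# Group Policy equivalents of the two settings discussed above.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestriction {
    [CmdletBinding()]
    param([string]$Path = $restrictions)

    # No key at all means neither setting has reached this device.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            PolicyPresent     = $false
            DenyUnspecified   = $false
            AllowListEnabled  = $false
            AllowedClassGuids = @()
        }
    }

    $values = Get-ItemProperty -Path $Path

    # The allow list is stored as numbered string values in a subkey.
    $allowKey = Join-Path -Path $Path -ChildPath 'AllowDeviceClasses'
    $guids = @()
    if (Test-Path -Path $allowKey) {
        $key = Get-Item -Path $allowKey
        $guids = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{
        PolicyPresent     = $true
        DenyUnspecified   = ($values.DenyUnspecified -eq 1)     # "Prevent installation of devices not described..."
        AllowListEnabled  = ($values.AllowDeviceClasses -eq 1)  # "Allow installation of devices using drivers..."
        AllowedClassGuids = $guids
    }
}

$state = Get-DeviceInstallRestriction
$state | Format-List

if (-not $state.DenyUnspecified) {
    Write-Warning 'The prevent-installation setting is not in effect on this device.'
}
elseif ($state.AllowListEnabled -and $state.AllowedClassGuids.Count -eq 0) {
    Write-Warning 'The allow list is enabled but contains no device setup class GUIDs.'
}
```

Compare the GUIDs reported in AllowedClassGuids with the ones entered in the profile; a mismatch usually means the device has not yet synced the latest version of the policy.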

Conclusion

Microsoft Intune can be used to block the installation of unapproved devices on Windows PCs if they are joined to Azure AD, either directly or via a hybrid environment. The tool utilizes profiles for this purpose. They are very easy to use, and they offer similar options to the corresponding settings in Group Policy.

© 4sysops 2006 - 2021
