Share via

USB Block - Attack Surface Reduction

Karthik Palani 60 Reputation points
2025-04-24T12:25:51.5433333+00:00

Hi All,

I am trying to block all removable storage connection from all users and allow only specific Instance ID to be allowed using Attack surface reduction policy as below. I waited almost 6 hours still its allowing all the removable disks. Is the below configuration correct or is there a way to allow only specific USB. Please suggest.

ASR.png

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
491 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Catherine Kyalo 1,155 Reputation points Microsoft Employee
    2025-04-25T08:46:34.26+00:00

    You can use Device Control to: Block All, Allow Some or Block Some:

    From my understanding, you request is to Allow Some: In this case, You will need to

    • Block all activities
    • Specify generic device IDs
    • Exclude the allowed devices
    • And Finally, Allow the specific activities.

    Refer - https://learn.microsoft.com/en-us/defender-endpoint/device-control-walkthroughs

    There can be several reasons why a policy may not work. The steps below will guide you to identify the root cause of the issue.

    Verify minimum requirements

    is the device E3 or E5 enrolled?

    Does the machine have a valid certificate? (If not, the device control policy may not reflect on the endpoint)

    • You can validate this by running the following Powershell command on the machine Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe
    • Check whether the client machine has the policy stored in the Registry
      • If deployed from Intune: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\Device Control\Policy
    • below key value must exist:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdDevFlt\Parameters\EnforcementData\PolicyPackage
      • If this value does not exist, it means there was a problem with retrieving the policy You can aslo Check Policy Application on Devices

    You can also check policy Application Using Intune:

    • Intune Admin Center:
      1. Go to Devices > All devices.
      2. Select a device and check the Device configuration status.
      3. Verify that the configuration profile with the device control policy is listed as Succeeded. If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.