Complete Tutorial: Block USB Drives with Microsoft Defender for Endpoint
- Hanna Korotka
- Jun 26
- 2 min read

Why you should Block USB Drives
A single thumb-drive can smuggle ransomware past every email filter and firewall. Microsoft Defender for Endpoint (MDE) lets you enforce Device Control policies that block or allow removable storage by hardware ID—no extra software, no extra cost. Deploy one Intune policy and unapproved media won’t mount, copy files, or run code.
Prerequisites
Windows 10/11 Pro or Enterprise
Microsoft 365 Business Premium or Defender for Business/E3/E5 (includes MDE)
Create and deploy the block policy
Intune admin center → Endpoint security > Attack surface reduction > Create policy
In the Platform list, select Windows 10, Windows 11, and Windows Server. (Device control is not currently supported on Windows Server, even though you select this profile for device control policies.)
In the Profile list, select Device Control.
On the Basics tab, specify a name and description for your policy.
On the Configuration settings tab, you see a list of settings. Scroll down to Storage and set Removable Disk Deny Write Access to Enabled.
Assignments – target a pilot group first; when you’re satisfied, switch to All devices.
Create the policy. Within an hour Windows will block any unapproved drive, and users will see an Access is denied message when they try to access a USB drive.
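To confirm on a pilot device that the setting actually landed before switching the assignment to All devices, here is an added PowerShell check; it is not from the original post. It assumes the Intune CSP records the setting under the PolicyManager registry key and that the matching ADMX policy writes Deny_Write under the RemovableStorageDevices key; both paths are my assumption, not stated in the post.

```powershell
# Added example: verify "Removable Disk Deny Write Access" on a pilot device.
# Run from an elevated PowerShell prompt after the device has synced with Intune.
# Registry locations are assumptions about where the Intune CSP and the
# ADMX-backed policy store this setting; adjust if your tenant differs.

$cspKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage'
$cspName = 'RemovableDiskDenyWriteAccess'
# Removable Disks device class GUID used by the RemovableStorageDevices policy
$admxKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskDenyWriteState {
    $result = [ordered]@{
        CspValue  = $null   # 1 = Enabled, matching the Intune setting in the post
        AdmxValue = $null   # Deny_Write = 1 means writes to removable disks are denied
        Enforced  = $false
    }
    if (Test-Path $cspKey) {
        $result.CspValue = (Get-ItemProperty -Path $cspKey -ErrorAction SilentlyContinue).$cspName
    }
    if (Test-Path $admxKey) {
        $result.AdmxValue = (Get-ItemProperty -Path $admxKey -ErrorAction SilentlyContinue).Deny_Write
    }
    $result.Enforced = ($result.CspValue -eq 1) -or ($result.AdmxValue -eq 1)
    return [pscustomobject]$result
}

function Test-RemovableDiskWriteBlocked {
    # Live check: try to create a small file on every mounted removable drive.
    # Once the policy applies, the write should fail with "Access is denied".
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $probe = Join-Path $d.DeviceID 'mde-devicecontrol-probe.txt'
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
            [pscustomobject]@{ Drive = $d.DeviceID; WriteBlocked = $false; Detail = 'write succeeded' }
        } catch {
            [pscustomobject]@{ Drive = $d.DeviceID; WriteBlocked = $true; Detail = $_.Exception.Message }
        }
    }
}

Get-RemovableDiskDenyWriteState
Test-RemovableDiskWriteBlocked
```

If Enforced is false an hour after assignment, trigger a sync from Settings > Accounts > Access work or school before assuming the policy is wrong.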
Notify users
Send a short announcement: “Unapproved USB storage is now blocked for security. If you need a drive for work, request approval from IT”.
Outcome
With a single Intune policy you’ve used Microsoft Defender to block USB drives, closing a classic ransomware and data-leak pathway — no added licences or agents required.
How PlexHosted can help
PlexHosted custom-fits Microsoft security settings—like Device Control—to your environment and deploys them through Intune for you. Book a 30-minute call to learn more.