How to Disable USB ports using Microsoft Intune

Disabling USB ports using Microsoft Intune can be achieved by deploying configuration profiles or custom policies. Here’s a step-by-step guide to achieve this:

---

Scenario 1: Use Endpoint Security Settings

Microsoft Intune’s Endpoint Security configuration can block USB devices by controlling removable storage.

1. Sign in to Microsoft Intune:
   • Go to the Intune Admin Center https://endpoint.microsoft.com.
2. Navigate to Endpoint Security:
   • Go to Endpoint Security > Attack surface reduction.
3. Create a new policy:
   • Click + Create policy.
   • Select the platform as Windows 10 and later.
   • Select the profile as Device Control and click Create.
4. Configure Device Control:
   • Under Removable storage access, configure the following:
     • Block USB devices: Set to Block.
     • Allow USB devices that are encrypted: Optional (if you want to allow encrypted devices).
     • Audit only: Leave this disabled unless you want to monitor usage instead of blocking.
5. Assign the policy:
   • Assign the policy to the desired device or user groups.
   • Review and save the policy.
6. Monitor policy deployment:
   • Go to Monitor under Endpoint Security to ensure the policy is applied successfully.

---

Scenario 2: Use Configuration Profiles (Custom OMA-URI Policy)

If more granular control is required, you can use a custom OMA-URI setting to disable USB ports.

1. Create a Configuration Profile:
   • Go to Devices > Configuration profiles > + Create profile.
2. Select Platform and Profile Type:
   • Platform: Select Windows 10 and later.
   • Profile type: Select Custom.
3. Add OMA-URI Settings:
   • Click Add and configure the following:
     • Name: Disable USB Ports.
     • OMA-URI:

       ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
       

     • Data type: Integer.
     • Value: 1 (to block USB devices).
   • This setting prevents the installation of USB devices unless explicitly allowed by another policy.
4. Assign the Profile:
   • Assign the profile to the desired device groups.
   • Review and deploy the policy.

---

Scenario 3: Block USB via Defender for Endpoint (Advanced Integration)

If you use Microsoft Defender for Endpoint, you can enforce USB restrictions as part of attack surface reduction rules.

1. Sign in to Microsoft Defender Security Center:
   • Go to https://security.microsoft.com.
2. Create a device control policy:
   • Navigate to Settings > Endpoints > Device Control.
   • Configure the policy to block USB devices.
3. Integrate with Intune:
   • Ensure that Defender for Endpoint is integrated with Intune to deploy these policies.

---

Scenario 4: Deploy a PowerShell Script

For custom control, you can deploy a script via Intune to disable USB ports.

1. Write a PowerShell Script:
   • Example script to disable USB storage:

     Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4
     

     • Value 4 disables USB storage.
     • Value 3 enables USB storage.
2. Deploy the Script:
   • Go to Devices > Scripts > + Add.
   • Upload the PowerShell script.
   • Assign it to the desired device groups and deploy.

---

Verification

1. Check Policy Deployment:
   • Go to Devices > Monitor > Configuration Profiles or Scripts.
   • Ensure the deployment status shows as Succeeded.
2. Test USB Ports:
   • Insert a USB device on a managed device to confirm the port is disabled.

---

These methods provide various levels of control over USB ports. Depending on your needs (blocking storage, all devices, or allowing exceptions), you can choose the most suitable approach. Let me know if you need further assistance!