This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 65%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hello,
I am trying to create scenario where I set a Hyper-v VM and a DC, to test if I can block USB & Bluetooth in a reasonable way.
I know enhanced session can pass your devices to guest machine...but I am not sure if it is a valid way to test it so I need to understand this in the first place.
Generally, what I try to achieve as my end goal is to:
I'm pretty new to it so I've spinned a trial of Intune + Defender for endpoint, connected the VM to Intune and connected Defender with Intune. Now the settings seem to either be not working, or the Hyper-V is unable to show me real results as this is just a VM, but configuration seems to be applied properly, nothing happens though.
I've tried to start with something simple like - kill Bluetooth and USB to see if it will work at all, but nothing happened.
My setting was: Endpoint Manager>Endpoint security>Attack Surface Reduction>Removable Media
and I've blocked everthing under Connectivity and Bluetooth
Any hint how to make this work, or a working configuration? Also is that Hyper-V even able to give me results I am looking for or I need to get a physical laptop for that?
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Heimdallr, Thanks for posting in Q&A.
For the Hyper-v VM, based on my researching, I didn't find the bluetooth can share with the VM. For USB devices, it can only share in RDP/Enhanced session. To double confirm on this, you can contact Hyper-V support.
To test on the policy, I think it is better to find one physical machine. For your questions, here are my answers for your reference:
Q1: Create a policy that will block all USB usage, but this also raised another question - How to give USB access to certain people? for example service desk, and only to them, while block it for rest.
A1: You can try the "Excluded groups" and select the service desk grou to exclude fromt he policy.
https://video2.skills-academy.com/en-us/mem/intune/configuration/device-profile-assign
Q2: Make sure that bluetooth will allow ONLY day to day devices like headset, mouse - No type of storage or anything that could mess with the system.
A2: You can check if "Bluetooth allowed services" can meet your request.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
That should do, thanks a lot!
Will test these out as soon as I'll get a physical device
@Heimdallr, Thanks for the reply. I am glad the information can help. If there's anything we can help in the later days, feel free to post in our Q&A. We will try our best to help.
Thanks for your time and have a nice day!