Intune - Prevent unlocking of USB & External Storage

Heimdallr 266 Reputation points
2023-02-06T14:01:45.5166667+00:00

Hi,

I was thinking about something - if you use Intune to lock External Storage and USB and either completely cut off some devices, or use a whitelist, that setting ventures into the Registry, which means that everyone in the environment who has Administrator access, like Helpdesk, can basically remove this policy locally from the machine and plug in a USB - is there a way to prevent that other than limiting Admin rights to a minimum?

I've figured out you can use MDE to run a query to see if someone plugged in a USB, but that can be too late.


Accepted answer
  1. JatinMakhija 971 Reputation points
    2023-02-07T10:47:19.6033333+00:00

    I have not tried it, but you could try changing the permissions on the USBSTOR registry key to read-only for all users, including administrators. That way no one would be able to edit this registry key.

    If you are looking to block USB drives using Microsoft Intune, you can follow the blog post below:

    https://techpress.net/block-usb-drives-with-exceptions-using-microsoft-intune/
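As an added example (not part of the accepted answer), this PowerShell script does what the answer describes: it breaks ACL inheritance on the USBSTOR service key, strips the explicit entries for BUILTIN\Administrators and puts back a single ReadKey entry, leaving the SYSTEM full-control entry in place so the Intune MDM client (which runs as SYSTEM) can still write there. It assumes the key exists (it does on stock Windows) and that it runs elevated, ideally as SYSTEM from an Intune PowerShell script; the key path and SID are the well-known ones, everything else is the example's own choice.

```powershell
# Added example (not from the thread): make the USBSTOR service key read-only for local admins.
# Assumptions: run elevated, ideally as SYSTEM via an Intune PowerShell script, so the SYSTEM
# full-control entry that stays on the key is what later policy refreshes use to write to it.
$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

# 1. Break inheritance from the parent Services key, keeping the inherited entries as explicit ones,
#    and commit that first so the copied entries become editable on the next Get-Acl.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keyPath -AclObject $acl

# 2. Drop every explicit entry for Administrators (matched by SID, so it works on localized builds)
#    and put back a single ReadKey entry that is inherited by subkeys.
$acl = Get-Acl -Path $keyPath
$adminRules = @($acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $adminSid
})
foreach ($rule in $adminRules) { [void]$acl.RemoveAccessRule($rule) }

$readOnly = [System.Security.AccessControl.RegistryAccessRule]::new(
    $adminSid,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readOnly)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Show the resulting DACL so the change can be verified on a test device.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

One caveat a practitioner will want: members of BUILTIN\Administrators hold SeTakeOwnershipPrivilege, so a determined local admin can take ownership of the key and rewrite the DACL. This raises the bar and stops casual `reg add` tampering, but it does not replace limiting who is a local administrator.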


1 additional answer

  1. Crystal-MSFT 45,656 Reputation points Microsoft Vendor
    2023-02-07T01:20:10.55+00:00

    @Heimdallr, thanks for posting in Q&A. Intune is a cloud service that helps manage devices by deploying policies. The policies it can deploy depend on the CSPs that Windows provides.

    After researching, I find that the method to block USB is via administrative templates, and the CSP also maps to ADMX.

    https://video2.skills-academy.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb

    https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-storage

    That means that on the Windows side, the block setting works on a registry key. In fact, Intune can only deploy policy settings to the device. If anyone who has permission wants to change the registry key, Intune cannot prevent it. But when the device syncs with Intune again, the policy setting will be applied again. Whether a user can change the registry key is determined by the permissions they have. Maybe you can see if there's any method from the permission side to help you control the user behavior.

    Hope it can help.


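The answer above makes the point that Intune can only re-apply the setting on the next sync, not stop a local admin from changing it in between. The practical complement is a detection script that reports drift as soon as it runs. The script below is an added example, not part of the answer: it is written in the shape Intune device scripts and Proactive Remediations expect (exit 0 when compliant, exit 1 when not) and checks the registry values the policy is expected to have written, plus whether a removable volume is mounted right now. The expected values (USBSTOR Start = 4 and RemovableStorageDevices Deny_All = 1) are assumptions that mirror the common "disable USB storage" configurations; confirm them on a known-good device with Get-ItemProperty before deploying.

```powershell
# Added example (not from the thread): Intune detection script for local tampering with the
# USB-storage block. Exit 1 = drift found (triggers remediation / shows as non-compliant),
# exit 0 = device matches the intended state.
# Assumption: the expected values below mirror what your deployed policy writes; verify them
# on a compliant device first, since Storage CSP and ADMX settings land in different keys.
$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR';               Name = 'Start';    Value = 4 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'; Name = 'Deny_All'; Value = 1 }
)

$findings = [System.Collections.Generic.List[string]]::new()

# Compare each expected registry value with what is actually on the device.
foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
    if ($null -eq $actual) {
        $findings.Add("$($e.Path)\$($e.Name) is missing (expected $($e.Value))")
    } elseif ($actual -ne $e.Value) {
        $findings.Add("$($e.Path)\$($e.Name) is $actual (expected $($e.Value))")
    }
}

# DriveType 2 = removable disk. If one is mounted, the block is not working regardless of the registry.
$removable = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue)
foreach ($d in $removable) {
    $findings.Add("removable volume mounted: $($d.DeviceID)")
}

if ($findings.Count -gt 0) {
    # Intune shows the first line of output in the device status, so keep it on one line.
    Write-Output ($findings -join '; ')
    exit 1
}
Write-Output 'compliant'
exit 0
```

The remediation half can simply re-create the expected values with Set-ItemProperty, or be omitted so that the next Intune sync restores them; the value of the detection script is that the change is reported when it happens rather than found later in an MDE hunting query.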