Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,028 questions
DeviceControl Policy for USB block leads to rights / access problems when changing the user
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 6%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
Erik Niemann
0
Reputation points
Hello together!
We distribute a device control policy via Intune that is intended to prevent access to USB flashdrives, with maintenance of an exception list for certain USB devices. The policy is rolled out to the users. This means that the policy works initially and ends up on the client via sync via the company portal.
If I then change the user on the client with admin rights (these are not part of the assignment group for the policy), I then have full access to the USB device. If I then switch back to the normal user, this user has view rights to the usb drive, but cannot read, write or execute. Normally, however, an "Access Denied" is displayed when accessing the drive. The admin account seems to change a system-wide setting here, which then enables this "view" right for all users, regardless of the USB device. Does this have anything to do with the access level (device / file system)? How can I change this so that I have full access with the admin account and none at all with the normal user? Unfortunately, I am currently lacking any approach here and I cannot find anything useful to this topic.
Many thanks in advance for your ideas.
{count} votes
-
Miguel Gonçalves | AVANADE 811 Reputation points2024-06-11T13:35:08.8533333+00:00 Hi Erik,
My suggestion is that you can Use logs to troubleshoot:
- Check Intune logs for policy application details.
- Look for any errors or inconsistencies. USB device control involves a combination of policy settings, user context, and file system permissions. By carefully reviewing these aspects, you can ensure consistent behavior across user accounts.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 17%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
KMudassir 75 Reputation points Microsoft Employee2024-06-26T12:17:29.9933333+00:00 Hi Erik, could you kindly share the policy you've created for us to further investigate? Thanks!
Sign in to comment