Block mobile phones when connected to a device as Removable Storage

Josep Marzo 20 Reputation points
2024-05-22T13:21:53.0233333+00:00

Hi all,

I'm trying to block all USB removable media connected to my company's laptops to avoid security breaches. I'm able to block USB pendrives and external hard drives, but if I connect a mobile phone (Android) to a laptop and set the connection to "File Transfer" or "PTP connection", I'm able to copy files from/to the mobile phone's storage. For the block, I've created a Configuration Profile in Intune only for Windows devices for now, but I'd also want to block macOS devices.

One of the differences between both types of device connection is that when I connect a USB pendrive or external HD, it creates a new drive and assigns a drive letter, but this doesn't happen with mobile phones.

If I run a KQL query, I see that an external USB drive creates a "UsbDriveMounted" record in the "DeviceEvents" table, but this doesn't happen when connecting a mobile phone. In this case, I get a "PnpDeviceConnected" record. The problem with that last record type is that I get it when connecting any USB device. There's a field in the record called "ClassName" in "AdditionalFields" which identifies mobile phones as "WPD", but I'm not sure yet if this "WPD" identifies only mobile phones or other kinds of USB devices as well.

Am I taking the correct approach for this, or is there any other easier way of blocking those kinds of devices? I've only been able to test with an Android device, but I'd also like to block iOS devices.

Thanks in advance for your help.


2 answers

  1. Josep Marzo 20 Reputation points
    2024-05-22T15:23:18.98+00:00

    I guess I solved it.


  2. ZhoumingDuan-MSFT 10,580 Reputation points Microsoft Vendor
    2024-05-23T05:37:39.6733333+00:00

    @Josep Marzo, Thanks for posting in Q&A.

    Based on my research, we can create a device control policy for mac to block all USB devices.

    Here are some links you can refer to.

    https://video2.skills-academy.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide

    https://github.com/MicrosoftDocs/microsoft-365-docs/blob/8f06eeece74af5c98ab0b453d821ed0b0161f998/microsoft-365/security/defender-endpoint/mac-device-control-intune.md

    Non-official, just for reference.

    https://video2.skills-academy.com/en-us/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide

    Moreover, if you want to block mobile phones when connected to device, we can configure WPD Devices: Deny read access and WPD Devices: Deny write access settings in Intune policy, which will block phones, media players, auxiliary displays, and CE devices.

    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemovableStorageAccess::WPDDevices_DenyRead_Access_1


    Non-official, just for reference.

    Hope above information can help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
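As an added example that is not part of either answer above: the WPD deny policies described in the second answer can be verified on an endpoint with a short PowerShell script. It lists what Windows actually enumerates in the WPD setup class (which answers the question of whether "WPD" covers only phones), reads back the Deny_Read / Deny_Write values the policy sets, and can write them for a lab test. The registry root and the two device-class GUIDs are assumed from the ADMX reference linked above, and the function names are my own; run it in an elevated PowerShell 5.1+ session on Windows.

```powershell
# Added example, not code from the thread. Inventory local WPD-class devices and
# inspect or apply the "WPD Devices: Deny read/write access" policy values.
# Assumption: the policy maps to Deny_Read / Deny_Write DWORDs under the two
# device-setup class GUIDs below (taken from the ADMX reference for the policy).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Setup class GUIDs the WPD policy writes to (assumed from the ADMX reference).
$WpdPolicyClasses = @(
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
)

function Get-WpdDevice {
    # Every device Windows has ever enumerated in the WPD setup class, present or not.
    # Phones in MTP ("File Transfer") or PTP mode land here, but so do media players
    # and some cameras, so this shows what the policy will actually cover on the host.
    Get-PnpDevice -Class WPD -ErrorAction SilentlyContinue |
        Select-Object Status, FriendlyName, InstanceId
}

function Get-WpdPolicyState {
    # One object per policy class GUID; 1 = access denied, 0 = value missing or not set.
    foreach ($guid in $WpdPolicyClasses) {
        $key   = Join-Path $PolicyRoot $guid
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ClassGuid = $guid
            DenyRead  = [int]($props.Deny_Read  -eq 1)
            DenyWrite = [int]($props.Deny_Write -eq 1)
        }
    }
}

function Set-WpdPolicy {
    # Writes the same values a GPO/Intune policy would. Lab use only: in production
    # let the Intune profile own these keys so they are not reverted on next sync.
    param([switch]$DenyRead, [switch]$DenyWrite)
    foreach ($guid in $WpdPolicyClasses) {
        $key = Join-Path $PolicyRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Deny_Read  -Type DWord -Value ([int]$DenyRead.IsPresent)
        Set-ItemProperty -Path $key -Name Deny_Write -Type DWord -Value ([int]$DenyWrite.IsPresent)
    }
}

# Usage: inventory first, then check the current policy state.
Get-WpdDevice      | Format-Table -AutoSize
Get-WpdPolicyState | Format-Table -AutoSize
# Set-WpdPolicy -DenyRead -DenyWrite   # then unplug/replug the phone and retry a copy
```

The device listing is the practical check for the "is WPD only phones?" question: anything that shows up under the WPD class will be blocked by the same policy, so review that list before rolling the setting out. The policy takes effect for devices connected after it is applied, so re-plug the phone when testing.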