Test Intune policy applies to device, but has no effect.

Ben Woychowsky 0 Reputation points
Oct 7, 2024, 1:25 PM

Hello.

I have a hybrid AD/Entra environment for a small business and I'm trying to block all USB storage other than approved devices. However, before getting to testing that, I tried testing just blocking all USB devices on one computer using an Intune policy. This was just to ensure I understood how to make and implement an Intune policy. However, while it says that the policy has been applied to that device in the Intune Admin Center, I can use any USB storage on the device without issue.

What was tried: a policy was created under Attack Surface Reduction that enabled "WPD Devices: Deny read access" and "WPD Devices: Deny write access." To my understanding, this should deny read and write access for any removable disks/storage. The policy was targeted at a single device.

My questions:

1. What licenses are needed for the Intune policy to work? We only have 3 Intune licenses (but far more users, ~70). I am one of the license holders.

2. What permissions are needed?

3. Should the policy be targeted at a user rather than a device?

4. What is the best information to identify USB storage devices for the eventual whitelist?


1 answer

  1. ZhoumingDuan-MSFT 14,870 Reputation points Microsoft Vendor
    Oct 8, 2024, 2:49 AM

    @Ben Woychowsky, Thanks for posting in Q&A.

    Q1. What licenses are needed for the Intune policy to work?

    A1. For Intune policy to work, it needs Microsoft Intune Plan 1, which is included in the licenses listed at the link below.

    https://video2.skills-academy.com/en-us/mem/intune/fundamentals/licenses#microsoft-intune

    Q2. What permissions are needed?

    A2. For Intune policy to work, please be sure the user has been assigned the Intune license mentioned in A1. Once you have assigned the policy and the user has been assigned a license, it can work properly.

    Q3. Should the policy be targeted at a user rather than a device?

    A3. The policy should be targeted at a device.

    Q4. What is the best information to identify USB storage devices for the eventual whitelist?

    A4. You can try to restrict USB devices and allow specific USB devices using Administrative Templates.

    https://video2.skills-academy.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb

    Or you can refer to the link below.

    https://www.thewindowsclub.com/how-to-prevent-installation-of-removable-devices-on-windows-10

    Note: Non-Microsoft link, just for the reference.

    Hope the above information is helpful. If there is any update, feel free to let me know.

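
For Q4, and for checking what actually reached the test device, an added example that is not part of the original answer: the PowerShell below reports which removable-storage device classes carry deny values in the local policy registry, then lists the instance and hardware IDs of USB storage devices the machine has seen, which are the values a device-installation allow list matches on. The function names are hypothetical, and it is an assumption that the Intune-delivered setting is written to this policy key on your Windows build.

```powershell
# Added example, not from the thread. Run in an elevated session on the test device.

# Policy location for the Removable Storage Access settings.
# Assumption: the Intune-delivered setting is written here on this build.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs for two of the categories stored under that key.
$classNames = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD devices'
}

# Which device classes have Deny_Read / Deny_Write set on this machine?
function Get-RemovableStoragePolicy {
    if (-not (Test-Path $policyRoot)) { return @() }   # no policy key present
    Get-ChildItem $policyRoot | ForEach-Object {
        $guid = $_.PSChildName
        $p    = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Class     = if ($classNames.ContainsKey($guid)) { $classNames[$guid] } else { $guid }
            DenyRead  = $p.Deny_Read     # 1 = deny, empty = not configured
            DenyWrite = $p.Deny_Write
        }
    }
}

# Identifiers of USB mass-storage devices this machine has seen (present or not).
function Get-UsbStorageIdentifier {
    Get-PnpDevice -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hw = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds' `
                    -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Present      = $_.Present
                InstanceId   = $_.InstanceId      # per-unit when the device reports a serial
                HardwareIds  = $hw -join '; '     # listed most specific first
            }
        }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
Get-UsbStorageIdentifier   | Format-List
```

An empty first table means no deny value is present under that key, which points to the policy not having been written locally rather than being written and ignored.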

