Microsoft Endpoint Manager - Block Removable Storage


In this article I will show you the steps to block removable storage using Microsoft Endpoint Manager. There are two options available: you can either restrict or block access to USB drives using a Device Control profile in Endpoint Manager. By creating an Endpoint Security Device Control profile, you can define the settings that block USB device access.

Why should you block removable storage?

USB devices are portable and easy to connect to a device, which makes them a real security threat. To prevent malware infections, data loss or other security-related problems, you may want to block certain USB devices.

Steps to take to block Removable Storage using MEM

The first step is to create an Endpoint Security Device Control profile to block removable storage:

1.) Go to the MEM Admin Center

2.) Select Endpoint Security

3.) Attack Surface Reduction

4.) Create Policy


In the "Create a profile" window, select "Windows 10 and later" as the platform and select "Device Control" for the Profile option. Click "Create".


On the Basic tab you can specify the name of the profile. You can also enter a description, so that it is clear to other administrators what the profile is for. Click "Next".


The Configuration Settings tab is the most important section: this is where you define the settings that block access to removable storage, in this case USB devices. Find the option "Block removable storage" and choose "Yes". The policy will then block the use of removable storage on the devices. Click "Next".


You can select scope tags in the Scope tags section. For this article I do not use scope tags. Click "Next".


On the Assignments tab, click "Add groups" and select the group to which you want to deploy the policy. In my case I have created a group "All Users" which contains all devices from all users. You can of course also add an excluded group. In my case I added the group "Exclude_Admins" so that the administrators are not offered this policy. The devices of all users who are members of the included group will have removable storage blocked. Click "Next".


On the "Review + Create" page you can review all the settings. Click "Create" to create the policy.


A notification should appear confirming that the profile has been created.


Once the policy has applied successfully to all devices, a user who connects removable storage to their device will get a warning:

Location is not available. The drive letter is not accessible. Access is denied.
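To confirm the result on a managed Windows endpoint without relying on the Explorer dialog, the following check lists USB-attached volumes and reports whether reading them is denied. It is an added example, not part of the original article; the function name `Test-RemovableStorageBlocked` is hypothetical, and it assumes a test USB drive is inserted when it runs.

```powershell
# Added example (hypothetical helper, not from the original article).
# Reports, per USB-attached volume, whether read access is denied.
function Test-RemovableStorageBlocked {
    [CmdletBinding()]
    param()

    # USB-attached disks that currently have a drive letter assigned.
    $partitions = Get-Disk |
        Where-Object { $_.BusType -eq 'USB' } |
        Get-Partition |
        Where-Object { $_.DriveLetter }

    if (-not $partitions) {
        Write-Warning 'No USB disk with a drive letter found. Insert a test drive and run again.'
        return
    }

    foreach ($p in $partitions) {
        $root = "$($p.DriveLetter):\"
        try {
            # Listing the root requires read access to the volume.
            Get-ChildItem -LiteralPath $root -Force -ErrorAction Stop | Out-Null
            $status = 'Accessible'   # policy not applied, or device is in the excluded group
        }
        catch [System.UnauthorizedAccessException] {
            $status = 'Blocked'      # corresponds to the "Access is denied" warning
        }
        catch {
            # Anything else (drive removed mid-check, unformatted volume, ...)
            $status = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Drive      = $root
            DiskNumber = $p.DiskNumber
            Status     = $status
        }
    }
}

Test-RemovableStorageBlocked | Format-Table -AutoSize
```

A device in the included group should report `Blocked`; a device whose user is in "Exclude_Admins" should report `Accessible`.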




Chris Downs

Data Engineer at Pricecheck | International Brand Partners

3 years

Hi Rene, Thanks for the useful post! Is it possible to block all USB's, except ones you want to allow for specific users? I.e. if you had a marketing team who needed to extract photos from a memory stick but you wanted to block USB's company wide using the instructions above.
