In this Microsoft Intune post, You will learn how to whitelist USB devices on Windows using Intune.
With Microsoft Intune, we can block read and write access to USB ports and prevent users from using USB.
The problem starts when we also want to allow some USB devices and specific USB hardware to be used on the machine, like USB keyboard, etc.
Using Microsoft Intune, we can do that; we can block USB access and, at the same time, whitelist specific devices.
Whitelist USB Devices on Windows Using Intune
To whitelist USB devices on Windows, we will use Intune Administrative Templates, as you will see.
To whitelist USB devices, create a setting catalog policy and set the values in the table below (see screenshot for more details).
In the catalog, search for the last four values and add the hardware IDs of the devices you would like to whitelist.
Create a configuration profile with the following details.
- Platform – Windows 10 or later
- Profile type – Settings catalog
- Removable Disks – Deny execute access Enabled
- All Removable Storage classes – Deny all access Enabled
- Removable Disks – Deny read access Enabled
- Allow installation of devices that match any of these device IDs – Add the hardware ID for the devices you want to whitelist
Your configuration profile should look like this:
As an optional step, you can add Block untrusted and unsigned processes that run from USB and set it to enabled.