Restricting USB access with Intune

A customer asked us to implement a total USB drive block on a newly deployed Intune environment, as opposed to the usual blocking of ‘write access’ or ‘ensure everything is BitLockered’.

Using ASR within Intune, the experience was a bit flaky: it allowed read access regardless of configuration. Lots of blog posts suggest it should work; I’m not sure why it didn’t behave.

Reviewing their on-prem configuration, we were able to put the same configuration in place, albeit with one option missing (the ‘Removable Disks: Deny write access’ setting that IS in ASR!).

With just the above in place within Intune as below:

I did also put the ASR setting for ‘Removable Disks: Deny write access’ in place, just for belt and braces.

Attempts to plug in and access a USB device are met with a generic ‘Access denied’ Windows message.
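To confirm on a test device what the Intune profile actually applied, and to tell a Removable Storage Access block apart from an ASR block behind that generic ‘Access denied’, here is an added verification script (not from the original post or from Microsoft). It assumes the on-prem and Intune administrative-template settings land in the standard RemovableStorageDevices policy registry key, keyed by device setup class GUID, and that ASR blocks are logged as Defender events 1121 (block) and 1122 (audit).

```powershell
# Added verification script (not from the original post). Run in an elevated PowerShell
# on a test device after the Intune profile has applied.
# Assumption: the "Removable Storage Access" settings write to this policy key.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs used by the Removable Storage Access policies (assumed standard values).
$DeviceClasses = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices'     = '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'
}

function Get-RemovableStoragePolicy {
    # Returns one row per class with the effective Deny_* flags ($true = denied).
    $denyAll = (Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    foreach ($name in $DeviceClasses.Keys) {
        $keyPath = Join-Path -Path $PolicyRoot -ChildPath $DeviceClasses[$name]
        $props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Class       = $name
            DenyAll     = ($denyAll -eq 1)          # "All Removable Storage classes: Deny all access"
            DenyRead    = ($props.Deny_Read -eq 1)
            DenyWrite   = ($props.Deny_Write -eq 1)  # the "Deny write access" setting discussed above
            DenyExecute = ($props.Deny_Execute -eq 1)
        }
    }
}

function Get-RecentAsrEvents {
    # If no Deny_* flag explains the "Access denied", an ASR rule may have fired instead.
    # Event 1121 = ASR block, 1122 = ASR audit-mode hit.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
Get-RecentAsrEvents | Format-List
```

If the policy table shows nothing denied but users still get ‘Access denied’, the ASR event list is the next place to look before assuming the Intune profile failed to apply.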

Whilst there’s nothing wrong with that, it isn’t very intuitive for users. I stumbled upon the Microsoft guidance, which recommends a different approach: https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb This is much more granular than just Removable Storage. A lot of these settings overlap with the ASR policy configuration too, so we could probably achieve the same there.

I would have preferred to go down this route, but the risk was that other organisational ‘allows’, such as cameras, could be blocked without sufficient exclusions in place. Not knowing the specifics, it was better to stick with the on-prem configuration until it could be reviewed further.
