Whitelist USB Devices on Windows Using Intune

In this Microsoft Intune post, I will show you how to whitelist USB devices on Windows using Intune.

With Microsoft Intune, we can block read and write access to USB ports and prevent users from using USB.

The problem starts when we also want to allow some USB devices and specific USB hardware, such as a USB keyboard, to be used on the machine.

Using Microsoft Intune, we can do that; we can block USB access and, at the same time, whitelist specific devices.

Whitelist USB Devices on Windows Using Intune

To whitelist USB devices on Windows, we will use Intune Administrative Templates, as you will see.

To whitelist USB devices, create a Settings catalog policy and set the values in the table below (see screenshot for more details).

In the catalog, search for the last four values and add the hardware IDs of the devices you would like to whitelist.

| Setting | Value |
| --- | --- |
| Platform | Windows 10 or later |
| Profile type | Settings catalog |
| Removable Disks: Deny execute access | Enabled |
| All Removable Storage classes: Deny all access | Enabled |
| Removable Disks: Deny read access | Enabled |
| Allow installation of devices that match any of these device IDs | Add the hardware ID for the devices you want to whitelist |

Configuration profile table

The screenshot below shows the policies.

As an optional step, you can also add the setting Block untrusted and unsigned processes that run from USB and set it to Enabled.
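
The policy above needs the hardware IDs of the devices to allow. The following PowerShell script is an added example, not part of the original post: it lists the hardware IDs of the USB devices currently connected to a machine and shows which of them match the allow list on that machine. It assumes the allow list is stored under the standard Group Policy registry key for this setting; run it in an elevated session on a test device.

```powershell
# Added example: list hardware IDs of connected USB devices and compare them
# with the device-installation allow list delivered by policy.
# Assumption: the allow list is stored under the standard Group Policy key below.
$allowKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'

# Read the allow list (values are named 1, 2, 3, ...); stays empty if no policy is applied.
$allowed = @()
if (Test-Path $allowKey) {
    $item = Get-Item -Path $allowKey
    $allowed = @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
}

# Enumerate devices that are currently connected through the USB stack.
$devices = Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -match '^(USB|USBSTOR)\\' }

$report = foreach ($dev in $devices) {
    # A device usually exposes several hardware IDs, from most to least specific.
    $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
        -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue
    $ids = @($prop.Data | Where-Object { $_ })

    # This script compares the full ID string, case-insensitively (-contains default).
    $hit = $ids | Where-Object { $allowed -contains $_ } | Select-Object -First 1

    [pscustomobject]@{
        Name        = $dev.FriendlyName
        Class       = $dev.Class
        HardwareIds = $ids -join '; '
        AllowedBy   = if ($hit) { $hit } else { '(no match)' }
    }
}

# One block per device; copy the ID you want from HardwareIds into the Intune setting.
$report | Sort-Object Class, Name | Format-List
```

A device showing "(no match)" has none of its hardware IDs in the allow list as it is written on that machine, which makes typos and truncated IDs in the profile easy to spot.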

1 thought on “Whitelist USB Devices on Windows Using Intune”

  1. Cannot get this to work to allow specific USB storage devices/removable disks like SanDisk to work. Even have the Device IDs listed as allowed. Still get “Access is Denied”
