Thanks a lot, bullseye. I hope that you will create a complete playlist for Intune!!
Does a phone count as a USB storage device? I want to block thumb drives completely, but allow people to copy photos from their phones.
You are looking for a very similar setting in the policy from this video, there is a section for removable storage access and that incorporates those settings
Thanks for a great video!
You show: 'RemovableMediaDevices' needs to go into: Name and PID.
It should be Name and "PrimaryId", shouldn't it?
Worked for me when changing to "PrimaryID", not PID.
Thank you Jonathan for your tutorials. Your explanations are clear and the demo is easy to follow. You are doing an excellent job.
Hi Jonathan, thanks for the perfect lecture, it worked as expected!!! Looking forward to more videos.
"Shona the CEO" wants to be the exception to the rule - most relatable example ever. Not like CEOs are the most targeted in an organisation. 🙄 Great video, there's a lot of MS docs on how to go about blocking USBs but very little about this latest way of doing it. Prior to this, XML file whitelisting was an absolute headache to manage at 1st line; this new method can be resolved by the service desk nicely, taking the pressure off infrastructure and modern workplace teams.
I'm currently experimenting with MS forms and logic apps to allow a self service USB whitelist process (with approval steps of course).
Now that we can add them easily to that reusable settings location, it is significantly easier to append to that list.
You have a new subscriber.
Thanks for the comment! And for subscribing!
Thanks Jonathan, I've been using another way: from the configuration settings, I have set "allow storage card" to "not allowed", and when I need to exclude a device, I do that using a dynamic device security group, but your way seems to be more sophisticated.
Thank you Jonathan. A quick remark: In your video you are talking about "Primary ID", but you are posting "RemovableMediaDevices" into "PID" instead of "Primary ID". AFAIK it should be set under "Primary ID".
That's true! I was wondering why the policy didn't work but this fixed it. Thanks!
Yes, you are right
I love it and I'm looking forward to how to block removable storage on macOS via Intune as well.
Thanks for the good content, guy.
Yes, that will come soon from me!
Saved the day mate! Thanks!
Excellent, my only concern is that this policy doesn't block whole docking stations, but only USB mass storage.
Honestly, Jonathan, when I see the relative complexity of the thing, I am happy to manage hybrid environments and therefore to be able to continue easily with GPOs to manage this!
Oh no!
Thanks ❤❤❤
Thanks for explaining a lot of things in 365 and making it easier to understand! You're the best 👌
Glad you think so!
Thank you sir for your work for our community
Thank you 🙏
Love your videos. Simple and friendly.
Glad you like them!
How long does it usually take for you to sync the changes you make and the policies you create? How do you make sure that the sync successfully applied the policy to your endpoint?
excellent video again.
Thanks , very helpful
You're welcome!
For the ones with "old" on-prem environments it could also be done with GPOs 😊 but great video as usual!
Getting "all" GPOs to M365 before all computers get migrated could be a video for you, if you don't have it already 😇
Thanks for the tips!
Hey Jonathan, I did the whole process. On the first one, to deny write access, everything was OK, but when I did the rest of the process, exactly like the video, the USB didn't get blocked like before.
All devices in Intune? And enrolled in Defender for Business?
@bearded365guy They are all in Intune. I believe they are enrolled in Defender for Business; I've got a lot of policies on there that are working well. But on this matter, just the part to deny write access is fine. When I go to reusable settings, I can create them normally, but when I do it like your video, I put in the information of an external HD, the instance path, and the policy succeeds but it does not come up as a whitelisted device like it should.
Awesome one. I've created the (almost) same policy last week. I am running this as a pilot.
One thing about the Allowed USB from your video. I would assume you would assign this Allowed USB to a new ASR rule which is assigned to the CEOs device, right? Now this USB is allowed on every device.
Yes, you could further tie it down. But what if the CEO has multiple devices?
@bearded365guy You are right. Have a nice weekend. Can't wait for your next video.
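To make the two points in this thread concrete (the descriptor for removable storage is PrimaryId, and the approved drive needs its own group that the deny rule excludes), here is an added example in the Defender for Endpoint device control XML format; it is not from the video, and it assumes that the Intune reusable settings map onto this schema. GUIDs and the instance path are placeholders, and on Windows the Groups and PolicyRules documents are deployed as two separate XML files.

```xml
<!-- Added example, not the video's own policy. Placeholder GUIDs and path. -->
<Groups>
  <!-- Any removable storage: the descriptor is PrimaryId, not PID -->
  <Group Id="{00000000-0000-0000-0000-000000000001}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <!-- The single approved drive, matched on its device instance path -->
  <Group Id="{00000000-0000-0000-0000-000000000002}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <InstancePathId>USBSTOR\DISK&amp;VEN_PLACEHOLDER&amp;PROD_PLACEHOLDER&amp;REV_0001\SERIAL_PLACEHOLDER&amp;0</InstancePathId>
    </DescriptorIdList>
  </Group>
</Groups>

<PolicyRules>
  <PolicyRule Id="{00000000-0000-0000-0000-000000000003}">
    <Name>Deny write and execute on removable storage except approved drive</Name>
    <!-- Rule applies to everything in the removable storage group ... -->
    <IncludedIdList>
      <GroupId>{00000000-0000-0000-0000-000000000001}</GroupId>
    </IncludedIdList>
    <!-- ... except members of the approved-drive group -->
    <ExcludedIdList>
      <GroupId>{00000000-0000-0000-0000-000000000002}</GroupId>
    </ExcludedIdList>
    <!-- AccessMask bits: 1 = disk read, 2 = disk write, 4 = disk execute; 6 = write + execute -->
    <Entry Id="{00000000-0000-0000-0000-000000000004}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>6</AccessMask>
    </Entry>
    <!-- Audit the denial: Options 3 = show a notification and send an event -->
    <Entry Id="{00000000-0000-0000-0000-000000000005}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>6</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

Because the exclusion is on the rule rather than on a device assignment, the approved drive is allowed wherever this rule lands, which is the scoping question raised above.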
Is it possible to just allow read for some filetypes on USB?
I don’t think so…
My understanding is that ASR Device Control does not work if Defender is in Passive mode? Is that correct?
Yes….
If I do this will it affect wireless keyboard dongle?
Thanks for this video Jonathan. Are you aware of any solution to block USB for MAC?
Watch out in a few weeks there will be some content that includes this.
Be mindful that your existing endpoint security software may already have this functionality. Whilst the M365 suite is good, it's not always the easiest to configure without help (ahem, from his MSP :-) ) to get working.
Hi Jonathan, we have blocked the USB devices from Device Configuration, General, Removable Storage. Is there any advantage of doing it the new way that you showed in the video?
Both ways will work. I prefer this because our devices all run Defender for Business. If you use 3rd party AV, you’d need to use your way
Thanks, Jonathan, for the clarification. We are not using Defender for Business.
@remku that will be why…. You can block using config in Intune
"Does Microsoft Defender Endpoint protection work with Windows Defender activated in EDR Block Mode? I am following the steps in the tutorial, but it's not working as expected."
How can I use the exception in this case?
Block for a user, but enable access on request.
You’d have to maybe create some Entra groups called Allowed and Denied then move the user between them on request.
My devices are in Intune and running Defender for Business, but full blocking is not working. Two different tenants, not working.
It's working after removing the reusable settings from Included ID on the USB Storage Device Policy. Both tenants working OK.
Thanks a lot for this video!!!
will this also block FIDO keys?
No, it won’t block other USB devices.
I encountered an error with a USB drive which I have whitelisted and which is BitLocker enabled. Somehow I can use a normal laptop to unlock it, but if I use the laptop with the restrict USB policy enabled, I encounter this error code: 0x800700005
I am trying this in Hybrid mode, haven't fully tested it but I have excluded a couple of people.
Excellent and timely! Could you please assist with blocking the computer and laptop cameras while allowing them to work in Microsoft Teams?
Additionally, I need to stop Microsoft Teams from launching at Windows startup. I’ve tried various methods, but it still starts automatically.
I have tried; read only works, but the step to full blocking is not working.
Are your devices in Intune? Running Defender for Endpoint/Business?
@bearded365guy Using Microsoft Premium licences
Any idea why this policy applies to a machine (I can see the setting in the registry) but they can still read and write to USB drives? I only have this policy applied to 1 machine, just FYI.
Thank you Jonathan. A quick remark: In your video you are talking about "Primary ID", but you are posting "RemovableMediaDevices" into PID instead of "Primary ID". AFAIK it should be set under "Primary ID".
Hi Jon @bearded365guy
Thanks for the great video!
Are only USB storage devices affected here, or also USB-A/USB-C devices such as USB-C monitors, USB-C/Thunderbolt docking stations, Logitech USB-A receivers for keyboards and mice, or USB-A/C cameras?
In "Option 1 - Block write access", is the transfer from the USB storage device to the device itself also blocked here? I.e. as you show in the video, you create a document on the USB storage device and open it; what if you now drag this file to the laptop/PC, is this prevented by the Intune policy? If not, option 2 would be the right policy to prevent this.