Device USB Access Policy Creation Procedure

This admin procedure will provide background information on creating a new device control attack surface reduction rule that revolves around USB access within your organization.

USB & Removable Storage Device Control

One of the more common ways for malware to enter a network, or for data to leave it, is a simple USB stick. While many organizations work to lock down their DLP rules for email, controlling the use of USB devices is often overlooked. These devices have lightning-fast transfer speeds, making quick work of exfiltrating even the largest files. Along with data exfiltration, the introduction of malware from USB devices plugged into machines is certainly a concern.


Procedure Scope: Administrators

Required Group Membership: Admin.DeviceSecurity


Creating a Device USB Access Policy

  1. Navigate to Attack Surface Reduction – Intune and select Create Policy. Specify the platform as Windows 10 and Later and the profile type as Device Control, since this procedure revolves around USB access. Select Create to continue.
  2. Supply basic policy information such as name and description. Click Select to proceed.
  3. All the configuration items related to device control will be listed; this procedure focuses on the settings related to removable storage devices. The USB access handling itself is left up to management: any USB access restriction should only be deployed once the technical decision has been verified. Select Next to continue.
  4. Scope tags can be selected here; they are mainly used with RBAC. Select Next to continue.
  5. Configure the group assignments or exclusions that the policy will affect. Select Next to proceed to the review step.
  6. The review page shows all settings configured during the device control creation process. If you detect a discrepancy at this stage, make note of the section and select Previous to go back and make alterations before finalizing. If everything checks out, select Create to publish the policy.
  7. Upon successful creation the rule will show up in the list of all attack surface reduction policies managed through Intune.

You should now have created a new device control attack surface reduction rule that will be pushed to the specified onboarded device group; these settings determine whether any USB devices are allowed to be used on a corporate device.
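To confirm on an onboarded endpoint that the removable storage settings actually arrived and match what was configured in step 3, the following PowerShell audit can be run on the device. It is an added example for this procedure, not part of the original page or of Intune's own tooling. The registry path and the Deny_All / Deny_Read / Deny_Write / Deny_Execute value names are the classic Windows "Removable Storage Access" policy locations; that the Intune device control profile writes its removable storage settings to these keys on your tenant is an assumption you should verify against one known-good device. The baseline check assumes the organization's intent is to deny write access to removable disks.

```powershell
# Added example (not part of the original procedure): audit what an endpoint actually
# enforces for removable storage after the Intune device control policy has been pushed.
# Assumption: the deployed settings surface under the classic Removable Storage Access
# policy key below. Verify on a known-good device before relying on this check.

$removablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID used by Windows for "Removable Disks" (USB flash drives, card readers)
$removableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # Returns the policy values currently present on this host (null when not set).
    $result = [ordered]@{ DenyAll = $null; DenyRead = $null; DenyWrite = $null; DenyExecute = $null }
    if (Test-Path $removablePolicy) {
        $root = Get-ItemProperty -Path $removablePolicy -ErrorAction SilentlyContinue
        $result.DenyAll = $root.Deny_All
    }
    $classPath = Join-Path $removablePolicy $removableDiskClass
    if (Test-Path $classPath) {
        $cls = Get-ItemProperty -Path $classPath -ErrorAction SilentlyContinue
        $result.DenyRead    = $cls.Deny_Read
        $result.DenyWrite   = $cls.Deny_Write
        $result.DenyExecute = $cls.Deny_Execute
    }
    [pscustomobject]$result
}

function Get-AttachedUsbDisks {
    # Lists disks attached over USB so the auditor can see what the policy applies to right now.
    Get-Disk | Where-Object BusType -eq 'USB' | Select-Object Number, FriendlyName, Size
}

function Test-RemovableStorageBaseline {
    param([switch]$ExpectWriteDenied)
    $policy   = Get-RemovableStoragePolicy
    $usb      = @(Get-AttachedUsbDisks)
    $findings = @()

    if ($ExpectWriteDenied -and $policy.DenyWrite -ne 1 -and $policy.DenyAll -ne 1) {
        $findings += 'Removable disk write access is not denied by policy on this host.'
    }
    if ($usb.Count -gt 0 -and $policy.DenyAll -eq 1) {
        $findings += "Policy denies all removable storage, yet $($usb.Count) USB disk(s) are attached; confirm access is actually blocked."
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Policy       = $policy
        UsbDisks     = $usb
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

# Usage: run elevated on an onboarded endpoint after the policy has synced.
Test-RemovableStorageBaseline -ExpectWriteDenied | Format-List
```

A value of 1 in the Deny_* values means the corresponding access is blocked; absent values mean the policy has not reached the device (or is written elsewhere), which is the usual reason a newly created Intune policy appears to do nothing. Running the check before and after forcing a sync in Intune gives a clean before/after record for the change ticket.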