
Lesson Learned: Blocking Removable Storage

Marcus Bluestein


As a security measure, Kraft Kennedy has been blocking removable storage since 2021. We expected this to be easy to implement, but discovered a significant issue during our testing. We’re sharing the lessons learned.

Our original plan was to use Microsoft Endpoint Manager and a Device Restriction, as seen in the screenshot below:

[Screenshot: blocking removable storage]

During our initial testing, everything seemed fine. Then we started to test our exception system. Our plan was to create two policies. The Block policy would apply to everyone except our Exception group. The Allow policy would apply only to the Exception group.

It turns out that once Removable Storage is blocked via Configuration Service Provider (CSP) policy, it can’t be unblocked through CSP (Device Restrictions) or by manipulating the registry directly. As a result, we aren’t using CSP and will instead deploy the registry keys (on or off) through Intune. Initial testing confirmed this works as expected.

IMPORTANT NOTE: All of our test users who had this CSP applied to their computer had to wipe and redeploy their computers using Autopilot. There was no other way to undo the block.
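The registry-based on/off approach described above could be scripted as follows. This is an added example, not Kraft Kennedy's own script: the article does not name the keys it deploys, so the sketch assumes the Group Policy-backed `Deny_All` value ("All Removable Storage classes: Deny all access"), and `$Mode` and the function names are hypothetical. Intune does not pass arguments to platform scripts, so one copy with `$Mode = 'Block'` would go to everyone except the Exception group and one with `$Mode = 'Allow'` to the Exception group.

```powershell
# Added example (assumption: the policy value is Deny_All under the key below).
# Per the article, this does NOT undo a block that was already applied via CSP.
$Mode      = 'Block'   # hypothetical switch: 'Block' or 'Allow', set per script copy
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$ValueName = 'Deny_All'

function Get-DenyAllValue {
    # Returns the current DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DenyAllValue {
    param([Parameter(Mandatory)][int]$Data)
    # Create the policy key on first use, then write the value explicitly
    # (0 or 1) so the "off" state is a deployed setting, not a missing one.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Data `
        -PropertyType DWord -Force | Out-Null
}

if ($Mode -notin @('Block', 'Allow')) {
    Write-Error "Unknown mode '$Mode' (expected Block or Allow)."
    exit 1
}

$want   = if ($Mode -eq 'Block') { 1 } else { 0 }
$before = Get-DenyAllValue
if ($before -ne $want) { Set-DenyAllValue -Data $want }
$after  = Get-DenyAllValue

# Log the transition so the Intune script result shows what changed.
$shownBefore = if ($null -eq $before) { 'unset' } else { $before }
Write-Output "RemovableStorageDevices\$ValueName mode=$Mode before=$shownBefore after=$after"

# A non-zero exit code marks the deployment as failed when the write did not stick.
if ($after -ne $want) {
    Write-Error "Deny_All is '$after', expected '$want'."
    exit 1
}
exit 0
```

Test both copies on a device that has never received the CSP block before any wider rollout, since the article found no way to reverse that block short of a wipe.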

The article “Changed Intune Policy Processing Behavior on Windows 10” (Modern IT – Cloud – Workplace, oliverkieselbach.com) explains how Microsoft has started to change CSP settings to work like Group Policy Objects (GPOs). However, not all CSPs have been updated to work this way, and Removable Storage remains a problem (read the comments at the bottom of the linked article).

To continue the conversation with our team, please get in touch.
