
Lesson Learned: Blocking Removable Storage

Marcus Bluestein


As a security measure, we are blocking removable storage at Kraft Kennedy. We expected this to be easy to implement, but we discovered a significant issue during testing.

Our original plan was to use Microsoft Endpoint Manager (Intune) and a Device Restrictions configuration profile, as shown in the screenshot below:

During our initial testing, everything seemed fine. Then we started to test our exception system. Our plan was to create two policies. The Block policy would apply to everyone except our Exception group. The Allow policy would apply only to the Exception group.

It turns out that once removable storage is blocked via a Configuration Service Provider (CSP) policy, it cannot be unblocked through the CSP (Device Restrictions) or by editing the registry directly. We are therefore no longer going to use the CSP and will instead deploy the registry keys (on or off) through Intune. Initial testing confirms this works as expected.
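The script below is an added example of the registry-based approach, not Kraft Kennedy's own deployment script. The post does not name the registry keys it uses; the example assumes the values that the built-in "Removable Storage Access" group-policy template (RemovableStorage.admx) writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, and it is intended to be deployed as an Intune platform script running as SYSTEM, once with -Mode Block for the general population and once with -Mode Allow for the Exception group.

```powershell
<#
  Added example: sets or clears the registry values behind the
  "Removable Storage Access" group policies. Key paths and value names are
  assumed from RemovableStorage.admx; the original post does not list them.
  Deploy via Intune as a platform script (run as SYSTEM), assigned to the
  Block group with -Mode Block and to the Exception group with -Mode Allow.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Block', 'Allow')]
    [string]$Mode
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB mass storage), as used by the ADMX
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$ClassKey = Join-Path $PolicyRoot $RemovableDisksClass

function Set-RemovableStorageBlock {
    param([bool]$Enabled)

    if ($Enabled) {
        # Equivalent of "All Removable Storage classes: Deny all access" = Enabled
        New-Item -Path $PolicyRoot -Force | Out-Null
        New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null

        # Also deny the Removable Disks class explicitly (read, write, execute)
        New-Item -Path $ClassKey -Force | Out-Null
        foreach ($valueName in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            New-ItemProperty -Path $ClassKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    else {
        # Equivalent of the policies being Disabled / Not Configured: remove the values
        if (Test-Path $PolicyRoot) {
            Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
        }
        if (Test-Path $ClassKey) {
            Remove-Item -Path $ClassKey -Recurse -Force
        }
    }
}

function Test-RemovableStorageBlocked {
    # $true when Deny_All is present and set to 1, otherwise $false
    $props = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.Deny_All -eq 1)
}

Set-RemovableStorageBlock -Enabled ($Mode -eq 'Block')

# Verify the registry now reflects the requested mode so Intune reports a real failure
$expected = ($Mode -eq 'Block')
if ((Test-RemovableStorageBlocked) -ne $expected) {
    Write-Error "Removable storage policy state does not match requested mode '$Mode'"
    exit 1
}
Write-Output "Removable storage policy set to $Mode (re-attach devices or reboot to apply)"
exit 0
```

Because the Allow mode removes the values rather than setting them to 0, a device moved out of the Exception group and back into the Block group returns to the blocked state on the next run of the Block script, which is the reversibility the CSP route lacked. Given the wipe-and-redeploy outcome described in this post, test both modes on a disposable Autopilot device or a VM snapshot before assigning the scripts to production groups.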

IMPORTANT: Every test computer that had the CSP applied had to be wiped and redeployed using Autopilot. There was no other way to undo the block.

The article linked below explains how Microsoft has started changing CSP settings to behave like GPOs, so that removing a policy restores the previous state. Not all CSPs have been updated to work this way, and Removable Storage is one of the problem cases (read down into the comments at the bottom).

Changed Intune Policy Processing Behavior on Windows 10 – Modern IT – Cloud – Workplace (oliverkieselbach.com)
