Microsoft Intune – Restrict Copying Corporate Data to USB Device

ByPrajwal Desai Hours

In this post we will see how can we restrict copying corporate data to USB device in Microsoft Intune. With Microsoft Intune we can do endless things and these are very focused on security issues of our devices and user data.

You can restrict copying the data to USB devices in Microsoft Intune by creating a custom profile. Let’s see how to achieve Microsoft Intune USB control. In this post I will show how to prevent our company data in a corporate profile from being used to copy or cut them in removable media.

Microsoft has this article on Prevent data leaks on non-managed devices using Microsoft Intune. Go through the article once as it is very informative.

Microsoft Intune – Restrict Copying Corporate Data to USB Device

Using Microsoft Intune, we will first create a new custom profile. Under the Device Configuration, click Profiles. In the right pane, select Windows 10 and later as Platform and profile as Custom.

Create new custom profile in Microsoft Intune
Create new custom profile in Microsoft Intune

On the custom OMA-URI settings page, we add the following information.

  • Name: USB Disable Access
  • Description: USB Disable Access
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
  • Data Type: Integer
  • Value: 1

Click OK when you add the above info.

Custom OMA-URI Settings
Custom OMA-URI Settings

Next, we assign the settings to our desired groups. After few minutes, the settings should apply the USB restriction policy to our devices.

Restrict Copying Corporate Data to USB Device
Restrict Copying Corporate Data to USB Device

Login to the client computer. Connect a USB device and copy any corporate file.

Example - Copying a content
Example – Copying a content

Go to the USB device and paste the copied content.

Example - Paste the copied content
Example – Paste the copied content

A warning message will appear with a note. You’re trying to copy work protected content to a removable drive. If you select Copy as work protected, it will still not allow the data to be copied over to USB drive.

Restrict Copying Corporate Data to USB Device
Restrict Copying Corporate Data to USB Device

If you select Copy as work protected, in the next step you see destination folder access denied. It also says you will need administrator permissions to copy to this folder. Let’s click Continue.

Restrict Copying Corporate Data to USB Device
Restrict Copying Corporate Data to USB Device

What you now see is same access denied window with Try again button. So this is how in Microsoft Intune, you can restrict copying corporate data to USB Device.

Restrict Copying Corporate Data to USB Device
Restrict Copying Corporate Data to USB Device

I hope you found this post useful. If you have any questions, you can add them in the comments section.

Avatar photo

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.

4 Comments

  1. Nice one, it works so nicely. Do you also have one for Copy to MicroSD restriction? It only seems to restrict USB.

    Reply
  2. Avatar photo alapaloza says:

    Is corporate data defined on file level or on device state level?

    Cheers and good post

    Reply

  3. Can this item be scoped to devices or just users?

    Reply

  4. The custom policy actually prevents all USB storage access, not only work data.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *