Intune :- Block Windows Portable Devices (WPD) on Intune-Managed Devices

What is WPD?

Windows Portable Devices (WPD) enables computers to communicate with attached media and storage devices. WPD provides a flexible, robust way for computers to communicate with music players, storage devices, mobile phones, cameras, and many other types of connected devices.

Why are mobile devices not blocked by removable media policy?

Problem

Even though we have set our removable media policy to block removable media, connecting a mobile phone, media player or similar device allows us to access its contents.

Cause

Devices that are presented through the WPD (Windows Portable Device) interface are not classed as removable media by the operating system, so the filtering of ESET Endpoint Encryption (EEE) does not apply to them. An easy way to check this is to see whether the device has been assigned a drive letter. If it hasn't, it will not be blocked by the Removable Media Policy.
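To see this distinction on a machine, the following added example (not part of the original post) lists devices that Windows exposes through the WPD PnP class, which never receive a drive letter, next to USB-attached disks whose partitions do carry a drive letter. It relies only on the built-in PnpDevice and Storage cmdlets on Windows 10/11; the function name is mine.

```powershell
# Added example: show which attached devices take the WPD path (no drive letter)
# and which are true removable disks (drive letter present). Run in an elevated
# PowerShell on Windows 10/11 with a phone and a USB stick attached to compare.

function Get-AttachedRemovableDevices {
    # Phones, cameras and media players register under the PnP class "WPD".
    # They are never mounted as a volume, so no drive letter is ever assigned and
    # a drive-letter based removable media policy does not see them.
    $wpd = Get-PnpDevice -Class 'WPD' -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Kind        = 'WPD'
                Name        = $_.FriendlyName
                InstanceId  = $_.InstanceId
                DriveLetter = $null
            }
        }

    # USB mass-storage devices (sticks, card readers) appear as disks whose
    # partitions get a drive letter; these are what removable media policy covers.
    $disks = Get-Disk -ErrorAction SilentlyContinue |
        Where-Object { $_.BusType -eq 'USB' } |
        ForEach-Object {
            $disk = $_
            Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                Where-Object { [int]$_.DriveLetter -ne 0 } |   # skip unlettered partitions ([char]0)
                ForEach-Object {
                    [pscustomobject]@{
                        Kind        = 'RemovableDisk'
                        Name        = $disk.FriendlyName
                        InstanceId  = $disk.UniqueId
                        DriveLetter = "$($_.DriveLetter):"
                    }
                }
        }

    @($wpd) + @($disks)
}

Get-AttachedRemovableDevices | Format-Table Kind, Name, DriveLetter -AutoSize
```

Anything that comes back with Kind = WPD and an empty DriveLetter is exactly the class of device the registry policy in the Solution section is needed for.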

Solution

You can upload a PowerShell script in Endpoint Management that deploys the registry keys restricting WPD devices.

Save the following script as a .ps1 file.

# =============================
# Block Read / Write of WPD Devices
# =============================
# The policy values live under RemovableStorageDevices\{device class GUID}.
# Both GUIDs below are the WPD device classes (media players, cellular phones,
# auxiliary displays, and CE devices).

# WPD Devices: Deny read access
# This registry setting denies read access to removable disks, which may include
# media players, cellular phones, auxiliary displays, and CE devices.
New-Item 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}' -Name 'Deny_Read' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' -Name 'Deny_Read' -Value 1 -PropertyType 'DWord' -Force | Out-Null

# WPD Devices: Deny write access
# This registry setting denies write access to removable disks, which may include
# media players, cellular phones, auxiliary displays, and CE devices.
New-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}' -Name 'Deny_Write' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' -Name 'Deny_Write' -Value 1 -PropertyType 'DWord' -Force | Out-Null

Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com

Step 1 :- Select Devices > Scripts, click Add, then select Windows 10.

Step 2 :- In the Basics section, give the script a name, provide a description and click Next.

Step 3 :- In the Script settings section, upload the previously created script under Script location and keep the other options at their defaults. Then click Next.

Step 4 :- Create a group in Azure Active Directory or in your on-premises Active Directory. In the Assignments section, click Add groups under Select groups to include, select your group and click Next.

Step 5 :- In the Review + add section, click Add.

You will get a success message in your console, as shown below.

Enrolled devices will receive the policy and WPD devices will be blocked.
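To confirm on an enrolled device that the script actually landed, the following added example (not from the original post) reads back the two policy keys the script creates and reports whether read and write are denied for both WPD device classes. The key path and GUIDs are the ones used in the script above; the function names and the exit-code convention (0 = compliant, 1 = not compliant, so the same file can serve as an Intune detection script) are my own choices.

```powershell
# Added example: verify the WPD deny policy on an enrolled device.
# Key path and class GUIDs are taken from the deployment script; nothing here
# changes the registry, it only reads it.

$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$WpdClasses = @(
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
)

function Get-WpdPolicyState {
    foreach ($guid in $WpdClasses) {
        $keyPath = Join-Path $PolicyRoot $guid
        # A missing key or value yields $null, which is treated as "not denied"
        # (the operating system default of allowing access).
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ClassGuid = $guid
            KeyExists = Test-Path $keyPath
            DenyRead  = ($props.Deny_Read  -eq 1)
            DenyWrite = ($props.Deny_Write -eq 1)
        }
    }
}

function Test-WpdBlocked {
    # Compliant only when every WPD class key exists with both values set to 1.
    $incomplete = Get-WpdPolicyState |
        Where-Object { -not ($_.KeyExists -and $_.DenyRead -and $_.DenyWrite) }
    -not $incomplete
}

Get-WpdPolicyState | Format-Table ClassGuid, KeyExists, DenyRead, DenyWrite -AutoSize

if (Test-WpdBlocked) {
    Write-Output 'WPD read and write access denied for both device classes'
    exit 0
} else {
    Write-Output 'WPD policy missing or incomplete on this device'
    exit 1
}
```

The check treats a missing key or any value other than 1 as "not denied", which is also the state you return to if the policy is rolled back by removing the Deny_Read and Deny_Write values.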

Registry result on an enrolled device

[Screenshot: Result 1]
[Screenshot: Result 2]

[Screenshot showing blocked mobile device]



Categories: AutoPilot, Intune

1 reply

  1. If I want to allow it back, then what do I change in the script?
