This post will walk you through Device Control with Microsoft Intune. It is all about controlling access to certain devices or peripherals of Windows.


Device Control can bring the benefit for these requirements:

  • Security: Peripherals connected to your device and operating system can potentially contain malicious software or have an impact on your system. It is a measurement for attack surface reduction.
  • Data protection: Confidential files could be exfiltrated on removable storage media and stay undetected.
  • Inventory compliance: Only approved peripherals should be allowed.
Keep in mind that in terms of data protection you should strive to Azure Information Protection.

If you are interested in the security background, check out Attacks via peripheral devices by Michael Schneider. Simply put:

  • Directy Memory Access > mitigate with Windows Virtualization-Based-Security (VBS) and Secure Boot with DMA
  • Sniffing of TPM > mitigate through Pre-boot authentication of Bitlocker
  • Prevent FireWire and Thunderbolt > GPO "Prevent installation of devices using drivers that match these device setup classes."
  • USB attack in combination with social engineering > Device Control and user education (HID devices may still be used for USB attacks)


There are different approaches when it comes to Device Control. The following are key:

  • Block specific hardware classes - Unused or unwanted hardware classes are disabled
  • Control removable storage - Granularly control read/write access to removable storage medium
  • Allow-/blocklist certain devices - Inventory authority and control

It is important that your organization has clear guidelines regarding Device Control. This will have a significant impact on the end user. Furthermore, you need to prepare clear inventory data and follow a device strategy.

BitLocker allows to configure read-only access to removable storage which is not encrypted - this may be also considered.


Identifying devices

To identify devices you can make use of the device manager. The properties will help to identify the device.


Some device classes may be unused and can be completely blocked, depending on your requirements.

  • FDC
  • FloppyDisk
  • SmartCardReader
  • TapeDrive

Microsoft publishes a list with all setup classes - there you can find the ClassGUID which is needed for the policy.

Reusable settings

Reusable setting groups define a set of device attributes that can be used for multiple policies. This is more convenient and only requires updates at one place. To create this:

  1. Open Intune admin center and go to Endpoint Security>Attack surface reduction and switch the tab to Reusable settings


  1. Specify a name and description, and add>Removable storage (you can add multiple instances), then Edit instance - here you can edit multiple different attributes of storage media


Note, that you can switch to "Match all" or "Match any" at the bottom. This means, that either one attribute within an instance or all must match to apply for this Reusable setting group.

Create Device control policy

A Device control policy is part of Attack surface reduction in Intune, also in the Endpoint Security node. Find all settings and description in the official documentation. You can orientate yourself with my policy.


Please compare the settings with the Microsoft Security Configuration Framework.

Allow list through Reusable settings

Any specific storage devices can be allow-listed in the Device Control policy. Therefore create a Reusable settings group and fill in values that identify the device.

Add this Reusable group as Excluded ID and Edit the Entry.


Notes from the field

  • For inventory control, specifically allow listing storage and device types, I would recommend you to use the VendorID (VID) or VendorID + ProductID (VID_PID), mostly found under the HardwareID property.
  • If you want to block all removable storage, add all related ClassGUIDs:
    • Disk Drivers
    • Storage Volumes
    • Windows Portable Devices (WPD)
  • Bluetooth control should also be considered, as it is a very popular feature and offers attack surface. Learn more
Always test your Device Control policy on test devices, before applying it broadly.

Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.