Intune USB Block unable to reverse change

Kevin Halstead 26 Reputation points
2020-11-09T08:59:39.123+00:00

Hi,

We are having issues reversing a USB block on a device; we have a requirement for this user to use USB. We usually block all USB access on all devices.
We added the user and device to the exception for the device profile for USB blocking but the user is still unable to use USB.

We have identified it changes the following registry key:
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System
Name: AllowStorageCard

We can set this and USB then works; however, on reboot the setting reverts again.

Is there any way we can reverse this setting? I really do not want to have to rebuild the machine just for this.

Thanks.

Microsoft Intune Configuration
Microsoft Intune

6 answers

  1. Crystal-MSFT 42,631 Reputation points Microsoft Vendor
    2020-11-10T03:17:37.547+00:00

    @Kevin Halstead, from your description I understand the issue is that the AllowStorageCard registry key reverts after restarting. If there's any misunderstanding, feel free to let us know.

    Here I have set a device configuration policy and done some tests in my lab for reference:

    Create a device restriction configuration profile and set Removable storage to Blocked.
    Testgroup1: test1, test2 (user group)
    Testgroup2: test1 (user group)

    Test 1
    Add testgroup1 to the assignment. After it is deployed successfully, we find the registry key AllowStorageCard created with value 0. Add testgroup2 to the excluded groups. Wait long enough for the policy to be applied again. The registry key has changed to value 1. Restart the device; the value does not change.

    Test 2
    After the above groups are configured, enroll another device into Intune; for this device the AllowStorageCard registry key will not be added.

    It seems that in my lab it is working well. We suggest only keeping the device or the user in the excluded group. For example, if the block policy is applied to all devices, for the excluded group we suggest only keeping the device. Remove the user from it.

    However, if it is still not working, to clarify the issue, please provide the following information:

    1. Please check the status of the affected device under the device configuration profile.
    2. How did you set it to make USB work? Could you give a more detailed description? What is the registry key value of AllowStorageCard after rebooting?

    Please try the above suggestion and if there's anything unclear, feel free to let us know.



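The lab test above compares one registry value before and after a restart. The following PowerShell is an added example (not from the answer or from Microsoft) that reads every layer which can enforce a removable-storage block on a Windows 10 device, so the "reverts after reboot" symptom can be traced to its source. The PolicyManager\current path is the one the question names; the per-enrollment providers subtree, the classic Group Policy Deny_All value and the USBSTOR service Start value are assumed from how those features store their state and should be confirmed on the device. Run it in an elevated PowerShell prompt.

```powershell
# Added example, not part of the thread. Reports which policy layer is
# blocking removable storage on this device.

function Get-UsbBlockState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Merged MDM policy state referenced in the question.
    #    Policy CSP System/AllowStorageCard: 0 = blocked, 1 = allowed.
    $current = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    $result.CurrentAllowStorageCard =
        (Get-ItemProperty -Path $current -Name AllowStorageCard -ErrorAction SilentlyContinue).AllowStorageCard

    # 2. Per-enrollment values (assumed layout). "current" is rebuilt from these
    #    at policy refresh and reboot, which is why a manual edit of "current"
    #    does not survive a restart while a provider still holds 0.
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers' -ErrorAction SilentlyContinue
    $result.ProviderValues = foreach ($p in $providers) {
        $path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\providers\$($p.PSChildName)\default\Device\System"
        $v = (Get-ItemProperty -Path $path -Name AllowStorageCard -ErrorAction SilentlyContinue).AllowStorageCard
        if ($null -ne $v) {
            [pscustomobject]@{ Enrollment = $p.PSChildName; AllowStorageCard = $v }
        }
    }

    # 3. Classic Group Policy "All Removable Storage classes: Deny all access".
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $result.GpoDenyAll = (Get-ItemProperty -Path $gpo -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # 4. USB mass-storage driver service; Start = 4 means the driver is disabled.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $result.UsbStorStart = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]$result
}

function Get-UsbBlockSource {
    # Turns the raw values into a list of the layers that are actively blocking.
    $s = Get-UsbBlockState
    $sources = @()
    if ($s.CurrentAllowStorageCard -eq 0) { $sources += 'MDM: PolicyManager current value is 0' }
    if (@($s.ProviderValues | Where-Object AllowStorageCard -eq 0).Count -gt 0) {
        $sources += 'MDM: an enrollment provider still holds AllowStorageCard = 0'
    }
    if ($s.GpoDenyAll -eq 1) { $sources += 'Group Policy: RemovableStorageDevices\Deny_All = 1' }
    if ($s.UsbStorStart -eq 4) { $sources += 'Driver: USBSTOR service disabled' }
    if ($sources.Count -eq 0) { 'No removable-storage block found' } else { $sources }
}

Get-UsbBlockState | Format-List
Get-UsbBlockSource
```

If the providers subtree still shows 0 while the device sits in the excluded group, the tenant has not yet withdrawn the setting for that enrollment (consistent with the "pending" status reported later in the thread), and editing the current value only masks it until the next refresh. If instead only Deny_All or USBSTOR report a block, something other than the Intune profile is enforcing it and exclusions in Intune will not clear it.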

  2. Kevin Halstead 26 Reputation points
    2020-11-10T10:12:39.733+00:00

    Hi,

    Thanks for coming back to me.

    Test 1 is not what is happening for us. We have a device profile just to block USB.
    We have two groups, Block and Exclude, and these have users in them, not devices.
    So the Block USB works and the users have it blocked. We then add users we want to allow later on to the Exclude group.
    The USB block is not being removed and the reg key is still set to 0. It successfully syncs but the policy is not being undone.
    We then tried to set it to 1 manually through regedit. It will stay 1 until the user reboots the machine, when it goes back to 0.

    We put them into the Exclude group about a month ago now.

    Test 2: this is correct; enrolling a device that is excluded seems to be excluded. It just does not seem to undo the policy that is already set.
    This is why the last resort is to rebuild the machine, which I really don't want to do.

    Any advice would be greatly appreciated.

    Thanks.


  3. Kevin Halstead 26 Reputation points
    2020-11-11T08:44:01.573+00:00

    Hi,

    The device is still in the excluded group and is actually in a pending state:

    [Screenshot: 38999-intune.jpg]


  4. Steven John 1 Reputation point
    2021-12-03T12:07:44.763+00:00

    Hi,

    Did you have any luck fixing this or was there any response from Microsoft?

    We are experiencing the same issue. We can block USB access via Intune, but when we reverse it we get 'Please insert USB' when accessing a USB drive.

    Many thanks,


  5. thiagobeier 1 Reputation point
    2022-09-17T05:28:37.707+00:00

    Intune policies, after the security group is removed from the assignment, do not REMOVE the policy; try this:

    How to disable USB devices using Group Policy:
    Launch the Group Policy Management tool on the domain controller, right-click Group Policy Objects, and click New. Provide a name for the GPO such as Block USB Devices and click OK.
    Right-click the GPO and click Edit. This will launch the Group Policy Management Editor, where you can define the settings to block USB devices for Windows computers.
    In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.
    Out of all the Removable Storage Access policies, we will configure the setting "All Removable Storage classes: Deny all access".
    All Removable Storage classes: Deny all access: This policy setting allows you to configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. If you enable this policy setting, no access is allowed to any removable storage class. If you disable or do not configure this policy setting, read and write access is allowed to all removable storage classes.
    Right-click the policy setting All Removable Storage classes: Deny all access and click Edit. If you enable this policy, it will block access to any removable storage class that you connect to the computer. Click Enabled, click Apply, and then OK.

    regards,
    Thiago Beier
    https://thebeier.com

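The GPO steps above end in a registry value, and on a standalone or lab machine the same effect can be produced and then verified without the console. The PowerShell below is an added example (not from the answer or from thebeier.com): it writes and clears the Deny_All value under the RemovableStorageDevices policy key that "All Removable Storage classes: Deny all access" sets, and then checks whether each removable drive can actually be listed. The key path, the value name and the drive-access test are this example's assumptions. On a domain-joined device, manage the setting through the GPO as described, because Group Policy will re-apply its own value over a local edit at the next refresh.

```powershell
# Added example, not part of the answer. Local equivalent of the
# "All Removable Storage classes: Deny all access" policy, with a check.
# Run elevated; the policy key is under HKLM.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    # $Deny = $true writes Deny_All = 1 (policy Enabled); $false removes the value
    # (policy Not Configured). Already-mounted drives may need to be reconnected
    # or the machine rebooted before the change is honored.
    param([Parameter(Mandatory)][bool]$Deny)

    if ($Deny) {
        New-Item -Path $PolicyKey -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name Deny_All -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue
    }
}

function Get-RemovableStorageDenyAll {
    # Returns 1 when the deny-all value is present and set, otherwise $null.
    (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
}

function Test-RemovableStorageAccess {
    # DriveType 2 = removable disk. One object per drive, stating whether the
    # root directory could be listed; a deny-all policy produces an access error.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $drive = $_
        $ok = $true
        $err = $null
        try {
            Get-ChildItem -LiteralPath "$($drive.DeviceID)\" -ErrorAction Stop | Out-Null
        } catch {
            $ok = $false
            $err = $_.Exception.Message
        }
        [pscustomobject]@{ Drive = $drive.DeviceID; Accessible = $ok; Error = $err }
    }
}

# Usage: apply the block, show the value, test any attached removable drives.
Set-RemovableStorageDenyAll -Deny $true
"Deny_All = $(Get-RemovableStorageDenyAll)"
Test-RemovableStorageAccess | Format-Table -AutoSize

# Revert when the user is allowed USB again, then re-test.
Set-RemovableStorageDenyAll -Deny $false
"Deny_All = $(Get-RemovableStorageDenyAll)"
Test-RemovableStorageAccess | Format-Table -AutoSize
```

Keep in mind that this Group Policy value and the Intune AllowStorageCard value are separate controls: clearing Deny_All does nothing about a PolicyManager value of 0, and vice versa, so when a block will not lift, check both before rebuilding the machine.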