KevinHalstead-6118 asked JoseCruz-7764 published

Intune USB Block unable to reverse change

Hi,

We are having issues reversing a USB block to a device; we have a requirement for this user to use USB. We usually block all USB access on all devices.
We added the user and device to the exception for the device profile for USB blocking but the user is still unable to use USB.

We have identified it changes the following registry key:
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System
Name: AllowStorageCard

We can set this and USB now works, however on reboot the settings reverse again.

Is there any way we can reverse this setting? I really do not want to have to rebuild the machine just for this.

Thanks.


Did you ever fix this? We're experiencing the same issue...

  • I've created an OMA-URI policy to revert the block setting - it applies OK, registry sets back to 0

  • I've excluded groups from the initial policy (tried with User and Device groups)

  • I've checked other USB blocking registry locations - all OK

  • I've checked INF USBStor driver for Access to USB storage - Access appears OK


We have an active ticket with MS but they seem to be going in circles!

It's weird, when the USB drive is blocked - Access Denied. When you revert the blockage, it's 'Please insert USB'; it's like the users have lost permission to READ USB storage but they can LIST it, as the USB drive name appears in the File Explorer after removing the block policy... Users just can't READ/WRITE to it...





0 Votes 0 ·

Did you ever get this resolved by Microsoft?

0 Votes 0 ·
Crystal-MSFT answered

@KevinHalstead-6118, From your description, I know our issue is that the AllowStorageCard registry key will reverse back after restarting. If there's any misunderstanding, feel free to let us know.

Here, I have set device configuration policy and done some tests in my lab for the reference:

Create a device restriction configuration profile and set the Removable storage as blocked.
Testgroup1: test1, test2 (User group)
Test group2: test1 (User group)

Test 1
Add testgroup1 into the assignment. After it is deployed successfully, we find the registry key AllowStorageCard created with value 0. Add testgroup2 into the excluded groups. Wait enough time to let the policy be applied again. Find the registry key has changed to value 1. Restart the device; the value is not changed.

Test 2
After the above groups are configured, enroll another device into Intune; for this device the AllowStorageCard registry key will not be added.

It seems in my lab, it is working well. We suggest to only keep the device or user in the excluded group. For example, if the block policy is applied to all devices, for the excluded group, we suggest to only keep the device. Remove the user in it.

However, if it is still not working, to clarify our issue, please provide the following information:
1. Please check the status for the affected device under the device configuration profile.
2. How did we set to make the USB work? Could you give a more detailed description? What is the registry key value of AllowStorageCard after rebooting?

Please try the above suggestion and if there's anything unclear, feel free to let us know.



KevinHalstead-6118 answered Crystal-MSFT commented

Hi,

Thanks for coming back to me.

Test1 is not what is happening for us. We have a Device Profile just to block USB.
We have two groups, Block and Exclude, and these have users in them. Not devices.
So the Block USB works and the users have them blocked. We then add users we want to allow later on to the excludes group.
The USB block is not being removed and the reg key is still set to 0. It successfully syncs but the policy is not being undone.
We then tried to push this to set it to 1 manually through regedit. It will stay 1 until the user reboots the machine where it goes back to 0.

We set them into the exclude profile about a month ago now.

Test2. This is correct, enrol a device that is excluded seems to be excluded. It just does not seem to undo the policy that is already set.
This is why the last resort is to rebuild the machine which I really don't want to do.

Any advice would be greatly appreciated.

Thanks.


@KevinHalstead-6118, Thanks for the reply. Could you get a screenshot of the Device Profile we configured? And let us know the "Deployment status" of one affected device. Thanks!


0 Votes 0 ·
KevinHalstead-6118 answered Crystal-MSFT commented

Hi,

The device is still in the excluded group and is actually in a pending state:

[Screenshot: intune.jpg]


@KevinHalstead-6118, From the status, we find it is pending. Could you sync the policy under Accounts->Access work or school and see if the result will be different? If the status is still pending, please check the DeviceManagement-Enterprise-Diagnostics-Provider event log to see if there is any related error.

Hope it can help.

0 Votes 0 ·
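
Added example, not posted by anyone in this thread: a read-only PowerShell check, run in an elevated session on the affected device, that gathers what the comment above asks for. It reads AllowStorageCard from the registry path given in the question and lists recent errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider log. The `providers` subkey layout and the `/Admin` channel name are assumptions about the Windows MDM client, not details taken from the thread.

```powershell
# Added diagnostic example (read-only); not code from the thread.
$valueName = 'AllowStorageCard'
# Effective value, path as given in the question
$current   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
# Assumption: per-provider copies sit under providers\<id>\default\Device\System
$providers = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
# Assumption: Admin channel of the log named in the comment above
$logName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the value data, or 'not set' when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { $item.$Name }
}

# 1. Effective value plus the value each management provider has written
$rows = @([pscustomobject]@{
    Source = 'current (effective)'
    Value  = Get-PolicyValue $current $valueName
})
$rows += @(Get-ChildItem -Path $providers -ErrorAction SilentlyContinue | ForEach-Object {
    $path = Join-Path $_.PSPath 'default\Device\System'
    if (Test-Path $path) {
        [pscustomobject]@{
            Source = "provider $($_.PSChildName)"
            Value  = Get-PolicyValue $path $valueName
        }
    }
})
$rows | Format-Table -AutoSize

# 2. Errors (level 2) and warnings (level 3) from the last 7 days,
#    flagging the ones whose message names the policy value
$filter = @{ LogName = $logName; Level = 2, 3; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'MentionsValue'; e = { $_.Message -match $valueName } },
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```

Running it before and after a reboot shows whether a provider entry still carries 0 when the effective value flips back.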

@KevinHalstead-6118, How are things going? I am writing to see if there's any update on our issue. If yes, feel free to let us know.

0 Votes 0 ·