How to Disable USB Ports with Microsoft Intune

Block removable storage devices and USB ports to enhance security using Microsoft Intune

← Back to Home
📅 January 20, 2026 | ⏱️ 3 min read | ✍️ By Allester Padovani | 🏷️ Device Configuration

Removable storage (USB drives, external disks, memory cards) can be used to copy data off devices or introduce malware. Many organizations restrict or block these devices on managed Windows PCs. Microsoft Intune’s Device restrictions profile includes settings to block removable storage access only, or to block all USB connections (except charging).

This guide walks through creating a Device restrictions configuration profile that applies to Windows 10/11 devices, configuring the General section to block removable storage and optionally USB connections, then assigning the profile to users or devices.

What You’ll Configure

  • A Device restrictions configuration profile for Windows 10 and later.
  • Under General: Removable storage – Block (blocks USB sticks and similar) and/or USB connection – Block (blocks all USB ports; charging is not affected).

Step 1: Create a Device Restrictions Profile

In the Microsoft Intune admin center, go to DevicesWindowsConfiguration profiles. Click CreateNew policy. Choose Windows 10 and later as the platform and Templates as the profile type. Select Device restrictions and click Create.

Creating a device restrictions configuration profile

Step 2: Basics

On Basics, give the profile a name (e.g. WIN-Block Removable Storage or WIN-Block USB) and click Next.

Configuration profile Basics tab with profile name

Step 3: Configure General (Removable Storage and USB)

On the configuration page, expand General. You’ll see two relevant options:

  • Removable storage – Block: When set to Block, users cannot access removable storage devices (e.g. USB flash drives, external hard drives, SD cards). Other USB devices (keyboards, mice, chargers) continue to work.
  • USB connection – Block: When set to Block, all USB ports are blocked for data. Charging over USB is not affected. Use this when you need to lock down USB entirely except for power.

Choose the option that matches your policy: block only removable storage (most common) or block all USB connections. Set the other to Not configured if you don’t want that restriction. Click Next.

General settings – Removable storage and USB connection block

Step 4: Assign and Create

On Assignments, add the groups that should receive this profile (e.g. All Devices or a pilot group). You can skip Applicability rules unless you need OS version targeting. On Review + create, review the summary and click Create.

Assigning the configuration profile to groups Review and create the configuration profile

After the profile syncs to a device, the chosen restrictions apply. Users will not be able to use removable storage and/or USB data connections as configured. Reverting the policy (set to Not configured or remove the assignment) restores access after the next sync.

Wrap-up

You’ve disabled USB ports or removable storage with Intune by creating a Device restrictions profile, configuring General to block removable storage and/or USB connection, and assigning the profile to the right users or devices. Use Removable storage – Block to block only USB sticks and similar media, or USB connection – Block to block all USB data while leaving charging unaffected.