Granting access to USB/External device
Overview:
This article provides step-by-step instructions for granting a user access to external devices (USB, CD-ROM, SD card, etc.). Access to external devices is managed by the Intune policy "Teach First - Device Control Policy", which is found under Intune - Endpoint Security - Attack Surface Reduction. Reusable settings (Endpoint Security > Attack surface reduction > Reusable settings) are used to define groups of specific removable storage devices, CD-ROMs, or portable Windows devices by their device name and device ID. These reusable setting groups are then referenced within the device control policy to either include or exclude specific devices, i.e. to grant or deny access to them.
To grant a user explicit access to all external/USB devices, simply add the user to the AAD-SG-Intune-ASR-AllowUSB group.
Granting a user access to a specific USB device
Steps:
- Sign in to Intune.
- Create a reusable setting group:
  On the Endpoint Security - Attack Surface Reduction page, select the Reusable settings tab.
  The "Any Removable Storage, CD-DVD and WPD Devices" and "Approved USBs Group" groups are, respectively, the default denied and allowed USB reusable setting groups referenced by the Device control policy.
  Click Add to create a new reusable setting group for a new user, or select an existing group for the user to edit it.
  Provide a name and description for the group.
  On the Configuration settings page, click Add > Removable storage to begin defining the devices.
- Identify the device:
  In the Edit instance window, add the device properties (such as Name, DeviceId or InstanceId) that identify the specific device.
  To obtain the Name and DeviceId values, go to https://security.microsoft.com/ and navigate to Investigation & response - Hunting - Advanced Hunting.
  Select Queries and choose the USB Device Control Event query. Select an applicable time period and click Run query to view the events.
  On the results page, search for the user by username and select the DeviceId or InstanceId of the USB device to be allowed.
  Set the Match type to Match any, then click Review + Add and Add to save the reusable setting group.
- Go to Device Control:
  Navigate to Endpoint Security - Attack Surface Reduction.
  Select Teach First - Device Control Policy.
  Click Edit on the Configuration settings option and expand the Device control dropdown to view the current settings or to add a setting for the new user with the new reusable group.
  Click Add to create a new device control rule and give it a name consistent with the previous rules.
  For the included device, select the default deny reusable setting group. For the excluded device, select the new reusable setting group that is to be allowed.
  Select Configure instance and replicate the settings of a previous rule (click Edit instance on a previous rule to see the settings used); for the Sid option, insert the Object ID of the user the rule should apply to.
  Click Next and then Save to finish adding the setting.
  Perform a sync on the user's device and allow some time for the rules to be applied to the device.
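As an added example (not part of the original article and not Microsoft's saved "USB Device Control Event" query), the Advanced Hunting query below narrows device control events to a single user and lists one row per device, so the DeviceId and InstanceId needed for the reusable setting group can be read off directly rather than searched for in the raw results. It assumes the Microsoft Defender for Endpoint DeviceEvents schema, where device control enforcement is logged with ActionType RemovableStoragePolicyTriggered and the device details sit in the AdditionalFields JSON; the account name is a placeholder.

```kql
// Assumed schema: Defender for Endpoint DeviceEvents table, with device control
// details (DeviceId, DeviceInstanceId, MediaName, verdict, ...) in AdditionalFields.
// Placeholder account name; replace with the user from the request.
let targetUser = "jane.doe";
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "RemovableStoragePolicyTriggered"
| where InitiatingProcessAccountName =~ targetUser
| extend parsed = parse_json(AdditionalFields)
| extend MediaName       = tostring(parsed.MediaName),
         MediaDeviceId   = tostring(parsed.DeviceId),          // value for the DeviceId property
         MediaInstanceId = tostring(parsed.DeviceInstanceId),  // value for the InstanceId property
         VendorId        = tostring(parsed.VendorId),
         ProductId       = tostring(parsed.ProductId),
         SerialNumber    = tostring(parsed.SerialNumber),
         Access          = tostring(parsed.RemovableStorageAccess),
         Verdict         = tostring(parsed.RemovableStoragePolicyVerdict),
         PolicyName      = tostring(parsed.RemovableStoragePolicy)
// Collapse repeated plug-in attempts into one row per physical device, keeping the
// set of verdicts so a device that is currently being denied stands out.
| summarize Events = count(), LastSeen = max(Timestamp),
            Verdicts = make_set(Verdict), AccessTypes = make_set(Access)
    by DeviceName, MediaName, MediaDeviceId, MediaInstanceId,
       VendorId, ProductId, SerialNumber, PolicyName
| order by LastSeen desc
```

Copy MediaDeviceId or MediaInstanceId from the relevant row into the Edit instance window of the reusable setting group; the InstanceId includes the serial number, so it pins the rule to that one physical device rather than every device of the same model.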