Block Device Drivers by Setup Class GUID in Intune – Stop USB, Thunderbolt & Webcam Drivers (2025 Guide)
Block Driver Installation by Device Setup Class GUID in Intune – Complete 2025 Deep-Dive Guide
In 2025, one of the most powerful (yet under-used) Windows security controls is blocking entire device classes at the driver level using their Setup Class GUIDs. This stops USB sticks, Thunderbolt docks, FireWire DMA attacks, webcams, printers, Bluetooth devices — anything — from ever installing, even if the user is local admin.
This is not the same as removable storage restrictions in Defender/Endpoint DLP — this works at the kernel driver level and blocks the device before Windows even sees it.
Why This Matters in 2025
- Prevents DMA attacks (Thunderbolt/FireWire/ExpressCard) used in <5-minute physical breaches
- Stops rubber-ducky / BadUSB payloads
- Enforces “no local printers” or “no webcams” policies in high-security environments
- Blocks legacy or vulnerable drivers forever
- Works on Windows 10 1809+ and all Windows 11 versions (including 25H2)
Two Official Methods (Both Supported in 2025)
| Method | Best For | Granularity | Requires Intune License |
|---|---|---|---|
| Administrative Templates (GPO-style) | Most organizations | Simple, readable, supported | Microsoft 365 E3+ |
| Custom OMA-URI (DeviceInstallation CSP) | Advanced/granular control | Full CSP power | Same |
Method 1: Administrative Templates (Recommended for 99% of Orgs)
- Intune Admin Center → Devices → Configuration profiles → Create profile
  - Platform: Windows 10 and later
  - Profile type: Templates → Administrative Templates
- Basics
  - Name: Block Unauthorized Device Classes – Enterprise Standard
  - Description: Prevents installation of USB storage, Thunderbolt, printers, webcams, etc.
- Configuration settings
  - Search for: Prevent installation of devices using drivers that match these device setup classes
  - Set it to Enabled, then click Show and add any of these GUIDs:
| Device Class | Setup Class GUID | Real-World Use Case |
|---|---|---|
| USB Mass Storage | {36fc9e60-c465-11cf-8056-444553540000} | Block all USB sticks/drives |
| Portable Devices (MTP/PTP) | {eec5ad98-8080-425f-922a-dabf3de3f69a} | Block phones and cameras used as storage |
| CD/DVD/Blu-ray | {4d36e965-e325-11ce-bfc1-08002be10318} | Block optical drives |
| Printers | {4d36e979-e325-11ce-bfc1-08002be10318} | No local printer installation |
| Imaging Devices (Webcams) | {6bdd1fc6-810f-11d0-bec7-08002be2092f} | Prevent webcam driver install |
| Bluetooth | {e0cbf06c-cd8b-4647-bb8a-263b43f0f974} | Block all Bluetooth devices |
| Thunderbolt | {c06ff265-ae09-48f0-812c-16753d7cba83} | Critical for DMA attack prevention |
| FireWire (SBP-2) | {d48179be-ec20-11d1-b6b8-00c04fa372a7} | Legacy DMA attack vector |
| Biometric Devices | {53d29ef7-377c-4d14-864b-eb3a85769359} | Block external fingerprint readers |
- Critical checkbox: ☑ Also apply to matching devices that are already installed
  - Without this, existing devices keep working. With it, they are disabled on the next sync.
- Assignments → Target your device or user groups
  - Recommended: All corporate Windows devices (exclude kiosks/shared PCs if needed)
- Review + create
Method 2: Custom OMA-URI (Full CSP Control – For Power Users)
Create profile → Custom → Windows 10 and later
| Setting | Value |
|---|---|
| Name | Block Device Classes via CSP |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses |
| Data type | String |
| Value | {36fc9e60-c465-11cf-8056-444553540000},{eec5ad98-8080-425f-922a-dabf3de3f69a},{c06ff265-ae09-48f0-812c-16753d7cba83} |
Optional second policy to block already-installed devices:
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClassesApplyToExisting
- Value: 1
Whitelisting Specific Devices (When You Must Allow Some)
Use the companion policy: Allow installation of devices that match any of these device instance IDs
→ Add the specific Hardware IDs (from Device Manager → Details → Hardware IDs)
Verification & Monitoring (2025)
- On a test device: Event Viewer → Microsoft-Windows-DeviceSetupManager/Admin
  - Look for Event ID 301 – “Device installation is denied by policy”
- Intune → Devices → [Device] → Device configuration → Check policy status
- Run on the device: dsregcmd /status, then check the last sync time
- Or in PowerShell:
  Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceInstallation"
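The following audit script is an added example, not code from the original article: it checks on a single endpoint whether the deny-by-class policy from the GUID table above has landed, which of the listed GUIDs are actually in the deny list, and which present devices fall into a denied class (with their Hardware IDs, which is what the allow-list policy needs). It assumes the policy arrived via the ADMX-backed Administrative Template path, so it lands under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions; the event log name and Event ID 301 are taken from the article as written.

```powershell
# Added example (not from the original article). Assumption: ADMX-backed policy
# delivery, so the deny list is written under the Policies\...\DeviceInstall key.
$ExpectedClasses = @{
    'USB Mass Storage' = '{36fc9e60-c465-11cf-8056-444553540000}'
    'Portable Devices' = '{eec5ad98-8080-425f-922a-dabf3de3f69a}'
    'Thunderbolt'      = '{c06ff265-ae09-48f0-812c-16753d7cba83}'
    'FireWire (SBP-2)' = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'
}

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Policy = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue

# 1. Is the deny-by-class policy on, and does it apply to already-installed devices?
$DenyEnabled = ($Policy.DenyDeviceClasses -eq 1)
$Retroactive = ($Policy.DenyDeviceClassesRetroactive -eq 1)
Write-Host "DenyDeviceClasses enabled  : $DenyEnabled"
Write-Host "Applies to existing devices: $Retroactive"

# 2. Which GUIDs are in the deny list? They are stored as values "1","2",... under a subkey.
$DeniedGuids = @()
if (Test-Path "$Restrictions\DenyDeviceClasses") {
    $DeniedGuids = (Get-ItemProperty "$Restrictions\DenyDeviceClasses").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { "$($_.Value)".ToLower() }
}
foreach ($Name in $ExpectedClasses.Keys) {
    $Present = $DeniedGuids -contains $ExpectedClasses[$Name].ToLower()
    Write-Host ('{0,-18} {1}' -f $Name, $(if ($Present) { 'BLOCKED' } else { 'MISSING from deny list' }))
}

# 3. Present devices that belong to a denied class. Their Hardware IDs are the values you
#    would put in the allow-list policy for an approved dock or fingerprint reader.
Get-PnpDevice -PresentOnly |
    Where-Object { $DeniedGuids -contains "$($_.ClassGuid)".ToLower() } |
    ForEach-Object {
        $HwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{
            Name       = $_.FriendlyName
            Class      = $_.Class
            Status     = $_.Status          # 'Error' with a problem code once the policy has disabled it
            HardwareId = ($HwIds -join '; ')
        }
    } | Format-Table -AutoSize

# 4. Recent "denied by policy" events (log name and ID as given in the article).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceSetupManager/Admin'; Id = 301 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-Table -Wrap
```

Run it in an elevated PowerShell session after the device has synced; a class that shows MISSING means the GUID was not saved in the profile, not that the policy failed to apply.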
Pro Tips for 2025 Deployments
- Always pilot on 50 devices first
- Combine with BitLocker + DMA port protection for defense-in-depth
- Use dynamic groups: “All devices except shared kiosks”
- For Surface/approved docks → whitelist their specific Device Instance Paths
- Works perfectly on Windows 11 24H2/25H2 and Windows 10 22H2+
This single policy is used by banks, defense contractors, and Fortune 100 companies to achieve true kernel-level peripheral control — all managed from the cloud with Intune.
Deploy it today. Your attack surface will thank you. 🛡️
Official Docs (2025):
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation
