Jackie Ramsey, March 21, 2026

USB drives are tiny, cheap, and easy to ignore. They’re also one of the fastest ways to move Controlled Unclassified Information off a managed endpoint. When I build CMMC USB controls for Level 2, I use Microsoft Intune for baseline restrictions, Microsoft Defender for Endpoint for detailed allow and deny logic, and written process controls for everything an assessor will ask next.

That mix matters because CMMC isn’t just about blocking a port. It’s about controlling removable media, limiting access, logging use, and handling exceptions without guesswork. If CUI can ride out the door in a pocket, the endpoint is only pretending to be protected.

What CMMC Level 2 expects from USB storage

Level 2 maps to NIST SP 800-171 Rev. 2, so USB control touches more than one control family. The clearest media practices are MP.L2-3.8.7, control the use of removable media on system components, and MP.L2-3.8.8, prohibit portable storage devices with no identifiable owner. If approved media leaves a controlled space, MP.L2-3.8.6 also pushes me toward encryption. At the same time, access control and audit evidence matter because assessors want proof that only approved people, on approved systems, used approved media.

Ownerless media is a red flag because it breaks accountability. If I can’t tie a device to a person, a business reason, and an encryption standard, I don’t let it touch CUI. That’s where many teams stumble. They block some USB devices, but they leave the approval path informal.

When I document the design, I usually align it with Microsoft’s CMMC Level 2 access control guidance. That gives me a clean way to explain the technical control, the approval path, and the boundary around CUI.

This is the simple split I use:

Need                            | Microsoft control                            | Evidence I keep
Block personal USB storage      | Intune restrictions, Defender device control | policy scope, assignments, test results
Allow approved encrypted drives | Defender groups plus BitLocker settings      | media inventory, owner record, approval
Show attempts and reviews       | Defender events and Intune reports           | review notes, tickets, screenshots

A blocked USB port is helpful. A documented allowlist with review history is what usually makes the assessor comfortable.

In other words, auditors rarely stop at “show me the policy.” They want to see who can use removable media, why that access exists, and how I know the rule actually worked on live Windows endpoints.

How I split Intune and Defender responsibilities

I keep the broad baseline in Intune because it scales cleanly. With the Intune USB restriction settings, I can block removable storage, restrict device installation classes, and push BitLocker rules such as denying write access to removable drives that aren’t protected. I can also use compliance policies and Conditional Access to keep risky devices away from Microsoft 365, but I don’t treat compliance policy as the actual USB block. It’s supporting evidence, not the main gate.

There isn’t a single CMMC template that does this for me. I still have to design the rule model. Intune alone can handle the broad restrictions, but serial-based allowlists and richer device group logic fit better in Defender for Endpoint.


What I keep in Intune

Intune is where I do broad Endpoint Security and Device Hardening. I assign those settings to pilot groups first, then expand by role, site, or device type. That helps when a contractor has engineering laptops, shared kiosks, and lab systems in one tenant. If a device never needs USB storage, I block it outright. That simple default removes a lot of noise.

What I keep in Defender for Endpoint

For granular control, I move to Defender for Endpoint device control, which I still author from the Intune console. Here I can create policy groups for approved encrypted USB drives, target rules by serial number or hardware identifiers, and set actions such as audit, allow, read-only, or deny. My usual model is default deny for removable storage, then allow only company-issued encrypted media with an identifiable owner. I often start in audit mode for a few days, because it shows me what would break before I flip to enforce.

If admins or service staff need access, I don’t create a broad bypass. I build a separate exception group, tie it to named devices or named staff, require a ticket, and review it every month. When temporary elevation is needed, I prefer controlled privilege workflows over permanent local admin. That’s cleaner, safer, and easier to defend during assessment.

How I validate enforcement and build audit-ready evidence

A policy that looks right in the portal can still fail on the endpoint. So I validate on managed Windows devices, not just in the console. The Defender device control policy model helps me line up rules, groups, and exclusions before I test.


My validation set is small, but it covers the cases that matter:

  • Personal unencrypted USB drive: It should be blocked, and the event should be visible.
  • Company-approved encrypted USB drive: It should work only within the policy I assigned.
  • Non-storage USB devices: Keyboards, mice, and other allowed classes should keep working.
  • Service exception scenario: The temporary allow should expire cleanly, with evidence of approval.
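To make the rule model from the Defender section concrete, here is an added Python simulation of the decision logic (not Microsoft's or the author's code): default deny for removable storage, allow for inventoried encrypted media with an owner of record, read-only for approved media that is not yet BitLocker protected, a time-boxed exception group, and audit mode that logs instead of blocking. It also runs the four validation cases listed above; the serial numbers, owner name, ticket id and dates are constructed placeholders, and the access bits follow the AccessMask convention of the Defender device control policy XML.

```python
from dataclasses import dataclass, field
from datetime import date

# Access bits follow the AccessMask convention in Defender device control XML.
READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE

@dataclass
class Device:
    primary_id: str          # group descriptor, e.g. "RemovableMediaDevices"
    serial: str = ""
    encrypted: bool = False  # BitLocker To Go state reported by the client
    owner: str = ""          # empty = no identifiable owner (MP.L2-3.8.8)

@dataclass
class Policy:
    inventory: dict                                 # serial -> owner of record
    exceptions: dict = field(default_factory=dict)  # serial -> (ticket, expiry)
    enforce: bool = False                           # False = audit mode

def evaluate(policy: Policy, dev: Device, today: date):
    """Return (access_mask, event); event is None when nothing is logged."""
    if dev.primary_id != "RemovableMediaDevices":
        return FULL, None  # keyboards, mice: outside the storage group
    exc = policy.exceptions.get(dev.serial)
    if exc and today <= exc[1]:  # time-boxed service exception with a ticket
        return READ | WRITE, f"allow: exception {exc[0]} until {exc[1]}"
    owner = policy.inventory.get(dev.serial)
    if owner and owner == dev.owner:  # company-issued with identifiable owner
        if dev.encrypted:
            return READ | WRITE, f"allow: approved media, owner {owner}"
        return READ, "read-only: approved media not BitLocker protected"
    # Default deny: personal drives, ownerless media, expired exceptions.
    label = dev.serial or "(no serial)"
    if policy.enforce:
        return 0, f"deny: unapproved removable media {label}"
    return READ | WRITE, f"audit: would deny {label}"  # audit mode only logs

# Constructed inventory, exception log and test dates (placeholders, not real).
POLICY = Policy(inventory={"CO-0042": "alice"}, enforce=True,
                exceptions={"SVC-0007": ("TICKET-0001", date(2026, 3, 31))})
TEST_DAY, AFTER_EXPIRY = date(2026, 3, 21), date(2026, 4, 1)

def run_validation_set(policy: Policy, today: date):
    """The four validation cases from the text, as constructed devices."""
    cases = {
        "personal": Device("RemovableMediaDevices", "PERSONAL1"),
        "approved": Device("RemovableMediaDevices", "CO-0042", True, "alice"),
        "keyboard": Device("Keyboard"),
        "service": Device("RemovableMediaDevices", "SVC-0007"),
    }
    return {name: evaluate(policy, d, today) for name, d in cases.items()}
```

Re-running `run_validation_set` with `AFTER_EXPIRY` shows the service exception falling back to the default deny, which is the expiry evidence the fourth case asks for.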

After that, I capture Intune assignment status, Defender events, local client behavior, and screenshots showing the exact policy version. Those artifacts feed the System Security Plan, the media protection policy, and the exception log. I also document who approves USB use, how approved media is inventoried, how lost media is reported, and how media is sanitized or destroyed. Software can’t do that part alone. User training matters too, because “I just used my own thumb drive” is still a policy failure.

This same discipline carries into Small Business IT and Digital Transformation work. It supports Cloud Infrastructure, Office 365 Migration, Cloud Management, Data Center Technology, and Secure Cloud Architecture projects, because removable media still appears during installs, backups, and break-fix work. As a Business Technology Partner, I tie USB governance into Cybersecurity Services, Tailored Technology Services, Technology Consulting, Innovative IT Solutions, Infrastructure Optimization, IT Strategy for SMBs, Managed IT for Small Business, and Business Continuity & Security. Even Restaurant POS Support and Kitchen Technology Solutions benefit from the same model, because field devices and vendor tools still create endpoint risk.

Conclusion

CMMC Level 2 USB control is simple in theory and messy in practice. Intune gives me broad restriction and BitLocker enforcement. Defender for Endpoint gives me granular policy groups, exception logic, and the audit trail. Good CMMC USB controls come together only when the technology, the written policy, and user behavior all say the same thing. That’s the difference between a blocked port and a program I can stand behind in front of an assessor.
