NIST 800-53 REV 5 • ACCESS CONTROL
AC-19(1) — Use of Writable and Portable Storage Devices
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Control the use of writable and portable storage devices such as USB drives. These devices are among the easiest ways to exfiltrate data or introduce malware.
Example 1: Via GPO, restrict USB storage access at Computer Configuration → Administrative Templates → System → Removable Storage Access. Set "All Removable Storage classes: Deny all access" to Enabled. If specific users need USB access, create an exception group and scope a separate GPO to them with read-only access.
Example 2: In Intune, create an endpoint protection profile that blocks USB storage devices. Under Device configuration → Endpoint protection → Microsoft Defender Exploit Guard → Device control, block all removable storage. Log all blocked attempts to your SIEM for monitoring.
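One way to check on an endpoint that the GPO from Example 1 has actually applied, as an added example that is not part of the original page: it reads the registry values that the Removable Storage Access policy settings write under the machine policy key. The function name and the `-AllowReadOnlyException` switch are hypothetical, and only the Computer Configuration side of the policy is checked.

```powershell
# Added example: report which removable-storage restriction is in effect on this machine.
function Get-RemovableStoragePolicyState {
    param(
        # Key written by Computer Configuration > Administrative Templates > System > Removable Storage Access
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
        # Hypothetical switch: set on machines covered by the read-only exception GPO
        [switch]$AllowReadOnlyException
    )
    # Device class GUID used by the "Removable Disks" settings (USB flash drives, external disks)
    $diskKey = Join-Path $PolicyKey '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

    function Read-PolicyValue([string]$Key, [string]$Name) {
        # A missing key or value means the setting is Not Configured, treated here as 0
        $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    }

    $denyAll   = Read-PolicyValue $PolicyKey 'Deny_All'    # "All Removable Storage classes: Deny all access"
    $denyWrite = Read-PolicyValue $diskKey   'Deny_Write'  # "Removable Disks: Deny write access"

    $state = if ($denyAll -eq 1) {
        'DenyAll'
    } elseif ($denyWrite -eq 1) {
        'ReadOnly'
    } else {
        'NotRestricted'
    }

    # DenyAll is the baseline; ReadOnly passes only where the exception is expected
    $compliant = ($state -eq 'DenyAll') -or ($AllowReadOnlyException -and $state -eq 'ReadOnly')

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        State        = $state
        Compliant    = [bool]$compliant
    }
}

# Run locally, or wrap in Invoke-Command to sweep a list of hosts
Get-RemovableStoragePolicyState
```

A `NotRestricted` result on a machine that should be in scope usually means the GPO is not linked or filtered out for that computer; `gpresult /r` shows which policies applied.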