Microsoft 365 · 8 min read

USB Device Control in M365 for CUI Workstations

Defense contractors can use Microsoft Defender for Endpoint device control, Intune, BitLocker, and Endpoint DLP to run allow-by-exception USB policies on CUI workstations, protect CUI on removable media with FIPS-validated encryption, and produce evidence aligned to NIST 800-171 and CMMC assessment expectations.

You can control USB devices on CUI workstations with Microsoft Defender for Endpoint device control, Intune, BitLocker, and Endpoint DLP, then back the configuration with audit evidence. You still need policy, process, and user training to keep data where it belongs.

Removable media expectations in NIST 800-171 and CMMC

NIST SP 800-171 sets the floor for CUI protection. The access control family directs you to limit system access to authorized users, processes, and devices (AC.L2-3.1.1), to control the flow of CUI under approved authorizations (AC.L2-3.1.3), and to limit the use of organizational portable storage devices on external systems (AC.L2-3.1.21). The media protection family covers the media itself: physically control and securely store media that contains CUI (MP.L2-3.8.1), limit access to CUI on media to authorized users (MP.L2-3.8.2), sanitize or destroy media before disposal or reuse (MP.L2-3.8.3), maintain accountability for media during transport outside controlled areas (MP.L2-3.8.5), encrypt CUI on digital media during transport unless a physical safeguard covers it (MP.L2-3.8.6), and control the use of removable media on system components (MP.L2-3.8.7). Least functionality belongs in your build (CM.L2-3.4.6), cryptography that protects the confidentiality of CUI must be FIPS-validated (SC.L2-3.13.11), and audit records must capture security-relevant events, including removable media use (AU.L2-3.3.1).

NIST 800-171A provides assessment procedures for these practices. Assessors ask for configurations, screenshots, and monitoring outputs that demonstrate implementation and effectiveness. The CMMC Level 2 Assessment Guide frames the same expectation for evidence across technical, operational, and management controls.

You protect CUI on removable media with cryptographic modules that hold a CMVP validation under FIPS 140. FIPS 140-3 is the current standard; modules validated under FIPS 140-2 stay on the active list until their sunset date, so check the certificate that covers the Windows build you run rather than the title of the standard. NARA’s CUI Registry points you back to laws, regulations, and government-wide policies, and NIST 800-171 supplies the safeguarding requirements that drive your media policy.

Microsoft endpoint control building blocks

Microsoft Defender for Endpoint provides device control for Windows. Security teams use it to allow, block, or set read-only access for USB storage and other peripherals. You can scope rules by device attributes and by user or group membership. You can also tie behavior to network location to harden endpoints off your corporate network.

Intune delivers these policies to managed endpoints. You deploy the built-in device control profile under endpoint security, or a custom profile that carries the policy XML in OMA-URI settings, assign it to device or user groups, and stage ringed rollouts. The Microsoft Defender portal (formerly Microsoft 365 Defender) gives you a central view to author device control policies and review enforcement status.

Microsoft Purview Endpoint DLP adds data-aware controls on endpoints. You classify content, detect CUI handling on endpoints, and restrict actions such as copy to removable media. Device control limits the pipe, and Endpoint DLP inspects what flows through the pipe.

Microsoft’s US Government clouds support these building blocks. Microsoft’s public sector guidance explains the government offerings and reminds customers that they configure controls to meet their requirements. Customers in GCC High can use Defender for Endpoint and Intune to manage removable media on Windows workstations in scope for CUI.

Allow-by-exception USB policy design

You reduce attack surface when you remove nonessential capabilities. Device control can enforce least functionality on ports that present data exfiltration risk. An allow-by-exception model fits CUI workstations because it starts from deny and grants access where your mission needs it.

Start with a base stance that blocks write access to removable storage on CUI endpoints. Then permit direct business needs through narrow rules.

  • Allow read-only access for trusted USB storage to support tasks such as file intake from partners.
  • Allow read and write for a small set of managed drives that meet your encryption and key control standard.

Tighten device scope by hardware identity. Device control matches on vendor and product identifiers (VID_PID), and on serial number where you want to approve a specific drive rather than every unit of a model, so unmanaged drives never receive data.

  • Approve a list of encrypted USB brands and models that your team can buy and issue.
  • Deny mass storage for everything else, while leaving keyboards and mice alone.

Use context to raise the bar outside your controlled network. Device control supports rules bound to network conditions so you can protect mobile users.

  • Deny writes to removable media when a device lacks a trusted network condition.
  • Permit writes on approved media when the device resides on a managed network segment.

Leave a path for engineering and support tasks that need special devices. Handle those with temporary access and documented approvals, and expire those grants on a schedule.

Document the policy in your System Security Plan for the CUI environment. A tight USB policy depends on a clear CUI boundary, so confirm scoping first. See CMMC scoping and the CUI boundary.

Encryption and media handling on approved USB

If you allow CUI on removable storage, enforce encryption with FIPS-validated cryptographic modules. BitLocker To Go meets that requirement on Windows builds whose cryptographic modules hold a CMVP certificate, provided you enable the system cryptography policy that restricts Windows to FIPS-approved algorithms and set the removable drive encryption method to AES (XTS-AES, or AES-CBC 256 where the drives must also open on older Windows versions).

  • Require encryption before write access (deny write access to removable drives that BitLocker does not protect), escrow recovery passwords in the directory or key store your policy names, and test a recovery before you issue the first drive.
  • Publish a sanitization standard for removable media, and align it to MP.L2-3.8.3.

Protect CUI in transit, not only at rest. You control transport by policy and by practice. Limit who can carry media off controlled areas, and confirm that encryption stays active during transit to a partner or a government site.

Update procedures and user training to reflect this policy. Users need clear instructions on how to request an approved drive, how to handle it, and how to return or sanitize it.

Operational deployment in M365

Stand up Defender for Endpoint across in-scope Windows devices first. Confirm sensor onboarding, device inventory, and role-based access in the Microsoft Defender portal. Confirm Intune enrollment and device compliance status so you have a clean management plane.

Build device control in a lab group. Create your base deny rule for USB mass storage. Add a read-only rule for vetted vendor and product IDs. Add a write rule for your approved encrypted media. Assign to a pilot Microsoft Entra ID (formerly Azure AD) group, then test on a handful of devices that match your CUI workstation build.

Move to production in rings. Assign the policy to the next set of CUI devices after you review alerts and event logs. Keep a scoped emergency group that can receive a temporary override while you resolve a blocking issue.
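The allow-by-exception design described earlier and the lab-to-rings steps just above, carried out as one script. This is an added example, not code from the article or from Microsoft: it generates the device control groups and rules for that model (deny all removable storage, read-only for vetted intake models, read and write for approved encrypted drives on the trusted network only, read-only for those drives elsewhere) and writes them in the two forms the Windows client accepts, Group Policy XML files and per-element Intune OMA-URI rows. The VID_PID values, the network name corp.example.com, and the C:\DeviceControl folder are placeholders to replace with your own.

```powershell
# Added example, not the article's or Microsoft's code. Generates the allow-by-exception device
# control policy described above. VID_PID values, the network name, and $OutDir are placeholders.
$ErrorActionPreference = 'Stop'
$OutDir = 'C:\DeviceControl'

function NewId { (New-Guid).ToString('B') }   # braced GUID, the form device control expects
function GroupIds([string[]]$Ids) { ($Ids | ForEach-Object { "<GroupId>$_</GroupId>" }) -join '' }
function DeviceGroup([string]$Id, [string]$Name, [string[]]$Descriptors) {
@"
  <Group Id="$Id" Type="Device">
    <Name>$Name</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
$($Descriptors -join "`n")
    </DescriptorIdList>
  </Group>
"@
}
function Entry([string]$Type, [int]$Options, [int]$Mask, [string]$Params = '') {
  "    <Entry Id=`"$(NewId)`"><Type>$Type</Type><Options>$Options</Options><AccessMask>$Mask</AccessMask>$Params</Entry>"
}
function Rule([string]$Id, [string]$Name, [string[]]$Include, [string[]]$Exclude, [string[]]$Entries) {
  $excluded = if ($Exclude) { "`n    <ExcludedIdList>$(GroupIds $Exclude)</ExcludedIdList>" } else { '' }
@"
  <PolicyRule Id="$Id">
    <Name>$Name</Name>
    <IncludedIdList>$(GroupIds $Include)</IncludedIdList>$excluded
$($Entries -join "`n")
  </PolicyRule>
"@
}

# Generate these once and keep them: Intune identifies each group and rule by its GUID.
$G = @{ All = NewId; Intake = NewId; Approved = NewId; TrustedNet = NewId }
$R = @{ Base = NewId; Intake = NewId; Approved = NewId }

# Hypothetical hardware IDs. A drive's VID and PID sit in its instance path, for example
# USB\VID_0781&PID_5567\<serial> (Get-PnpDevice -PresentOnly -Class USB), written here as 0781_5567.
$IntakeModels   = @('0781_5567')               # partner intake: read only
$ApprovedModels = @('0951_1666', '13FE_5200')  # encrypted models your team issues

$TrustedNetXml = @"
  <Group Id="$($G.TrustedNet)" Type="Network" MatchType="MatchAll">
    <DescriptorIdList>
      <NetworkCategoryId>DomainAuthenticated</NetworkCategoryId>
      <NameId>corp.example.com</NameId>
    </DescriptorIdList>
  </Group>
"@
$Groups = @(
  [pscustomobject]@{ Id = $G.All;        Xml = DeviceGroup $G.All 'All removable storage' @('      <PrimaryId>RemovableMediaDevices</PrimaryId>') }
  [pscustomobject]@{ Id = $G.Intake;     Xml = DeviceGroup $G.Intake 'Read-only intake models' ($IntakeModels | ForEach-Object { "      <VID_PID>$_</VID_PID>" }) }
  [pscustomobject]@{ Id = $G.Approved;   Xml = DeviceGroup $G.Approved 'Approved encrypted drives' ($ApprovedModels | ForEach-Object { "      <VID_PID>$_</VID_PID>" }) }
  [pscustomobject]@{ Id = $G.TrustedNet; Xml = $TrustedNetXml }
)

# AccessMask bits: 1 disk read, 2 disk write, 4 disk execute, 8 file read, 16 file write,
# 32 file execute. 63 = all of them; 54 = every write and execute bit, which is what read-only denies.
# AuditDenied Options 3 = notify the user and send an event; AuditAllowed Options 2 = send an event.
# Entries are evaluated in order: on the trusted network the conditional Allow wins, otherwise
# the Deny after it applies and an approved drive falls back to read only.
$OnTrustedNet = "<Parameters MatchType=`"MatchAll`"><Network MatchType=`"MatchAny`"><GroupId>$($G.TrustedNet)</GroupId></Network></Parameters>"
$BaseRule     = Rule $R.Base 'Base: block all removable storage' @($G.All) @($G.Intake, $G.Approved) @((Entry 'Deny' 0 63), (Entry 'AuditDenied' 3 63))
$IntakeRule   = Rule $R.Intake 'Intake: read only' @($G.Intake) @() @((Entry 'Deny' 0 54), (Entry 'AuditDenied' 3 54))
$ApprovedRule = Rule $R.Approved 'Approved: write on trusted network' @($G.Approved) @() @(
  (Entry 'Allow' 0 63 $OnTrustedNet), (Entry 'Deny' 0 54), (Entry 'AuditAllowed' 2 63), (Entry 'AuditDenied' 3 54))
$Rules = @(
  [pscustomobject]@{ Id = $R.Base;     Xml = $BaseRule }
  [pscustomobject]@{ Id = $R.Intake;   Xml = $IntakeRule }
  [pscustomobject]@{ Id = $R.Approved; Xml = $ApprovedRule }
)

$GroupsXml = "<Groups>`n$($Groups.Xml -join "`n")`n</Groups>"
$RulesXml  = "<PolicyRules>`n$($Rules.Xml -join "`n")`n</PolicyRules>"
$null = [xml]$GroupsXml; $null = [xml]$RulesXml   # stop here if anything is malformed

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Group Policy form: point "Define device control policy groups" and "Define device control
# policy rules" (Microsoft Defender Antivirus > Features > Device Control) at these two files.
Set-Content -Path (Join-Path $OutDir 'Groups.xml') -Value $GroupsXml -Encoding UTF8
Set-Content -Path (Join-Path $OutDir 'Rules.xml')  -Value $RulesXml  -Encoding UTF8

# Intune form (Windows 10 and later > Custom profile): one String setting per group and per rule,
# whose value is that single element. The braces of the GUID are URL-encoded in the OMA-URI.
function OmaUri([string]$Kind, [string]$Id, [string]$Leaf) {
  "./Vendor/MSFT/Defender/Configuration/DeviceControl/$Kind/$($Id -replace '\{', '%7B' -replace '\}', '%7D')/$Leaf"
}
foreach ($g in $Groups) {
  Set-Content -Path (Join-Path $OutDir "Group-$($g.Id.Trim('{}')).xml") -Value $g.Xml -Encoding UTF8
  OmaUri 'PolicyGroups' $g.Id 'GroupData'
}
foreach ($r in $Rules) {
  Set-Content -Path (Join-Path $OutDir "Rule-$($r.Id.Trim('{}')).xml") -Value $r.Xml -Encoding UTF8
  OmaUri 'PolicyRules' $r.Id 'RuleData'
}
# Two Integer settings switch enforcement on. Keep DefaultEnforcement at 1 (allow unless a rule
# denies) so the Base rule is the deny and printers and optical drives stay out of scope until
# you write rules for them; 2 denies every device class that device control covers.
'./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled = 1'
'./Vendor/MSFT/Defender/Configuration/DefaultEnforcement = 1'
```

Run it once, check the generated GUIDs into source control with the approved-model list, and assign the Intune profile to the pilot group before the production rings; regenerating GUIDs later creates new policy objects on the client rather than updating the old ones.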

Layer Endpoint DLP where you handle CUI on endpoints. Define a CUI label and content markers that matter to your contracts. Configure an Endpoint DLP policy that warns or blocks copy to removable media for labeled content. See Microsoft Purview DLP for CUI.

Use Intune compliance policies and security baselines to enforce the rest of the endpoint posture. Drive BitLocker To Go enforcement through configuration profiles, and report on encryption status across devices. See Intune compliance baselines for CUI.

Monitoring and response

Tune visibility so you can spot misuse and troubleshoot real work. Defender for Endpoint records device control enforcement as DeviceEvents rows with the action type RemovableStoragePolicyTriggered, but only for rules that carry an AuditAllowed or AuditDenied entry with the send-event option, so every rule needs one. You can search those events with advanced hunting in the Microsoft Defender portal, review them in the Device control report, and export the results for your evidence body.

  • Build an alert or report that flags write attempts to blocked devices.
  • Track exceptions by user and device, and review those entries with managers.

Endpoint DLP adds signal about CUI movement. Use alerts and activity explorer to spot attempts to move labeled content to removable media. Correlate those entries with device control events to prove that the policy stopped the transfer or flagged it for review.
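The two reports the bullets above ask for, produced from the events this section describes. This is an added example, not code from the article or from Microsoft. It assumes an app registration that holds the AdvancedHunting.Read.All permission and a bearer token you have already obtained for it; $Token, $ApiBase (the commercial host is shown, GCC High has its own), and the verdict and access text used for filtering are placeholders you confirm against your portal's Device control report before relying on the output.

```powershell
# Added example, not the article's or Microsoft's code. Pulls device control enforcement events
# through the advanced hunting API and writes the blocked-write and exception-review reports.
# $Token, $ApiBase, $DenyVerdict and $WriteAccess are placeholders (see the comments).
param(
  [Parameter(Mandatory)] [string]$Token,
  [string]$ApiBase = 'https://api.security.microsoft.com',  # commercial host; GCC High uses its own
  [int]$Days = 30,
  [string]$DenyVerdict = 'Deny',    # verdict text as shown in your Device control report
  [string]$WriteAccess = 'Write',   # access text as shown in your Device control report
  [string]$OutDir = '.'
)
$ErrorActionPreference = 'Stop'

# Rows exist only where a rule has an AuditAllowed or AuditDenied entry with the send-event
# option; the Policy column carries the rule Name from the policy XML.
$Query = @"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType == "RemovableStoragePolicyTriggered"
| extend f = parse_json(AdditionalFields)
| project Timestamp, DeviceName, Account = InitiatingProcessAccountName,
          Policy = tostring(f.RemovableStoragePolicy),
          Access = tostring(f.RemovableStorageAccess),
          Verdict = tostring(f.RemovableStoragePolicyVerdict),
          VendorId = tostring(f.VendorId), ProductId = tostring(f.ProductId),
          Serial = tostring(f.SerialNumber), Media = tostring(f.MediaName)
| order by Timestamp desc
"@

$response = Invoke-RestMethod -Method Post -Uri "$ApiBase/api/advancedhunting/run" `
  -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' `
  -Body (@{ Query = $Query } | ConvertTo-Json)
$events = @($response.Results)

# Report 1: write attempts the policy denied, grouped by device, account and physical drive.
$blocked = $events |
  Where-Object { $_.Verdict -like "*$DenyVerdict*" -and $_.Access -like "*$WriteAccess*" } |
  Group-Object DeviceName, Account, VendorId, ProductId, Serial |
  ForEach-Object {
    [pscustomobject]@{
      Device   = $_.Group[0].DeviceName
      Account  = $_.Group[0].Account
      VID_PID  = "$($_.Group[0].VendorId)_$($_.Group[0].ProductId)"
      Serial   = $_.Group[0].Serial
      Attempts = $_.Count
      LastSeen = ($_.Group.Timestamp | Sort-Object -Descending)[0]
    }
  } | Sort-Object Attempts -Descending

# Report 2: allowed use of approved media, by account, device and rule, for the manager review
# of exceptions that the section above calls for.
$allowed = $events |
  Where-Object { $_.Verdict -notlike "*$DenyVerdict*" } |
  Group-Object Account, DeviceName, Policy |
  Select-Object @{ n = 'Account'; e = { $_.Group[0].Account } },
                @{ n = 'Device';  e = { $_.Group[0].DeviceName } },
                @{ n = 'Policy';  e = { $_.Group[0].Policy } },
                @{ n = 'Uses';    e = { $_.Count } }

$stamp = Get-Date -Format 'yyyyMMdd'
$blocked | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "blocked-writes-$stamp.csv")
$allowed | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "approved-media-use-$stamp.csv")
[pscustomobject]@{ Events = $events.Count; BlockedWriteGroups = @($blocked).Count; AllowedUseGroups = @($allowed).Count }
```

Schedule it monthly so each production ring and each assessment period has a dated pair of CSV files; the blocked-writes file is the evidence that the policy stopped transfers, and the approved-media file is the list you walk through with managers.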

Fold incident handling into your SOC playbooks. Create a process to disable removable media for a device during an investigation. Keep a request path that lets engineering and program leads ask for a time-bound exception when a program need drives it.

Evidence for CMMC assessments

Assessors look for objective evidence that each practice exists and works as designed. You increase assessment confidence when you prepare evidence that covers both configuration and operation.

Capture configuration state that reflects your design.

  • Export device control policy definitions from the Microsoft Defender portal (or the policy XML you deploy), and keep dated screenshots of scope, rules, and assignments.
  • Export Intune assignment views for the same policies, and keep a list of in-scope devices.

Show operational records that prove use and effectiveness.

  • Produce event logs that show blocked write attempts and successful uses of approved media.
  • Produce Endpoint DLP alerts tied to removable media actions for labeled CUI.

Map each artifact to the practice it supports. For example, device control rules and enforcement logs support AC.L2-3.1.1, AC.L2-3.1.3, AC.L2-3.1.21, CM.L2-3.4.6, and MP.L2-3.8.7. BitLocker To Go configuration and encryption reports support MP.L2-3.8.2, MP.L2-3.8.6, and SC.L2-3.13.11. Media custody and transport records support MP.L2-3.8.1 and MP.L2-3.8.5. Sanitization records support MP.L2-3.8.3. Audit configurations and event retention settings support AU.L2-3.3.1.
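The encryption-side evidence the mapping above calls for, and the configuration the earlier encryption section requires, collected from one CUI workstation. This is an added example, not code from the article or from Microsoft. It reads the FIPS algorithm policy and the BitLocker To Go policy values from the registry, queries the protection state of any removable drive that is plugged in, and writes a dated JSON record; run it elevated because the BitLocker cmdlets need it. The output path is a placeholder.

```powershell
# Added example, not the article's or Microsoft's code. Collects BitLocker To Go and FIPS
# configuration plus removable-drive protection state into one dated evidence record.
param([string]$OutFile = ".\BitLockerToGo-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd').json")
$ErrorActionPreference = 'Stop'

function Get-PolicyValue([string]$Path, [string]$Name) {
  # Returns $null when the policy is not set, so the record shows the gap instead of hiding it.
  (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MethodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }

$config = [pscustomobject]@{
  # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
  FipsAlgorithmPolicy = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
  # "Deny write access to removable drives not protected by BitLocker"
  RdvDenyWriteAccess  = Get-PolicyValue $fve 'RDVDenyWriteAccess'
  # "Choose drive encryption method and cipher strength" for removable data drives
  RdvEncryptionMethod = $MethodNames[[int](Get-PolicyValue $fve 'EncryptionMethodWithXtsRdv')]
}

# Removable volumes present right now, joined to their BitLocker state.
$drives = foreach ($v in (Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter })) {
  $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Drive            = "$($v.DriveLetter):"
    Label            = $v.FileSystemLabel
    ProtectionStatus = if ($bl) { [string]$bl.ProtectionStatus } else { 'NoBitLockerData' }
    EncryptionMethod = if ($bl) { [string]$bl.EncryptionMethod } else { $null }
    VolumeStatus     = if ($bl) { [string]$bl.VolumeStatus } else { $null }
    KeyProtectors    = if ($bl) { $bl.KeyProtector.KeyProtectorType -join ',' } else { $null }
  }
}

# Findings are the lines an assessor would otherwise have to derive from the raw values.
$findings = @()
if ($config.FipsAlgorithmPolicy -ne 1) { $findings += 'FIPS algorithm policy is not enabled' }
if ($config.RdvDenyWriteAccess -ne 1)  { $findings += 'Writes to removable drives without BitLocker are not denied' }
if (-not $config.RdvEncryptionMethod)  { $findings += 'No encryption method is set for removable drives' }
foreach ($d in $drives) {
  if ($d.ProtectionStatus -ne 'On') { $findings += "$($d.Drive) ($($d.Label)) is not protected" }
  if ($d.KeyProtectors -and $d.KeyProtectors -notmatch 'RecoveryPassword') { $findings += "$($d.Drive) has no recovery password protector" }
}

$report = [pscustomobject]@{
  Collected       = (Get-Date).ToString('o')
  Computer        = $env:COMPUTERNAME
  CollectedBy     = $env:USERNAME
  Configuration   = $config
  RemovableDrives = @($drives)
  Findings        = $findings
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
$report
```

Pair the JSON with the Intune encryption report for the same devices: the tenant view proves the policy was assigned, and the workstation record proves the values landed and that the drive in the user's hand is actually protected.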

Keep interviews in mind. Your administrators should explain the policy structure, the exception path, and how they check logs. Your users should describe how they request approved media and how they move data without violating policy.

Pitfalls to avoid

Teams often leave gaps that weaken an otherwise sound design.

  • Teams approve device models without validating FIPS alignment end to end, including key storage and recovery handling.
  • Teams match on vendor ID alone, or on a VID_PID that consumer and enterprise models from the same vendor share, and the rule grants broad access by accident. Match on VID_PID plus serial number for issued drives.

Close the loop with procurement and asset management so that only approved encrypted drives reach users. Review events after every pilot and after every production ring, and trim or tighten rules that create unintended access.

Sources

NIST Special Publication 800-171 Revision 2 (NIST)

NIST Special Publication 800-171A (NIST)

FIPS 140-3 Security Requirements for Cryptographic Modules (NIST)

Defender for Endpoint device control overview (Microsoft)

CMMC 2.0 Level 2 Assessment Guide (DoD CIO)

CUI Registry (National Archives and Records Administration)

Understanding compliance between Microsoft commercial, government, DoD, and secret offerings (Microsoft)
