What Caused an Unowned USB Breach in Intune? (MP.L2-3.8.8)

What Caused an Unowned USB Breach in Intune? (MP.L2-3.8.8)

Learn why an unassigned USB bypassed Intune, exposed CUI, and the intune unowned usb breach lessons learned needed for MP.L2-3.8.8.

LakeRidge Team
July 16, 2026
8 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

An unowned USB device caused the breach because the contractor’s Intune configuration controlled encryption and write access but did not reliably block removable media without an accountable owner. The laptop received an audit-only device-control policy, the user treated the device as legitimate, and malicious content on the drive led to unauthorized access to project data. These intune unowned usb breach lessons learned show that encryption, malware scanning, and general USB restrictions do not satisfy NIST SP 800-171 Rev. 2 practice MP.L2-3.8.8 unless the organization can identify the device owner and enforce that decision technically.

This composite incident is based on common failure patterns seen at small defense contractors using Microsoft 365, Microsoft Intune, Microsoft Defender for Endpoint, and Microsoft Purview. Names, times, and technical indicators have been changed, but the control failures are representative.

What happened during the unowned USB incident?

The affected organization had approximately 85 employees, supported two active Department of Defense subcontract efforts, and stored controlled unclassified information in Microsoft 365 GCC High. Its written media policy prohibited personal removable media, but its actual enforcement was inconsistent. The company had enabled BitLocker and configured a legacy removable-storage policy intended to prevent users from writing CUI to unencrypted USB drives.

Time Event Evidence
08:12 A project engineer found a USB flash drive in a shared conference room after a supplier meeting. The drive had no asset tag, owner label, serial-number record, or media checkout entry.
08:19 The engineer inserted the device into an Intune-enrolled Windows 11 laptop to identify its contents. Microsoft Defender for Endpoint recorded a new USB mass-storage device connection.
08:21 Windows mounted the drive because the applicable Intune Device Control policy was set to audit rather than deny. Advanced Hunting showed removable-media access events but no enforcement action.
08:24 The engineer opened a folder labeled “Updated Drawing Package” and launched a shortcut file that appeared to be a PDF package. Defender telemetry recorded explorer.exe launching cmd.exe and an unsigned executable from the removable drive.
08:27 The malware established a connection to an external command-and-control domain and attempted to collect browser session data. Defender for Endpoint generated a medium-severity alert for suspicious credential-access behavior.
08:36 The attacker used the engineer’s active Microsoft 365 session to access a SharePoint project library. Microsoft Purview Audit recorded abnormal download activity from the engineer’s account.
09:03 The managed security provider escalated the Defender alert to the ISSO and IT manager. Alert correlation linked the activity to removable-media execution.
09:18 The endpoint was isolated in Microsoft Defender for Endpoint, the user account was revoked, and tokens were invalidated. Device isolation and Entra ID sign-in logs confirmed containment.
13:40 The incident team confirmed that 146 project files had been accessed; 18 files containing CUI were downloaded. SharePoint audit logs and Purview content labels established the affected data set.

The device was not a company-issued drive and could not be tied to an employee, visitor, supplier, or approved subcontractor. That fact mattered more than whether the drive was encrypted or whether it had initially passed a malware scan. Under MP.L2-3.8.8, the device should never have been used because no responsible owner could be identified.

What was the root cause of the breach?

The root cause was a mismatch between the organization’s compliance intent and its technical design. Leadership believed that “blocked unencrypted USB write access” meant “USB is controlled.” It did not. The policy prevented certain data from being copied to removable media; it did not prevent unknown media from being connected, mounted, read, or used to introduce malicious files.

The endpoint had received an Intune configuration profile intended for pilot monitoring. The profile used Microsoft Defender for Endpoint Device Control in audit mode so IT could assess operational impact before blocking removable storage. The pilot had never formally closed, but its audit setting remained in production more than six months later.

A second issue made the exposure worse: the deny policy was assigned to a static “Engineering-Windows” device group. The affected laptop had been replaced through Autopilot after a hardware failure and was instead placed in a “Project-Laptops” group. The replacement device was compliant with BitLocker, Microsoft Defender Antivirus, and Windows update policies, but it was not targeted by the removable-media enforcement profile.

The incident therefore was not caused by a single careless employee. The employee made a poor decision by inserting found media, but the environment was designed to depend on employees making perfect decisions. The technical controls did not enforce the organization’s rule that portable storage must have an identifiable owner.

Why did MP.L2-3.8.8 fail despite Intune being deployed?

NIST SP 800-171 Rev. 2 MP.L2-3.8.8 requires organizations to prohibit use of portable storage devices when the devices have no identifiable owner. For a small contractor, this requires both a management process and a technical enforcement method. The company had fragments of both, but no complete control chain.

  • The policy language was incomplete. The media policy prohibited “personal USB drives,” but did not define found media, supplier media, loaned media, or media with missing asset labels as unowned and prohibited.
  • Ownership was not recorded. There was no register containing device serial number, assigned owner, business purpose, approval authority, encryption status, and return date.
  • Intune enforcement was not aligned to the requirement. The organization used encryption-focused removable-media settings, not a deny-by-default Device Control strategy for unapproved USB storage.
  • The control had no operating owner. IT owned the Intune profile, security owned the written policy, and the FSO maintained visitor procedures. No one owned the end-to-end MP.L2-3.8.8 control.
  • Audit evidence was mistaken for enforcement evidence. The team could show that Defender logged USB connections, but could not show that unowned devices were prevented from use.

The key Intune unowned USB breach lesson was that endpoint compliance reports cannot establish media accountability by themselves. Intune can deploy restrictive settings and Device Control policies, but an ISSO still needs an authoritative process for determining which removable devices are approved, who owns them, and how exceptions are documented.

What corrective and preventive actions were taken?

Containment began with isolating the endpoint, revoking the user’s Microsoft 365 sessions, resetting credentials, and preserving the USB drive for forensic handling. The ISSO also initiated the organization’s incident-reporting process, assessed whether contractual reporting obligations applied, and coordinated with leadership before notifying affected program stakeholders.

Within ten business days, the organization replaced the audit-only approach with deny-by-default removable-storage enforcement for Windows endpoints handling CUI. The policy was deployed through Intune Endpoint Security using Microsoft Defender for Endpoint Device Control. Approved company media was allowed only after its hardware identifier and assigned owner were recorded in the media register.

Intune policy: Endpoint security > Attack surface reduction > Device control
Platform: Windows 10 and later
Policy mode: Enforced
Removable storage default: Deny read, write, and execute
Approved media group: Company-issued encrypted USB devices
Allow criteria: Documented device instance ID and asset-register record
User exception: None; exceptions require ISSO approval and temporary policy assignment
Monitoring: Microsoft Defender for Endpoint advanced hunting and weekly review

The company also retired its static device-group assignment model. Device Control policies were assigned to an Entra ID dynamic device group covering all corporate Windows devices, with a separate documented exclusion group for approved test systems. The IT manager added a monthly review to verify that all Intune-enrolled CUI endpoints received the policy.

Corrective action Control owner Evidence retained
Create an approved portable-media register with owner, serial number, purpose, and issue/return dates. ISSO Media register, approval records, quarterly reconciliation results
Deploy Device Control deny-by-default policy through Intune. IT Manager Intune assignment report, policy export, device compliance evidence
Require asset labels on approved USB devices and prohibit unlabeled media. Property Custodian Asset inventory and media issuance records
Train employees to report found or supplier-provided media without connecting it. FSO and ISSO Training roster, acknowledgment, incident drill results
Review Defender telemetry for blocked USB attempts and unauthorized device connections. Security Operations Monthly monitoring report and ticket records

What intune unowned usb breach lessons learned should an ISSO apply?

First, treat ownership as an accountability condition, not a label on a drive. A USB device is not approved because it looks corporate, contains encrypted files, or belongs to a visitor who says it is safe. The organization must be able to identify a responsible owner and connect that owner to an authorization record.

Second, separate the related controls. MP.L2-3.8.7 addresses controlling the use of removable media on systems; MP.L2-3.8.8 adds a stricter decision point: even an otherwise permitted media type must be prohibited if no owner can be identified. A policy that allows encrypted USB drives generally may support parts of the media-protection program, but it does not by itself meet MP.L2-3.8.8.

Third, test the enforcement path with a real scenario. The most useful validation was not reviewing an Intune screenshot. It was attempting to connect an unlabeled, non-approved USB drive to a representative CUI laptop and confirming that read, write, and execution were denied. The team documented the result, the device identifier, the policy version, and the Defender event generated by the block.

Finally, make ownership survivable through normal business changes. Hardware replacements, Autopilot rebuilds, employee departures, supplier visits, and urgent field work are where media controls fail. The unowned USB breach lessons from Intune are clear: use dynamic targeting, maintain a current media register, assign one accountable control owner, and review exceptions before they become permanent gaps.

Schedule a 30-minute review this week with your IT manager and property custodian to test whether an unowned USB device is actually blocked on every Microsoft 365-managed CUI endpoint.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.