diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..f43673ae62 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8293,6 +8293,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice
+
+
+ Storage/WPDDevicesDenyReadAccessPerUser
+
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice
+
+
+ Storage/WPDDevicesDenyWriteAccessPerUser
+
### System policies
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index d470d7977b..7c441baca0 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -48,6 +48,18 @@ manager: dansimp
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice
+
+
+ Storage/WPDDevicesDenyReadAccessPerUser
+
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice
+
+
+ Storage/WPDDevicesDenyWriteAccessPerUser
+
@@ -139,8 +151,8 @@ The following list shows the supported values:
Home |
- |
- |
+ No |
+ No |
Pro |
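Review bot: The Home row edit here (empty cells to No / No), repeated in the five hunks that follow, changes the edition tables of existing Storage policies and not those of the four new WPD policies. The hunk headers ("The following list shows the supported values:", "ADMX Info:") do not show which policy each table belongs to. Name the affected policies in the change description, or split this cleanup into its own commit so the support-matrix change can be reviewed separately.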
@@ -218,8 +230,8 @@ ADMX Info:
Home |
- |
- |
+ No |
+ No |
Pro |
@@ -300,8 +312,8 @@ ADMX Info:
Home |
- |
- |
+ No |
+ No |
Pro |
@@ -382,8 +394,8 @@ ADMX Info:
Home |
- |
- |
+ No |
+ No |
Pro |
@@ -464,8 +476,8 @@ ADMX Info:
Home |
- |
- |
+ No |
+ No |
Pro |
@@ -552,8 +564,8 @@ ADMX Info:
Home |
- |
- |
+ No |
+ No |
Pro |
@@ -782,5 +794,348 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
+
+**Storage/WPDDevicesDenyReadAccessPerDevice**
+
+
+
+
+ Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ Home |
+ No |
+ No |
+
+
+ Pro |
+ Yes |
+ Yes |
+
+
+ Business |
+ Yes |
+ Yes |
+
+
+ Enterprise |
+ Yes |
+ Yes |
+
+
+ Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2].
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- 1-Enabled
+- 0-Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_2*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyReadAccessPerUser**
+
+
+
+
+ Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ Home |
+ No |
+ No |
+
+
+ Pro |
+ Yes |
+ Yes |
+
+
+ Business |
+ Yes |
+ Yes |
+
+
+ Enterprise |
+ Yes |
+ Yes |
+
+
+ Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2].
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- 1-Enabled
+- 0-Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_1*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyWriteAccessPerDevice**
+
+
+
+
+ Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ Home |
+ No |
+ No |
+
+
+ Pro |
+ Yes |
+ Yes |
+
+
+ Business |
+ Yes |
+ Yes |
+
+
+ Enterprise |
+ Yes |
+ Yes |
+
+
+ Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- 1-Enabled
+- 0-Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_2*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+**Storage/WPDDevicesDenyWriteAccessPerUser**
+
+
+
+
+ Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ Home |
+ No |
+ No |
+
+
+ Pro |
+ Yes |
+ Yes |
+
+
+ Business |
+ Yes |
+ Yes |
+
+
+ Enterprise |
+ Yes |
+ Yes |
+
+
+ Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
+
+- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
+- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
+- Mass Storage Class (MSC) over USB
+
+If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
+
+Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications.
+
+>[!NOTE]
+> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
+
+Supported values for this policy are:
+- Not configured
+- 1-Enabled
+- 0-Disabled
+
+
+
+ADMX Info:
+- GP Friendly name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_2*
+- GP path: *System/Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+
+
+
+
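Review bot: In the Storage/WPDDevicesDenyWriteAccessPerUser section the ADMX line gives GP name *WPDDevices_DenyWrite_Access_2*, the same value used for Storage/WPDDevicesDenyWriteAccessPerDevice. The read pair uses *WPDDevices_DenyRead_Access_2* for PerDevice and *WPDDevices_DenyRead_Access_1* for PerUser, so the PerUser write entry looks like a copy-paste slip and should be checked against RemovableStorage.admx. In all four sections the protocol list includes "Mass Storage Class (MSC) over USB" while the NOTE says the policy cannot block removable storage such as a USB thumb drive. State which MSC devices are actually covered, so admins do not treat these settings as a removable-storage control. The "Audit/Warn – P1: in the future, will consider ..." line reads as an internal planning note, and in the two read sections it still carries the draft comment markers "[TC(1] [TW2]"; drop it or rewrite it for publication. Smaller points: "Windows Portal devices" should presumably be Windows Portable Devices to match the WPD policy names, "browser the USB" should be "browse", "IOS" and "iOS" are used inconsistently, and the supported values list "Not configured" beside 1 and 0 without saying how it behaves.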