This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.
Hello everybody! We are Jorge Miguel Ferreira and Sebastian Werner, and we're consultants at Microsoft. This blog post will show you how to set up Microsoft Defender for Endpoint (MDE) Device Control Removable Storage Access Control (see Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media).
There are many ways of configuring this feature, such as GPOs, custom OMA-URIs and Intune, specifically using the new reusable settings feature in the Attack Surface Reduction (ASR) rules. This blog post will focus on the new ASR rules in Intune.
Note: this is not about controlling device installation (that is covered in Microsoft Defender for Endpoint Device Control Device Installation). In this blog, we'll only cover removable storage access control.
We will cover some common scenarios, such as:
- Scenario 1 - Blocking write access to all removable storage for all users with exceptions for specific removable storage
- Scenario 2 - Blocking write access to all removable storage for specific users groups on specific machine groups (e.g. specialized hardware)
- Scenario 3 - Block read and write access to specific devices
- Scenario 4 - Block access to CD/DVDs
As of July 2023, for this to work, you will need to have access to a machine where the following conditions are met:
- a supported version of Windows 10 or Windows 11 (in our lab we used Windows 22H2 July 2023 CU)
- enrolled in Intune (at the time of writing our demo tenant had version 2306)
- onboarded to MDE
- anti-malware client version 4.18.2103.3 or later (see Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media).
In MDE, we can match devices against various identifiers. This allows for either very broad targeting, using PrimaryId (RemovableMediaDevices, CdRomDevices, WpdDevices or PrinterDevices), or granular targeting, using IDs such as DeviceId.
You can find a list of supported IDs to match here: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media
We will use a number of these IDs in the following examples.
Now let's dive into our scenarios:
Scenario 1 - Blocking write access to all removable storage for all users with exceptions for specific removable storage
For this scenario, the first thing we need is to create multiple reusable settings: one that matches all removable storage devices and one for each specific device we want to exclude.
Start by navigating to the ASR section under Endpoint Security in Intune. From here, create the first reusable setting, which will match All Removable Storage [RemovableMediaDevices]:
Now we will create a second reusable setting that will match our test USB pen, which has the following FriendlyNameId: USB DISK 2.0 USB Device.
Note that you can filter by many different properties, and you need to identify which one is the most appropriate for your scenario.
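Before picking a property for a reusable setting it helps to see every identifier an attached drive actually exposes. The following PowerShell function is an added example (not code from the original post): it lists, for each USB mass-storage disk currently attached, the values that correspond to the FriendlyNameId, InstancePathId/DeviceId, HardwareId, VID_PID and SerialNumberId matchers. It relies only on the built-in PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty); the mapping of the USBSTOR instance path's last segment to the serial number, and of the parent USB node to VID/PID, is the assumption it makes about how Windows enumerates these devices.

```powershell
# Added example, not from the original post: enumerate the Device Control
# identifiers of every USB disk that is attached right now, so the right
# property can be chosen for a reusable setting. Run in an elevated
# Windows PowerShell 5.1 / PowerShell 7 session on Windows.

function Get-RemovableStorageIdentifiers {
    [CmdletBinding()]
    param()

    # USB mass-storage disks enumerate under the USBSTOR bus; the DiskDrive
    # class filter leaves out hubs, composite devices and other USB functions.
    $disks = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction Stop |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' }

    foreach ($disk in $disks) {
        # The parent USB node (USB\VID_xxxx&PID_yyyy\...) carries the pair
        # that the VID_PID matcher compares against (assumption, see lead-in).
        $parentId = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
            -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
        $vidPid = $null
        if ($parentId -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $vidPid = "$($Matches[1])_$($Matches[2])"
        }

        # USBSTOR instance paths end in <serial>&<instance>; the serial part is
        # what the SerialNumberId matcher uses (assumption, see lead-in).
        $serial = ($disk.InstanceId -split '\\')[-1] -replace '&\d+$', ''

        [PSCustomObject]@{
            # Property names mirror the Device Control identifier names
            PrimaryId          = 'RemovableMediaDevices'
            FriendlyNameId     = $disk.FriendlyName
            DeviceInstancePath = $disk.InstanceId      # InstancePathId / DeviceId
            HardwareId         = ($disk.HardwareID -join '; ')
            VID_PID            = $vidPid
            SerialNumberId     = $serial
        }
    }
}

# One record per attached USB disk; the FriendlyNameId column is where a value
# such as "USB DISK 2.0 USB Device" from scenario 1 shows up.
Get-RemovableStorageIdentifiers | Format-List
```

Prefer the narrowest identifier that still matches every device you intend to cover: FriendlyNameId is convenient for a lab but is shared by every drive of the same model, whereas SerialNumberId or the full instance path pins the exception to one physical device.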
After creating both Reusable Settings we will have the following:
Once the reusable settings are set up, we can start creating the ASR policy. Create a new ASR policy for Device Control and give it a name.
Scroll all the way to the bottom of the configuration; this is where you can apply the reusable settings you previously created. You can choose to either include or exclude devices based on the reusable settings. To block all removable storage and exclude specific devices, set up a policy like this:
Click on the option below Included ID and select the reusable setting that covers all removable storage (in our case All Removable Storage).
Click on the option below Excluded ID and select the reusable setting for the removable storage you want to exclude (in our case EMTEC USB drive).
Click on the option + Edit Entry and fill it in as shown in the picture below.
We continued the configuration of the policy, applying it to a machine group that contains our test Windows 10 device.
Result of Scenario 1
With the policy we created, writing data is only allowed to the EMTEC USB drive.
Any other device with a different FriendlyNameId cannot be written to.
Scenario 2 - Blocking write access to all removable storage for specific user groups on specific machine groups (e.g. specialized hardware)
Just like in scenario 1, start by creating a reusable setting to match all removable storage devices (in our case we added the reusable setting All Removable Storage to the Included ID).
For this scenario we don't want to exclude anything, so nothing is configured in the Excluded ID.
When applying the reusable setting in the ASR policy, notice the Sid and Computer Sid fields you can set per entry. When you do not set them, the entry applies to all users and all devices that are in scope for the ASR policy. The two SID fields allow you to narrow the entry to specific users, groups and/or devices. Even though the field says SID, you can use either the SID of an AD object or the object ID of an Azure AD object.
You can get the object ID of any AAD user, group or device by navigating to the AAD portal, searching for the user, group or device you want to include in the policy, and copying the object ID from the object's details view.
For our example we used the Sid of a specific user and denied Write permissions while allowing Read and Execute (for that specific user).
We continued the configuration of the policy applying it to a machine group that contains our test Windows 10 device.
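As an added example (not code from the original post), the functions below produce the value that goes into the Sid or Computer Sid field from a principal name and check that it has one of the two accepted shapes, a Windows SID or an Azure AD object ID (GUID). On-premises AD accounts are translated with the .NET NTAccount class, which works on any domain-joined machine without the AD module; Azure AD objects are looked up with the Microsoft.Graph PowerShell module (Get-MgUser, Get-MgGroup, Get-MgDevice), which is an assumption about the tooling you have available, not something the post uses. The function names and the sample account names are made up for this example.

```powershell
# Added example, not from the original post: resolve a user, group or device
# to the value expected by the Sid / Computer Sid fields of a Device Control
# entry and validate its shape before it is pasted into Intune.
# For the AAD kinds, first run:
#   Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Device.Read.All'

function Test-DeviceControlSidValue {
    # The field accepts either a Windows SID or an Azure AD object ID (GUID).
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -match '^S-1-\d+(-\d+)+$') -or
           ($Value -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')
}

function Resolve-DeviceControlSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet('ADAccount', 'AADUser', 'AADGroup', 'AADDevice')]
        [string]$Kind
    )
    # OData string literals escape a single quote by doubling it
    $filterName = $Name.Replace("'", "''")
    switch ($Kind) {
        'ADAccount' {
            # Users and groups alike, e.g. 'CONTOSO\dberger' or 'CONTOSO\USB-Writers'
            $account = New-Object System.Security.Principal.NTAccount($Name)
            $values = @($account.Translate([System.Security.Principal.SecurityIdentifier]).Value)
        }
        'AADUser'   { $values = @((Get-MgUser -UserId $Name -ErrorAction Stop).Id) }  # UPN or object ID
        'AADGroup'  { $values = @((Get-MgGroup  -Filter "displayName eq '$filterName'" -ErrorAction Stop).Id) }
        'AADDevice' { $values = @((Get-MgDevice -Filter "displayName eq '$filterName'" -ErrorAction Stop).Id) }
    }
    # Display names are not unique in Azure AD; refuse to guess between matches
    if ($values.Count -ne 1) {
        throw "Expected exactly one $Kind named '$Name', found $($values.Count)"
    }
    if (-not (Test-DeviceControlSidValue $values[0])) {
        throw "Unexpected value '$($values[0])' for $Kind '$Name'"
    }
    return $values[0]
}

# Constructed usage (names are placeholders, not from the post):
#   Resolve-DeviceControlSid -Name 'CONTOSO\dberger' -Kind ADAccount      # -> S-1-5-21-...
#   Resolve-DeviceControlSid -Name 'dberger@contoso.com' -Kind AADUser    # -> GUID
#   Resolve-DeviceControlSid -Name 'LAB-WIN10-01' -Kind AADDevice         # -> GUID for Computer Sid
```

The uniqueness check matters for AADGroup and AADDevice: a display-name filter can return several objects, and silently taking the first one would scope the entry to the wrong group or machine.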
Result of Scenario 2
With this policy, the user configured in the Sid option (in this case Debra Berger) on the test Windows 10 device cannot write to any Removable Storage. Other users on the same device are unaffected.
Scenario 3 - Block read and write access to specific devices
For this scenario, we can reuse the USB thumb drive reusable setting from scenario 1; we only need to change the ASR rule to block read, write, and execute for this specific removable storage.
Result of Scenario 3
With this policy, no user can read from or write to the EMTEC USB drive on the test Windows device. All other removable storage devices continue to work as before.
Scenario 4 - Block access to CD/DVDs
For this scenario, the first thing we need is to create a reusable setting that matches CdRomDevices.
Then create an ASR rule that blocks read, write, and execute for the CD/DVD Devices reusable setting. The entry looks like this:
Apply it to the devices in scope for the test (in our test all devices).
Result of Scenario 4
With this policy, no user can access CD/DVD devices (including ISO files mounted in Windows Explorer).
To check whether the newest version of your policy has been applied on the device, there is one registry key that helps in troubleshooting:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
In this registry key there are two REG_SZ values, PolicyGroups and PolicyRules. PolicyGroups holds the effective groups configuration (the reusable settings) that applies to the device, and PolicyRules stores the effective policy for removable storage access control. Both values hold the configuration in XML format. If you export the key you'll get the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
<Name>Block All CD/DVDs</Name>
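Reading the raw XML out of a .reg export is tedious, so here is an added example (not code from the original post) that reads the two REG_SZ values directly, parses the XML and returns one object per group and per rule entry, with the AccessMask decoded into the access types it denies or allows. The element names it expects (Groups/Group/Name/MatchType/DescriptorIdList and PolicyRules/PolicyRule/IncludedIdList/ExcludedIdList/Entry/Type/AccessMask/Sid/ComputerSid) and the AccessMask bit values follow Microsoft's documented Device Control policy XML schema; the post itself only shows the single <Name> element above, so treat that schema as an assumption and check it against the export on your own device. The sample XML at the end is constructed to mirror scenario 4 so the parser can be tried offline.

```powershell
# Added example, not from the original post: decode the effective Device
# Control policy stored under the Policy Manager key named above.

$PolicyManagerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'

# AccessMask bits for removable storage access control (documented schema
# values; an assumption as far as this post is concerned).
$AccessMaskBits = @(
    @{ Bit = 1;  Name = 'Disk Read' },
    @{ Bit = 2;  Name = 'Disk Write' },
    @{ Bit = 4;  Name = 'Disk Execute' },
    @{ Bit = 8;  Name = 'File Read' },
    @{ Bit = 16; Name = 'File Write' },
    @{ Bit = 32; Name = 'File Execute' },
    @{ Bit = 64; Name = 'Print' }
)

function ConvertTo-AccessList {
    param([int]$Mask)
    $names = foreach ($b in $AccessMaskBits) { if ($Mask -band $b.Bit) { $b.Name } }
    if ($names) { $names -join ', ' } else { '(none)' }
}

function Get-DeviceControlEffectivePolicy {
    [CmdletBinding()]
    param(
        # Defaults read the live values; pass strings to inspect an export offline.
        [string]$GroupsXml = (Get-ItemPropertyValue -Path $PolicyManagerKey -Name 'PolicyGroups'),
        [string]$RulesXml  = (Get-ItemPropertyValue -Path $PolicyManagerKey -Name 'PolicyRules')
    )
    [xml]$groups = $GroupsXml
    [xml]$rules  = $RulesXml

    # Map group GUIDs to names so rules print with their reusable setting names
    $groupName = @{}
    foreach ($g in $groups.Groups.Group) {
        $groupName[$g.Id] = $g.Name
        $descriptors = ($g.DescriptorIdList.ChildNodes |
            ForEach-Object { "$($_.Name)=$($_.InnerText)" }) -join '; '
        [PSCustomObject]@{ Kind = 'Group'; Name = $g.Name; Included = $descriptors
                           Excluded = ''; EntryType = $g.MatchType; Access = ''
                           Sid = ''; ComputerSid = '' }
    }
    $resolve = { if ($groupName.ContainsKey($_)) { $groupName[$_] } else { $_ } }
    foreach ($r in $rules.PolicyRules.PolicyRule) {
        # Where-Object drops the null an empty <ExcludedIdList /> yields
        $included = @($r.IncludedIdList.GroupId | Where-Object { $_ } | ForEach-Object $resolve)
        $excluded = @($r.ExcludedIdList.GroupId | Where-Object { $_ } | ForEach-Object $resolve)
        foreach ($e in $r.Entry) {
            [PSCustomObject]@{ Kind = 'Rule'; Name = $r.Name
                               Included = $included -join ', '; Excluded = $excluded -join ', '
                               EntryType = $e.Type; Access = ConvertTo-AccessList ([int]$e.AccessMask)
                               Sid = $e.Sid; ComputerSid = $e.ComputerSid }
        }
    }
}

# Constructed sample modelled on scenario 4 (GUIDs are placeholders) so the
# parser can be exercised without a managed device.
$SampleGroups = @'
<Groups>
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <Name>CD/DVD Devices</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><PrimaryId>CdRomDevices</PrimaryId></DescriptorIdList>
  </Group>
</Groups>
'@
$SampleRules = @'
<PolicyRules>
  <PolicyRule Id="{22222222-2222-2222-2222-222222222222}">
    <Name>Block All CD/DVDs</Name>
    <IncludedIdList><GroupId>{11111111-1111-1111-1111-111111111111}</GroupId></IncludedIdList>
    <ExcludedIdList />
    <Entry Id="{33333333-3333-3333-3333-333333333333}">
      <Type>Deny</Type><Options>0</Options><AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
'@
Get-DeviceControlEffectivePolicy -GroupsXml $SampleGroups -RulesXml $SampleRules | Format-Table -AutoSize
# On a managed device, call it with no arguments to read the live registry values.
```

With the sample input the rule row shows EntryType Deny and Access "Disk Read, Disk Write, Disk Execute" for the CD/DVD Devices group. If a device reports rows that do not match what you built in Intune, the policy has not yet been refreshed, or a second policy targeting the same device is being merged in.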
As seen in the examples above, it is now simple to configure Device Control policies via Intune with this new option, and the possibilities are very extensive.
- Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Learn
- Deploy and manage Removable Storage Access Control using Intune | Microsoft Learn