O Removable Storage, Where Art Thou?

Last Updated on February 7, 2022 by rudyooms

I guess it’s time for the sixth part of the Endpoint Security Series. This time I will walk you through what Microsoft Defender Device Control is, how to configure it in Intune and how it works.

I will divide this blog into 9 parts 

  1. Information about device control.
  2. Configuring Device Control in Intune
  3. Results of Blocking Specific Hardware
  4. Results of preventing Write Access Removable Storage
  5. Deploy printer protection on Windows
  6. Digging deeper
  7. Logging
  8. Removing/Changing the policy
  9. Conclusion

1. Information about Device Control

Microsoft Defender for Endpoint has a really cool feature to protect devices against data loss. This feature gives you a layered approach to securing removable hardware like external hard drives. Of course, a feature like this couldn’t have any other name than Windows Defender Device Control.

With Device Control you can make sure users have no possibility to install specific hardware on their devices, or you can make sure removable storage can’t be used at all!

The only prerequisite? You need to make sure Microsoft Defender for Endpoint is enabled and active. If you have configured another AV, Microsoft Defender will be running in passive mode and Device Control will probably not work.

2. Configuring Device Control in Intune

Like always, open Intune and click on Endpoint Security –> Attack Surface Reduction to start creating a new policy.

I am going to split this first one up, because the first part (allowing or blocking hardware) is sometimes difficult to understand and configure. The second part, about allowing removable storage, sort of speaks for itself.

1. Allowing / Blocking Hardware

 

These settings allow you to create allow lists or deny lists based on hardware IDs, device setup class GUIDs or device instance IDs. They let us secure the environment by defining exactly which hardware is allowed to connect.

When you configure a block policy it applies at the device level, so even if your end users are local administrators the hardware will be blocked.

Block / Allow Hardware Device installation by device identifiers 

Specific Hardware IDs you configure in this policy are forbidden and blocked from being installed. 

PLEASE NOTE: The device ID isn’t the PnP ID but the Hardware ID 

*How to find the Device/Hardware Id with the device manager 


*How to find the Device/Hardware Id with PowerShell? 

Get-WmiObject Win32_PnPEntity | Select-Object Name, HardwareID | Sort-Object HardwareID | Get-Unique -AsString | Format-List


Block / Allow Hardware device installation by setup classes:

Device class GUIDs entered here are disallowed from installing. Prevent policies have higher priority than allow policies: if a device class GUID is configured in both an allow and a disallow policy, devices of that class will not be allowed to install.

*How to find the Class GUID with the device manager 

While I was looking at the device class GUIDs I realised I also did a blog on this topic some time ago. That blog shows you how to allow normal users to install printer drivers on their own.

*How to find the Class GUID with PowerShell? 

Get-WmiObject Win32_PnPEntity | Select-Object Name, ClassGuid | Sort-Object ClassGuid | Get-Unique -AsString | Format-List


Block / Allow Hardware device installation by device instance identifiers:

A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system. The Plug and Play manager assigns a device instance ID to each device node in a system’s device tree.

*How to find the Device instance ID with the Device Manager 


*How to find the Device instance ID with PowerShell? 

Get-WmiObject Win32_PnPEntity | Select-Object Name, DeviceID | Sort-Object DeviceID | Get-Unique -AsString | Format-List
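The three one-liners above each return one identifier type for every PnP device on the machine. As an added example (not from the original post), the function below collects all three identifiers that Device Control can match on, but only for connected USB storage devices, so the values can be copied straight into an allow or deny list. It assumes Windows PowerShell 5.1 or later and uses the CIM cmdlets instead of Get-WmiObject; the function name and the USBSTOR\ prefix are my own choices.

```powershell
# Added example: list the identifiers Device Control policies match on
# (Hardware IDs, setup class GUID, device instance ID) for each connected
# USB storage device. Win32_PnPEntity is queried through CIM.

function Get-RemovableStorageIdentifiers {
    [CmdletBinding()]
    param(
        # Instance-ID prefix to match; USBSTOR\ covers USB disks and card readers
        [string]$InstancePrefix = 'USBSTOR\'
    )

    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.DeviceID -like "$InstancePrefix*" } |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                # Most specific Hardware ID comes first; a policy entry must match one exactly
                HardwareIDs      = @($_.HardwareID)
                # Setup class GUID, the value used by the "by setup classes" policy
                ClassGuid        = $_.ClassGuid
                # Device instance ID; the part after the last backslash is often unique per stick
                DeviceInstanceID = $_.DeviceID
                # 0 = working; a non-zero code means installation was blocked or failed
                ProblemCode      = $_.ConfigManagerErrorCode
            }
        }
}

# One record per device, with the Hardware ID list expanded
Get-RemovableStorageIdentifiers | Format-List
```

Run it once with the policy in place and the ProblemCode column shows which devices the policy actually stopped.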

2. Configuring USB storage media and Bluetooth

This one is more clear than blocking or allowing the installation of hardware. Let’s take a look at some of the policies. 

All of the settings above allow us to control which devices may connect to our computers. In the sample above, I am making sure people can still use removable storage, but I am preventing write access. Setting up a policy like this makes sure your company data can’t be copied to a USB stick.

I am also allowing Bluetooth, but just like removable storage, I am restricting its use.

3. Results of Blocking specific hardware!

When we have configured an Endpoint Security device control policy that blocks hardware device installation by device identifier, we need to know what happens on the client.

First, let’s open the device manager. We will notice the hardware couldn’t be installed.


Error Code 1:  The installation of this device is blocked by a system policy 


You will also get a nice toast notification with the same message.

And of course, the removable storage device in this example is not accessible!

4. Results of preventing Write Access Removable Storage

Now that we have seen what happens when you block all access to removable storage, let’s see what happens when you only block the possibility to write data to it.

The only way to test it is to attach a USB removable storage device and try to create a folder or copy some data to it. You will be prompted with this error: ACCESS DENIED!

5. Deploy printer protection on Windows (UPDATE 20-07-2021)

Today a new method for printer protection was released. When talking about Device Control, controlling which printer may be used for printing is great!

Please make sure you have the correct license applied!

  • Microsoft 365 E3 for functionality/policy deployment
  • Microsoft 365 E5 for reporting

The new printer protection feature allows you to block users from printing via a non-corporate network printer or non-approved USB printer. This adds an additional layer of security and data protection for work from home and remote work scenarios.

So how do we configure this?

Before we start we need to make a hard choice: are you going to deploy it in the machine or the user context? Once you have made that choice, create two custom OMA-URI settings (CSPs) and configure the values as shown below.

MACHINE CONTEXT

*Block printing from non approved printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
Value: <enabled/>

*Define the approved USB printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
Value: <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/8117,03F0/8217"/>

USER CONTEXT

*Block printing from non approved printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser
Value: <enabled/>

*Define the approved USB printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser
Value: <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/8117,03F0/8217"/>

Wondering what 03F0/8117 stands for? That is the VID/PID (USB vendor ID and product ID) of the printer. You can open the device manager to look them up.

If you don’t want to look in the device manager to find them, please visit the Device Hunt website:

USB\VID_03F0 – HP, Inc | Device Hunt
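Collecting the VID/PID pairs by hand from the device manager is error-prone, so here is an added example (not from the original post) that extracts them from USB hardware IDs and builds the exact ApprovedUsbPrintDevices value shown above. The function names are my own, the sample hardware IDs are constructed for the demo, and the live variant assumes the printer’s usbprint node is present with a hardware ID of the form USB\VID_xxxx&PID_xxxx.

```powershell
# Added example: turn USB VID/PID pairs of printers into the "VVVV/PPPP" list
# that the ApprovedUsbPrintDevices / ApprovedUsbPrintDevicesUser CSP expects.

function Get-UsbVidPid {
    param([Parameter(Mandatory)][string[]]$Id)
    foreach ($entry in $Id) {
        # Hardware and instance IDs carry the vendor/product pair as VID_xxxx&PID_xxxx
        if ($entry -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            '{0}/{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper()
        }
    }
}

function ConvertTo-ApprovedUsbPrintDeviceValue {
    param([Parameter(Mandatory)][string[]]$VidPid)
    # De-duplicate, keep order, and join with commas as in the CSP value
    $list = ($VidPid | Select-Object -Unique) -join ','
    "<enabled/><data id=""ApprovedUsbPrintDevices_List"" value=""$list""/>"
}

# Constructed sample: two HP printers seen through their USB hardware IDs
$sampleIds = @(
    'USB\VID_03F0&PID_8117&REV_0100',
    'USB\VID_03F0&PID_8217',
    'USB\VID_03F0&PID_8117'          # duplicate of the first, filtered out
)
$approved = Get-UsbVidPid -Id $sampleIds
ConvertTo-ApprovedUsbPrintDeviceValue -VidPid $approved

# Live variant (assumption): read the pairs from the "USB Printing Support"
# nodes on this machine, which expose the printer's VID/PID in their hardware IDs
$live = Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.PNPClass -eq 'USB' -and $_.Name -like '*Print*' -and $_.HardwareID } |
    ForEach-Object { Get-UsbVidPid -Id @($_.HardwareID) }
if ($live) { ConvertTo-ApprovedUsbPrintDeviceValue -VidPid $live }
```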

And of course, the result when you plug in your private USB printer and try to print something: you will notice the print job is sent to the spooler but immediately removed again!

Open the event viewer and go to the Print Service event log.

Translating the nice Dutch text: the job is blocked because of printer restrictions. The USB printer is not on the list of allowed devices!

6. Digging deeper

When you want to check whether the restrictions are configured on the device itself, it’s best to open the local registry and look at this key.

You will notice all the settings you configured in Intune are deployed to these registry keys 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall 

When looking at this key, you will notice that there is a difference between blocking Hardware IDs and blocking Device Instance IDs: each identifier type ends up in its own subkey.

But how do these keys end up in here? Just like all settings in Intune, a CSP is responsible for it. So let’s take a look at which one. Open this registry key to start digging.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ 

Do you notice the ADMXInstanceData key? Let’s open that one now. 

It contains the same JSON content you would configure yourself with a custom CSP.

OMA-URI:./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs 
DataType: String 

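Instead of clicking through regedit, the added example below (not from the original post) dumps the values under the two keys named in this section so you can verify on a client what was delivered by the CSP and what the OS enforces. It assumes an elevated PowerShell session on the enrolled device, and it assumes that the lists Intune writes live in subkeys whose names start with Deny or Allow under the DeviceInstall key.

```powershell
# Added example: audit the Device Control settings Intune wrote to the registry.
# $policyRoot is the key the OS enforces; $cspRoot is where the PolicyManager
# (CSP) stores what Intune delivered, including the ADMXInstanceData key.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall'
$cspRoot    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-PolicyValues {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return }
    # Walk the key and every subkey; each ID in a deny/allow list is its own value
    foreach ($key in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

'== Policy keys (what the OS enforces) =='
Get-PolicyValues -Path $policyRoot | Format-Table -AutoSize -Wrap

'== PolicyManager / ADMXInstanceData (what Intune delivered) =='
Get-PolicyValues -Path $cspRoot |
    Where-Object { $_.Key -match 'DeviceInstallation|ADMXInstanceData' } |
    Format-Table -AutoSize -Wrap

'== Identifiers currently on a deny list =='
# Assumption: deny lists are subkeys named Deny*, one numbered value per ID
Get-PolicyValues -Path $policyRoot |
    Where-Object { $_.Key -match '\\Deny\w+$' } |
    Select-Object Key, Data
```

Running the last part before and after a policy change is a quick way to confirm the behaviour described in the "Removing/Changing the policy" section.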

7. Logging  

Here comes the discussion…. Are we going to block removable storage/limit the use of removable storage or just allow it? 

Whatever you choose, make sure you don’t just set and forget. You really need to know when someone is trying to attach a new removable storage device, so you need to monitor it. Open your event viewer and take a look at the Kernel-PnP event log.
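To turn that advice into something you can schedule, here is an added example (not from the original post) that pulls the Kernel-PnP configuration events for USB storage devices from the last 24 hours. It assumes an elevated session on the client; the function name, the time window and the USBSTOR filter are my own assumptions.

```powershell
# Added example: report recent Kernel-PnP configuration events for USB storage,
# so newly attached removable media shows up in a report instead of going unnoticed.

function Get-RemovableStoragePnpEvents {
    param(
        [int]$Hours = 24,
        # Pattern matched against the event message; USBSTOR\ is the instance path prefix of USB storage
        [string]$InstancePattern = 'USBSTOR\\'
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $InstancePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # First line of the message names the device instance and what happened to it
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-RemovableStoragePnpEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same function with a different pattern (for example a printer instance path) covers the printer scenario from section 5.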

But what to do, when you are not blocking removable storage? Of course, you want to make sure you are logging all of those events. How are we going to make sure we are notified when someone successfully copied a file? MCAS! This is the way! 


Like always, I have done a blog about this subject some time ago. Go out and read it if you are interested!

8. Removing/Changing the policy

Removing the whole policy or removing the assignment in Intune will also make sure the settings are removed from the device!  

But beware: if you change an existing policy and only remove the Hardware IDs from it, as shown below, the settings will not be removed from the client.


You will need to change the setting “Block hardware device installation by device identifiers” to “Not configured”.

Within a few minutes after syncing the device in Intune, the whole DenyDeviceIDs registry key is deleted.

9. Conclusion

It really depends on the organization you are working for if you need to limit or block or allow and log these types of actions. It’s a good thing Microsoft has all the options available for us to start dancing and do our job!  


If you want to read the previous Endpoint Security blogs:

Endpoint Security Series – Call4Cloud

And if you are not interested in the endpoint security blogs I still got some other blogs for you!

4 thoughts on “O Removable Storage, Where Art Thou?”

  1. I made a Device Control policy with the option “Block Removable Storage” on Yes with an Exclude group, but if I put the devices in the Exclude group the lock still stays on there. Have any experience with this?

  2. Maybe add to the blog about this setting “Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria”.
    Also, wildcards are not currently supported for Device and Instance ID’s (confirmed with case logged to Microsoft).
    We are blocking GenCdRom, Teams phones and banking USB dongles are identified as “USBSTOR\CdRomGEMALTO_P” and “USBSTOR\CDROM&VEN_YEALINK&PROD_YUC&REV_0409” and another device “USBSTOR\CdRomHUAWEI__”. One issue where we need wildcards is that some devices append an additional value to the InstanceID that is unique to each computer, which makes it near impossible to allow a unique key for all devices “USBSTOR\CDROM&VEN_YEALINK&PROD_YUC&REV_0409\8&315081E8&0&301110E020007770&0”; the additional part is “\8&315081E8&0&301110E020007770&0”.

  3. Hi, was reading this article but to me, it does not seem to fit my use case.
    We want to block all USB storage devices except a few trusted types.
    Do you have any idea on how to do that with Intune?

  4. We have a customer migrated from another endpoint solution (ESET) to Intune with Defender for Business (i.e. Plan 1) (the MS Business Premium package). They are really annoyed that you cannot temporarily allow a USB device for a user, for instance for 10 minutes. Previously an admin could just remote in and allow a VIP to access their USB drive for a few mins.

    What would be the quickest way to do this with Intune? Remote to their workstations, plug in the USB drive (that will be blocked), find the ID, create new policy, apply new policy to the user, wait for them to finish and then remove the policy? Wouldn’t the block policy override the allow policy anyway?
