The fine balance between Device Control Policy & removable storage

Microsoft Defender for Endpoint Device Control protects against data loss by monitoring and controlling media use of removable storage devices and USB drives. It is part of the Attack Surface Reduction profiles which enables auditing, read, write or execute access to removable storage.

Once you enable Device Control policy, you can find the device control report in the Microsoft 365 security center.


However, please note that the device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list.

I recently came across a situation where there was a requirement for allowing the use of USB screen sharing solutions like Barco Clickshare. They are normally used in VC Meeting rooms and the process for activation requires plugging them into a laptop and running the application executable.

To ensure the use of such devices, you either disable the Device Control policy or simply create a whitelist. Creating a whitelist is obviously the desirable and recommended option.

You can whitelist using Device identifiers, device instance identifiers or setup class. Depending on the method of your deployment of the Device Control policy, these device identifiers or classes will need to be added accordingly. If you are using the GPO method, then you will need to create an XML for the policy rule. I am using Intune to configure the Device control policy so I am going to cover the process for the same.

We first need to identify the relevant device identifier, instance identifier or class for the device in question. There is no one solution that fits all and a lot will depend on which all devices your organization want to allow or block access to.

In my case, since I was dealing with multiple device ids, I decided to whitelist the setup class. There are multiple ways to extract the details. If your Defender policy is already enforced, then the easiest way I have found is by analyzing the events in the Microsoft 365 security center.

Head down to Reports->Device Control and click on View Details. Then click on filter and use the fields in the fly out screen to search for the events for the relevant device. In my case, I already know which device I intend to address so I am using the Device id field to filter for the events.



Class GUID 4d36e967-e325-11ce-bfc1-08002be10318 corresponds to DiskDrive. Adding this will allow whitelisting all devices falling under this category. Again, if this is something your organization is not ready to do, then I'll suggest to use individual device id identifiers instead.

If you are yet to enable the Device Control policy, then you can also manually pull the details. One way is to directly check in Device Manager, as shown below.


Another way is to run a PS script to pull the information.

Get-WmiObject Win32_PNPEntity | select name,classguid | sort-object classguid


Next step is to add the extracted class GUID in the Intune policy. See below.


Now we configure the use of removable storage itself. I am allowing reading of the content from the removable storage (by leaving it Not Configured in other words), but blocking the Write function to protect corporate data from being copied over to the removable storage.


Conclusion

Most organizations tighten the security on end user devices by prohibiting the use of removable storage. However, with the advancement in technology, VC meeting rooms for example where third party screen sharing solutions are being implemented, organizations will feel the need to fine tune their security policies to allow the use of certain devices. Luckily, there are options available within Device Control policy which allows flexibility in addressing such requirements. 

Until next time..

References


Comments

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Prevent users from running certain programs or applications on Windows endpoints using Intune