Microsoft Defender for Endpoint Blog

Announcing new removable storage management features on Windows

Tewang_Chen (Microsoft)
Nov 21, 2022

External devices like USB drives are common tools people use to support daily business tasks, such as saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they also put enterprise data at risk and serve as a potential entry point for malware.

 

Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:

  • Gain write access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN

 

What’s new

 

Support for file parameters

We are pleased to announce that Defender for Endpoint now lets organizations control read, write, and execute access to specific files on removable storage. For example, by matching on file name, path, or extension, Defender for Endpoint can block end users from executing any file with an LNK, BAT, BIN, CHM, CMD, COM, CPL, or EXE extension.

For more details, please review Scenario 3 in the Removable Storage Access Control documentation on Microsoft Learn.

 

Support for Azure AD machines or user group(s)

With this release, we are expanding the Sid and ComputerSid properties to accept an on-premises AD object SID or an Azure AD object ID, to satisfy the following common scenarios:

  • An admin who wants to restrict removable storage device access by both user and machine. For example, only specific users may interact with specific removable storage devices, and only on a specific machine: access is granted only when an authorized user uses an authorized removable storage device on an authorized machine.
  • An admin who wants a single policy for removable storage management, using Sid and ComputerSid inside that policy to control which user or machine groups can access certain removable storage.

For details, please review our documentation found here: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions | Microsoft Learn.
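As an added example (not code from this post or from Microsoft's documentation), here are Group Policy-style device control files that combine the two features just described: a File group that blocks execution of the listed extensions from any removable media, and a rule that makes one approved USB stick writable only for one Azure AD user on one Azure AD device. The GUIDs, the device instance path and the two Azure AD object IDs are placeholders to replace with your own; the AccessMask bit values (1/2/4 device read/write/execute, 8/16/32 file read/write/execute), the PathId wildcard syntax and the Options values are taken from the 2022 Removable Storage Access Control reference as I understand it, so confirm them against the current documentation before deploying. With Intune, the same Group and PolicyRule elements are delivered one element per OMA-URI node rather than as two files.

```xml
<!-- groups.xml: "Define device control policy groups" (added example, placeholder GUIDs) -->
<Groups>
  <!-- Any removable media device -->
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <!-- One approved USB stick, pinned by its device instance path (placeholder value) -->
  <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <InstancePathId>USBSTOR\DISK&amp;VEN_EXAMPLE&amp;PROD_USB&amp;REV_1.00\0123456789&amp;0</InstancePathId>
    </DescriptorIdList>
  </Group>
  <!-- File group (Type="File"): the extensions named in the post, matched by wildcard path -->
  <Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PathId>*.lnk</PathId>
      <PathId>*.bat</PathId>
      <PathId>*.bin</PathId>
      <PathId>*.chm</PathId>
      <PathId>*.cmd</PathId>
      <PathId>*.com</PathId>
      <PathId>*.cpl</PathId>
      <PathId>*.exe</PathId>
    </DescriptorIdList>
  </Group>
</Groups>

<!-- rules.xml: "Define device control policy rules" -->
<PolicyRules>
  <!-- Rule 1: on every removable device, deny File Execute (AccessMask 32) for the file group,
       then notify the user and send the event to the portal (AuditDenied, Options 3) -->
  <PolicyRule Id="{f7e75634-7eec-4e67-bec5-5e7750cb9e02}">
    <Name>Block execution of scripts and binaries on removable media</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList/>
    <Entry Id="{00000000-0000-0000-0000-000000000001}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>32</AccessMask>
      <Parameters MatchType="MatchAll">
        <File MatchType="MatchAny">
          <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
        </File>
      </Parameters>
    </Entry>
    <Entry Id="{00000000-0000-0000-0000-000000000002}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>32</AccessMask>
      <Parameters MatchType="MatchAll">
        <File MatchType="MatchAny">
          <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
        </File>
      </Parameters>
    </Entry>
  </PolicyRule>

  <!-- Rule 2: the approved stick is readable and writable (AccessMask 3) only when the
       Azure AD user AND the Azure AD device both match; everyone else is denied write
       and execute (6). Sid and ComputerSid carry the Azure AD object IDs directly
       (placeholder GUIDs below). -->
  <PolicyRule Id="{b7ac0a2b-5cc6-4b3e-9c6e-5fd8b2a20f11}">
    <Name>Approved USB: writable only for approved user on approved device</Name>
    <IncludedIdList>
      <GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
    </IncludedIdList>
    <ExcludedIdList/>
    <Entry Id="{00000000-0000-0000-0000-000000000003}">
      <Type>Allow</Type>
      <Sid>11111111-2222-3333-4444-555555555555</Sid>
      <ComputerSid>66666666-7777-8888-9999-aaaaaaaaaaaa</ComputerSid>
      <Options>0</Options>
      <AccessMask>3</AccessMask>
    </Entry>
    <Entry Id="{00000000-0000-0000-0000-000000000004}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>6</AccessMask>
    </Entry>
    <Entry Id="{00000000-0000-0000-0000-000000000005}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>6</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

The scoped Allow is placed before the catch-all Deny because, as I understand the behaviour at the time, entries are evaluated top to bottom and the first matching entry decides; verify this on a pilot device with a test user before a broad rollout rather than relying on it. Two checks worth doing at that stage: confirm that the user-level check really requires both the user and the device to match (plug the approved stick into an unapproved machine as the approved user and expect a denied write), and note that pinning the approved device on InstancePathId, which embeds the serial number, is what stops another stick of the same vendor and model from inheriting the allowance, whereas a VID/PID match would not.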

 

Capturing a file as evidence on a network share

An admin may want to track which files are being moved to an authorized removable storage device. The admin can create a policy that captures a copy of each such file on a network share of their choosing.

A new value in the 'Options' attribute lets you capture a copy of the file as evidence on that network share. The common scenario is as follows:

  • When an end user copies a file to an authorized removable storage device, device control will create a copy of the file as evidence on a network share.

Figure 1 - File information for removable storage event

 

Improvements to the removable storage access control investigation experience

After collecting user feedback, we found an opportunity to improve investigation efficiency by surfacing device control events on the device timeline page. In addition, we have made several other enhancements to the investigation experience over the last few months:

  • The removable storage access control event has been added into the machine timeline under Microsoft 365 security portal -> Devices -> Device page -> Timeline:

Figure 2 - Removable storage events on machine timeline page

 

  • When a file-level policy is triggered, the file path and name are captured in the event and surfaced in the Advanced Hunting Device Control reports.
  • The Device Control report under security.microsoft.com -> Reports -> Device control now receives updated data and visualizations in half the time, reducing latency from 12 hours to 6 hours.

Figure 3 - Device control report

 

Please take a look at Protect your organization's data with device control | Microsoft Learn for more details.

 

Network location as a condition

In scenarios where admins want stronger protection for remote devices, they can enforce stricter policies on machines that are not connected to the corporate network by creating different device control policies based on a machine's network location, using the recently added 'Network' and 'VPNConnection' group types as conditions in those policies.

 

For more information, see our documentation: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Learn.
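Tying together the evidence-capture and network-location sections above, here is an added example (again not from the post or from Microsoft's documentation) of a single rule that allows writes to removable media only while the machine is on the domain-authenticated corporate network or on the corporate VPN, capturing file information plus a copy of every written file as evidence (an Allow entry with Options 8), and denies write and execute everywhere else. The GUIDs, the network name and the VPN name are placeholders; the Options and AccessMask values and the Network/VPNConnection descriptor names follow the 2022 reference as I read it, so check them before use.

```xml
<!-- groups.xml (added example, placeholder GUIDs and names) -->
<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <!-- Corporate LAN: the machine is on a domain-authenticated network with this name -->
  <Group Id="{ed5d7e73-0e9b-4df4-8e56-52a4e68a0c23}" Type="Network">
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <NameId>corp.example.com</NameId>
      <NetworkCategoryId>DomainAuthenticated</NetworkCategoryId>
    </DescriptorIdList>
  </Group>
  <!-- Corporate VPN tunnel, currently up -->
  <Group Id="{d633d17d-d1d1-4c73-aa27-c545c343b6d7}" Type="VPNConnection">
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <NameId>Example Corp VPN</NameId>
      <VPNConnectionStatusId>Connected</VPNConnectionStatusId>
    </DescriptorIdList>
  </Group>
</Groups>

<!-- rules.xml -->
<PolicyRules>
  <PolicyRule Id="{3c1e0d6a-8b2f-4f5e-a7d9-1e2f3a4b5c6d}">
    <Name>Removable media: write only on corp network or VPN, with evidence copy</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList/>
    <!-- On the LAN or on the VPN: read/write/execute (7). Options 8 on an Allow entry means
         "capture file information and keep a copy of the file as evidence" for writes.
         Parameters MatchAny: satisfying either location condition is enough. -->
    <Entry Id="{00000000-0000-0000-0000-000000000011}">
      <Type>Allow</Type>
      <Options>8</Options>
      <AccessMask>7</AccessMask>
      <Parameters MatchType="MatchAny">
        <Network MatchType="MatchAny">
          <GroupId>{ed5d7e73-0e9b-4df4-8e56-52a4e68a0c23}</GroupId>
        </Network>
        <VPNConnection MatchType="MatchAny">
          <GroupId>{d633d17d-d1d1-4c73-aa27-c545c343b6d7}</GroupId>
        </VPNConnection>
      </Parameters>
    </Entry>
    <!-- Anywhere else (hotel Wi-Fi, home without the VPN up): read only -->
    <Entry Id="{00000000-0000-0000-0000-000000000012}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>6</AccessMask>
    </Entry>
    <!-- AuditAllowed Options 2 sends the allowed-write event (with the file details) to the
         portal; AuditDenied Options 3 shows the user a notification and sends the denied event -->
    <Entry Id="{00000000-0000-0000-0000-000000000013}">
      <Type>AuditAllowed</Type>
      <Options>2</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{00000000-0000-0000-0000-000000000014}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>6</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

The share path is not part of the rule: it is configured through Defender's separate evidence data remote location setting, which both Group Policy and Intune expose. The copy is made by the Defender service running as SYSTEM, so it reaches the share as the computer account, and the share ACL has to grant the computer accounts write access; grant them nothing more, because the share quickly becomes a sensitive store holding a copy of everything users write to USB. Restrict read access to the investigators who need it and monitor the share like any other evidence repository. If evidence events are missing from Advanced Hunting, check that an AuditAllowed entry with Options 2 is present: as I understand it, Options 8 on the Allow entry only governs what is captured, while the audit entry governs whether an event is sent at all.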

 

 

We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 

 

Microsoft Defender for Endpoint team

Updated Nov 23, 2022
Version 2.0
  • mattolver (Copper Contributor)

    Is there any more documentation around "Capturing a file as evidence on a network share" ?

    I believe it is configured correctly but I am not seeing the audit details in Advanced Hunting.

  • jaegerschnitzel (Copper Contributor)

    It would be great to add a few more filters for the Device Control report. For example filtering for device name or user name would be great 🙂

  • PJR_CDF (Iron Contributor)

    Tewang_Chen

     

    In the Support for file parameters section your links to the documentation are the wrong way round - Intune link is for GPO and vice versa.

     

    You also mention a "scenario 4" - the docs have not yet been updated to reflect this scenario (I still only see 3 scenarios)?