Hello,
my previous post is lost somewhere in space so let me post it again.
First of all thank you for this functionality to block printers and removable mass storage with reporting to cloud console (advanced hunting).
Now my question and problem with implementing it:
- I have followed the procedure on this page and also on MS Docs and GitHub
- I have two XML files -> the first defines all removable mass storage as a Group and the second is the policy that prohibits access (see below for both files)
- I have onboarded a Windows 10 computer (20H2) with antimalware build 4.18.2107 as a workstation (no AD)
- I used gpedit.msc for the local GPO and located both parameters to set the Group and the Policy for device control
- I have both files located on the local drive (e.g. C:\data\defender\usbblock\) and I put this path into both policies
- then from an elevated CMD I ran gpupdate /force
- the result is that I am still able to use USB mass storage
- I changed the path in the GPO to point directly to the file name and it is still the same => no blocking of USB mass storage
Group XML file:
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <PrimaryId>RemovableMediaDevices</PrimaryId>
        <PrimaryId>CdRomDevices</PrimaryId>
        <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
</Group>
Policy file:
<PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
    <Name>Block removable storage and CdRom</Name>
    <IncludedIdList>
        <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
        <Type>Deny</Type>
        <Options>0</Options>
        <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
        <Type>AuditDenied</Type>
        <Options>3</Options>
        <AccessMask>6</AccessMask>
    </Entry>
    <Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
        <Type>AuditDenied</Type>
        <Options>1</Options>
        <AccessMask>1</AccessMask>
    </Entry>
</PolicyRule>
Can you help me solve the problem of why it is not working for me?
Thank you
marek
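Before pointing the two Group Policy settings at the files, it is worth checking that the XML is well-formed, that every GroupId the policy references actually exists in the group file, and that each Entry carries a valid Type and AccessMask. The script below is an added example written for this thread, not code from the post or from Microsoft; it assumes the root elements `<Groups>` and `<PolicyRules>` that wrap the Group and PolicyRule elements in Microsoft's sample files, and the AccessMask bits Read=1, Write=2, Execute=4 for removable storage entries. The embedded XML is a constructed copy of the files in the post with those wrappers added.

```python
"""Sanity checks for Defender for Endpoint device control XML (Group + PolicyRule files).

Assumptions (not verified against the post): the Group file uses a <Groups> root and
the policy file a <PolicyRules> root, as in Microsoft's sample files, and removable
storage AccessMask values are built from the bits Read=1, Write=2, Execute=4.
"""
import xml.etree.ElementTree as ET

ACCESS_BITS = {1: "Read", 2: "Write", 4: "Execute"}
ENTRY_TYPES = {"Allow", "Deny", "AuditAllowed", "AuditDenied"}

# Constructed sample input: the two files from the post, wrapped in root elements.
GROUP_XML = """<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>"""

POLICY_XML = """<PolicyRules>
  <PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
    <Name>Block removable storage and CdRom</Name>
    <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
      <Type>Deny</Type><Options>0</Options><AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
      <Type>AuditDenied</Type><Options>3</Options><AccessMask>6</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>"""


def decode_mask(mask: int) -> list:
    """Translate an AccessMask value into the access types it covers."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def check_device_control(group_xml: str, policy_xml: str) -> list:
    """Return a list of findings; an empty list means the files passed every check."""
    findings = []
    try:
        groups_root = ET.fromstring(group_xml)
        rules_root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]

    # Root element names as used by the sample files (assumption, see docstring).
    if groups_root.tag != "Groups":
        findings.append(f"group file root is <{groups_root.tag}>, expected <Groups>")
    if rules_root.tag != "PolicyRules":
        findings.append(f"policy file root is <{rules_root.tag}>, expected <PolicyRules>")

    # Collect every defined group and make sure it matches on something.
    group_ids = set()
    for group in groups_root.iter("Group"):
        gid = group.get("Id")
        if gid is None:
            findings.append("a <Group> has no Id attribute")
            continue
        desc_list = group.find("DescriptorIdList")
        if desc_list is None or len(desc_list) == 0:
            findings.append(f"group {gid} has an empty DescriptorIdList")
        group_ids.add(gid.strip().lower())

    for rule in rules_root.iter("PolicyRule"):
        rid = rule.get("Id", "<no Id>")
        # Every referenced GroupId must exist in the group file (GUID compare is case-insensitive).
        for list_tag in ("IncludedIdList", "ExcludedIdList"):
            id_list = rule.find(list_tag)
            for ref in (id_list.iter("GroupId") if id_list is not None else []):
                if (ref.text or "").strip().lower() not in group_ids:
                    findings.append(f"rule {rid}: {list_tag} references unknown group {ref.text}")
        deny_seen = False
        for entry in rule.iter("Entry"):
            eid = entry.get("Id", "<no Id>")
            etype = entry.findtext("Type", "")
            if etype not in ENTRY_TYPES:
                findings.append(f"entry {eid}: unknown Type '{etype}'")
            try:
                mask = int(entry.findtext("AccessMask", ""))
                int(entry.findtext("Options", ""))
            except ValueError:
                findings.append(f"entry {eid}: Options and AccessMask must be integers")
                continue
            if mask == 0 or mask & ~sum(ACCESS_BITS):
                findings.append(f"entry {eid}: AccessMask {mask} is outside the Read/Write/Execute bits (1/2/4)")
            deny_seen = deny_seen or etype == "Deny"
        if not deny_seen:
            findings.append(f"rule {rid}: no Deny entry, so this rule blocks nothing")
    return findings


if __name__ == "__main__":
    for finding in check_device_control(GROUP_XML, POLICY_XML) or ["no findings"]:
        print(finding)
    print("AccessMask 7 =", decode_mask(7), "| AccessMask 6 =", decode_mask(6))
```

The checks cover the structure of the files only; a clean result does not prove that Group Policy delivered the file path to the Defender engine, so the next step after a clean run is still confirming on the client that the policy was applied.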