Forum Discussion

robarismail's avatar
robarismail
Copper Contributor
Nov 01, 2022

Block USB Drive by Serial Number

I would love to see the ability to block a USB drive by it's serial number in Defender. When you see a USB storage device as the origin of a new threat introduced on the network it would be great ...
mikhailf's avatar
mikhailf
Iron Contributor
Nov 02, 2022

Hello robarismail,

 

Please, check these articles: 

Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub

Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Learn

 

We did it for several customers and it worked well.

 

"I do not want to block all USB drives. Auto USB actions already blocked." --- you can block only specific USB drives based on their HardwareID, SerialNumberId, etc.

 

robarismail's avatar
robarismail
Copper Contributor
Nov 02, 2022

Hello mikhailf,

 

Thank you for the reply. In the article Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub they are creating 2 "group" XML files and 1 "policy" XML file."

 

* The first group is the Group XML that will specify the type of mass storage. 

* The second group it to modify the XML file for your approved USB list. - Why is this needed, I want to approve all besides the ones I want to block with serial number?

* The third file which is the policy file

 

Br,

Robar

  • mikhailf's avatar
    mikhailf
    Iron Contributor
    Nov 02, 2022
    This is only an example.
    Based on the second link you can build another policy: Specify the type of mass storage, create a group with blocked USBs, and for that group configure the access (Block in your case).

Resources