Forum Discussion

Feb 01, 2022

DEVICE CONTROL USING ATTACK SURFACE REDUCTION

@all Who has successfully used ASR to block removable drives while still allowing several drives using their PID/VID identifier?

3 Replies

  • ambarishrh

    effjaay We recently had a one-month-long ticket regarding this (with Intune, the Windows Engineering team and a lot more members from MS), and finally ended up using OMA-URI for blocking USB. Here are the settings:


    • From endpoint.microsoft.com: Devices > Windows > Configuration profiles
    • Create a new profile with Platform selected as "Windows 10 and later"
    • Profile type selected as "Templates" and then the template name "custom"
    • Under OMA-URI settings, add the following settings:
      First entry: this is to allow specific USB devices (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationallowinstallationofmatchingdeviceids)
      • Name: allow_usb 
      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • Data type: String
      • Value: <enabled/><Data id="DeviceInstall_IDs_Allow_List" value="1&#xF000;USBSTOR\DiskSMI_____USB_DISK________1100&#xF000;2&#xF000;USBSTOR\DiskVendorCoProductCode_____2.00&#xF000;3&#xF000;USBSTOR\CdRomImation_Slim_DVD____________"/>

        [The number 1 at the beginning of the value denotes the first device, 2 the second device, and so on]

        Second entry: for accepting the layered block/allow policies (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationenableinstallationpolicylayering)
      • Name: applied_layered
      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
      • Value: <enabled/><data id="AllowDenyLayered" value="1"/>

        Third entry: block devices based on device classes (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
      • Name: prevent_installation
      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
      • Data type: String
      • Value: <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e967-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e965-e325-11ce-bfc1-08002be10318}"/>

        Fourth entry: for blocking mobile devices but allowing USB charging (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemovableStorageAccess::WPDDevices_DenyRead_Access_1)

      • Name: block_mobile
      • OMA-URI: ./Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice
      • Value: <enabled/><data id="Deny_Read" value="1"/>

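As an added example (not part of the thread and not Microsoft's code), here is a Python script that builds the string values for the three DeviceInstallation entries in the reply above and sanity-checks them before they are pasted into the custom profile. The OMA-URIs and `data id` names mirror the reply; the hardware IDs and class GUIDs in the sample are constructed. What it adds beyond the reply is the escaping rule that bites anyone allow-listing by VID/PID, which is what the original question asked for: a hardware ID such as `USB\VID_0781&PID_5567` contains `&`, which must be written as `&amp;` inside the value, while the `&#xF000;` list delimiter must stay as the literal character reference.

```python
"""Build and sanity-check the Intune custom-profile (OMA-URI) string
payloads for the DeviceInstallation policies discussed in the thread.

All hardware IDs and the policy combination below are constructed
sample input for illustration, not values from any real tenant.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, unescape

# ADMX-backed list policies delivered over MDM separate "index, item"
# pairs with the XML character reference for U+F000, written literally.
LIST_DELIM = "&#xF000;"

# Policy CSP URIs used in the reply above (device scope).
URI_ALLOW_IDS = ("./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/"
                 "AllowInstallationOfMatchingDeviceIDs")
URI_LAYERING = ("./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/"
                "EnableInstallationPolicyLayering")
URI_DENY_CLASSES = ("./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/"
                    "PreventInstallationOfMatchingDeviceSetupClasses")

_GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def build_list_value(items):
    """Encode items as '1<delim>item1<delim>2<delim>item2...'.

    Each item is XML-escaped *before* the delimiter is added, so the '&'
    in a VID/PID hardware ID (USB\\VID_xxxx&PID_yyyy) becomes '&amp;'
    while the delimiter stays a literal '&#xF000;' reference.
    """
    if not items:
        raise ValueError("a list policy needs at least one entry")
    parts = []
    for index, item in enumerate(items, start=1):
        item = item.strip()
        if not item:
            raise ValueError(f"entry {index} is empty")
        parts.append(str(index))
        parts.append(escape(item, {'"': "&quot;"}))
    return LIST_DELIM.join(parts)


def parse_list_value(value):
    """Inverse of build_list_value; accepts the reference or a raw U+F000."""
    tokens = value.replace("\uf000", LIST_DELIM).split(LIST_DELIM)
    if len(tokens) % 2:
        raise ValueError("malformed list: odd number of tokens")
    items = []
    for pos in range(0, len(tokens), 2):
        expected = str(pos // 2 + 1)
        if tokens[pos] != expected:
            raise ValueError(f"expected index {expected}, got {tokens[pos]!r}")
        items.append(unescape(tokens[pos + 1], {"&quot;": '"'}))
    return items


def allow_ids_policy(hardware_ids):
    """(OMA-URI, value) for AllowInstallationOfMatchingDeviceIDs."""
    value = build_list_value(hardware_ids)
    return (URI_ALLOW_IDS,
            f'<enabled/><data id="DeviceInstall_IDs_Allow_List" value="{value}"/>')


def deny_classes_policy(class_guids, retroactive=True):
    """(OMA-URI, value) for PreventInstallationOfMatchingDeviceSetupClasses.

    retroactive=True also removes matching devices that are already installed.
    """
    for guid in class_guids:
        if not _GUID_RE.match(guid):
            raise ValueError(f"not a device setup class GUID: {guid}")
    retro = "true" if retroactive else "false"
    value = build_list_value(class_guids)
    return (URI_DENY_CLASSES,
            f'<enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="{retro}"/>'
            f'<data id="DeviceInstall_Classes_Deny_List" value="{value}"/>')


def layering_policy():
    """(OMA-URI, value) for EnableInstallationPolicyLayering, as posted above."""
    return (URI_LAYERING, '<enabled/><data id="AllowDenyLayered" value="1"/>')


def check_profile(oma_settings):
    """Return a list of problems found in a set of (uri, value) pairs."""
    problems = []
    uris = {uri for uri, _ in oma_settings}
    if URI_ALLOW_IDS in uris and URI_DENY_CLASSES in uris and URI_LAYERING not in uris:
        problems.append("allow-by-ID and deny-by-class are both set, but "
                        "EnableInstallationPolicyLayering is missing")
    for uri, value in oma_settings:
        if not value.startswith(("<enabled/>", "<disabled/>")):
            problems.append(f"{uri}: value must begin with <enabled/> or <disabled/>")
            continue
        try:  # an unescaped '&' (typical of a pasted VID/PID ID) fails here
            ET.fromstring(f"<root>{value}</root>")
        except ET.ParseError as err:
            problems.append(f"{uri}: value is not well-formed XML ({err})")
    return problems


if __name__ == "__main__":
    # Constructed sample: one USBSTOR hardware ID in the style of the reply
    # plus one VID/PID-style ID, which is what the original question asked for.
    allowed = [r"USBSTOR\DiskSMI_____USB_DISK________1100", r"USB\VID_0781&PID_5567"]
    blocked = ["{4d36e967-e325-11ce-bfc1-08002be10318}",   # DiskDrive
               "{4d36e965-e325-11ce-bfc1-08002be10318}"]   # CDROM
    profile = [allow_ids_policy(allowed), layering_policy(), deny_classes_policy(blocked)]
    for uri, value in profile:
        print(uri, value, sep="\n  ")
    print("problems:", check_profile(profile) or "none")
```

`check_profile` parses each value as XML, which is what the MDM client does with an ADMX-backed string, so an unescaped `&` is caught before the profile is assigned and shows up as an error on the device. Two caveats worth knowing: a `USBSTOR\Disk...` hardware ID matches every stick of that model and revision, not one physical unit, so a single unit is pinned with the separate AllowInstallationOfMatchingDeviceInstanceIDs policy and its device instance ID (including the serial); and the reply's fourth entry (WPD read denial) is a plain enabled/disabled Storage policy, so it is not built through the list encoder above.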