Forum Discussion
effjaay
Feb 01, 2022 | Brass Contributor
DEVICE CONTROL USING ATTACK SURFACE REDUCTION
@all Who has successfully used ASR to Block Removable drives while still allowing several drives using their PID/VID Identifier
ambarishrh
Iron Contributor
effjaay We recently had a one month long ticket regarding this (With Intune, Windows Engineering team and a lot more members from MS), finally ended up using OMA URI for blocking USB. Here are the settings:
- From Endpoint.microsoft.com > Devices > Windows > Configuration profiles
- Create a new profile with Platform selected as "Windows 10 and later"
- Profile type selected as "Templates" and then the template name "custom"
- Under OMA-URI settings, add the following settings:
First entry - This is to allow specific USB devices (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationallowinstallationofmatchingdeviceids) - Name: allow_usb
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- Data type: String
- Value: <enabled/><Data id="DeviceInstall_IDs_Allow_List" value="1USBSTOR\DiskSMI_____USB_DISK________11002USBSTOR\DiskVendorCoProductCode_____2.003USBSTOR\CdRomImation_Slim_DVD____________"/>
[The number 1 at the beginning of the value denotes the first device, number 2 as second device and so on]
Second entry - For accepting the layered block/allow policies (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationenableinstallationpolicylayering) - Name: applied_layered
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
- Value: <enabled/><data id="AllowDenyLayered" value="1"/>
Third entry - Block devices based on device classes (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallationpreventinstallationofmatchingdevicesetupclasses) - Name: prevent_installation
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
- Data type: String
- Value: <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1{4d36e967-e325-11ce-bfc1-08002be10318}2{4d36e965-e325-11ce-bfc1-08002be10318}"/>
Fourth entry - For blocking mobile devices but allowing USB charging (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemovableStorageAccess::WPDDevices_DenyRead_Access_1) - Name: block_mobile
- OMA-URI: ./Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice
- Value: <enabled/><data id="Deny_Read" value="1"/>
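An added example, not from anyone in this thread: a PowerShell script that collects the USBSTOR hardware IDs of attached USB storage devices, encodes them in the numbered "1<id>2<id>3<id>" form the allow-list value above uses, prints the three DeviceInstallation OMA-URI string values, and then reads back what the client enforced. The registry path and value names under DeviceInstall\Restrictions are my assumption about where the CSP writes the policy, not something the post states.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a Windows 10+ client.
# Step 1: hardware IDs of the USB storage devices currently plugged in. These are the
# "USBSTOR\Disk<Vendor><Product><Rev>" strings that the allow list expects.
$ids = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    } |
    Where-Object { $_ -like 'USBSTOR\Disk*' -or $_ -like 'USBSTOR\CdRom*' } |
    Sort-Object -Unique

# Step 2: encode a list as "1<item>2<item>..." (the convention noted in the post).
function ConvertTo-DeviceInstallList {
    param([string[]]$Items)
    $i = 0
    return ($Items | ForEach-Object { $i++; "$i$_" }) -join ''
}

$allowValue  = ConvertTo-DeviceInstallList -Items $ids
# Disk drives and CD/DVD setup classes, as in the third entry above.
$denyClasses = ConvertTo-DeviceInstallList -Items @(
    '{4d36e967-e325-11ce-bfc1-08002be10318}',
    '{4d36e965-e325-11ce-bfc1-08002be10318}')

# Step 3: the three string values to paste into the custom Intune profile.
Write-Output "AllowInstallationOfMatchingDeviceIDs:"
Write-Output "<enabled/><Data id=`"DeviceInstall_IDs_Allow_List`" value=`"$allowValue`"/>"
Write-Output "EnableInstallationPolicyLayering:"
Write-Output "<enabled/><data id=`"AllowDenyLayered`" value=`"1`"/>"
Write-Output "PreventInstallationOfMatchingDeviceSetupClasses:"
Write-Output "<enabled/><data id=`"DeviceInstall_Classes_Deny_Retroactive`" value=`"true`"/><Data id=`"DeviceInstall_Classes_Deny_List`" value=`"$denyClasses`"/>"

# Step 4 (assumed registry layout): after the profile syncs, confirm the enforced policy
# rather than trusting the Intune status page. Missing keys mean the policy did not land.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
if (Test-Path $restrictions) {
    Get-ItemProperty -Path $restrictions |
        Select-Object AllowDeviceIDs, DenyDeviceClasses, DenyDeviceClassesRetroactive, AllowDenyLayered
    foreach ($sub in 'AllowDeviceIDs', 'DenyDeviceClasses') {
        $p = Join-Path $restrictions $sub
        if (Test-Path $p) { Write-Output "--- $sub ---"; Get-ItemProperty -Path $p }
    }
} else {
    Write-Output "No DeviceInstall restrictions found; the profile has not applied to this device."
}
```

A device that was already installed before the policy arrived is only affected by the class block because the Retroactive flag is set; re-run the script after a sync to see whether the allow-list entries appear before assuming a drive will keep working.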
effjaay
Feb 10, 2022 | Brass Contributor
@Ambarish I also got it to work using this MS doc: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection?view=o365-worldwide