MDE Device Control – Leveraging Reusable Settings in Intune
Published Aug 21 2023 08:47 AM 15.3K Views

Introduction 

Hello everybody! We are Jorge Miguel Ferreira and Sebastian Werner and we’re consultants at Microsoft. This blog post will show you how to set up Microsoft Defender for Endpoint (MDE) Device Control Removable Storage Access Control (LINK Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m...). 

 

There are many ways of configuring this feature, such as GPOs, custom OMA-URIs and Intune, specifically using the new reusable settings feature in the Attack Surface Reduction (ASR) rules. This blog post will focus on the new ASR rules in Intune. 

Note: this is not about controlling device installation (that is covered in this LINK: Microsoft Defender for Endpoint Device Control Device Installation). In this blog, we’ll only cover removable storage access control. 

 

We will cover some common scenarios, such as: 

  1. Scenario 1 - Blocking write access to all removable storage for all users with exceptions for specific removable storage 
  2. Scenario 2 - Blocking write access to all removable storage for specific users groups on specific machine groups (e.g. specialized hardware) 
  3. Scenario 3 - Block read and write access to specific devices 
  4. Scenario 4 – Block CD/DVDs 

 

Prerequisites 

As of July 2023, for this to work, you will need to have access to a machine where the following conditions are met: 

  • a supported version of Windows 10 or Windows 11 (in our lab we used Windows 22H2 July 2023 CU) 

 

General information 

In MDE, we can match devices against various identifiers. This allows for both either very broad targeting, when using PrimaryId (RemovableMediaDevices, CdRomDevices, WpdDevices or PrinterDevices) or granular targeting when using IDs like DeviceId.  

You can find a list of supported IDs to match here: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m... 

We will use a number of these IDs in the following examples. 

  

Now let’s deep dive in our scenarios: 

Scenario 1 - Blocking write access to all removable storage for all users with exceptions for specific removable storage 

 

For this scenario, the first thing we need is to create multiple reusable settings to match both all removable storage devices as well as the specific devices for the exceptions. 

Start by navigating to the ASR section in Endpoint Security in Intune. From here, create the first reusable settings that will match All Removable Storage [RemovableMediaDevices]:  

Jorge_Miguel_Ferreira_0-1692631033611.png

 

 

Jorge_Miguel_Ferreira_1-1692631033613.png

 

 

Jorge_Miguel_Ferreira_2-1692631033615.png

 

 

Jorge_Miguel_Ferreira_3-1692631033619.png

 

 

Jorge_Miguel_Ferreira_4-1692631033621.png

 

Now we will create a second Reusable Setting that will match our test USB pen, that has the following FriendlyNameId: USB DISK 2.0 USB Device. 

Note that you can filter by many different properties and you need to identify which is the most correct for your scenario. 

 

Jorge_Miguel_Ferreira_5-1692631353717.png

 

 

After creating both Reusable Settings we will have the following: 

Jorge_Miguel_Ferreira_6-1692631353719.png

 

Once the reusable settings are set up, we can start creating the ASR policy. Create a new ASR policy for Device Control and give it a name. 

Jorge_Miguel_Ferreira_7-1692631353721.png

 

 

Jorge_Miguel_Ferreira_8-1692631353723.png

 

 

Scroll all the way to the bottom of the configuration, this is where you can apply the reusable settings you previously created. You can choose to either include or exclude based on the reusable settings. To block all removable storage and exclude specific devices, set up a policy like this: 

Jorge_Miguel_Ferreira_9-1692631353725.png

 

 Click on the option below Included ID and select the reusable setting that covers all the Removable Storage - in our case All Removable Storage. 

Jorge_Miguel_Ferreira_10-1692631353729.png

 

Click on the option below Excluded ID and select the reusable setting of the Removable Storage you want to exclude - in our case EMTEC USB drive. 

  

Jorge_Miguel_Ferreira_11-1692631353734.png

 

Click on the option + Edit Entry and fill it like in the picture below  

 

Jorge_Miguel_Ferreira_12-1692631353736.png

 

 We continued the configuration of the policy, applying it to a machine group that contains our test Windows 10 device. 

 

Result of Scenario 1 

With the policy we created, we only allow to write data to the EMTEC USB drive.   

Jorge_Miguel_Ferreira_13-1692631353743.png

 

 Any other device with a different FriendlyNameId will not be allowed to write data to it. 

Jorge_Miguel_Ferreira_14-1692631353752.png

 

Scenario 2 - Blocking write access to all removable storage for specific user groups on specific machine groups (e.g. specialized hardware) 

 

Just like in scenario 1, start by creating a reusable settings to match all removable storage devices (in our case we added in the Included ID  the reusable setting All Removable Storage). 

Jorge_Miguel_Ferreira_15-1692631607723.png

 

 For this scenario we don’t want to exclude anything so nothing is configured in the Excluded ID. 

 

When applying the reusable setting in the ASR, notice the field Sid and Computer Sid you can set per entry. When you do not set this, the setting will apply to all users and all devices that are in scope for the ASR policy. Using the two SID fields allows you to filter the assignment to specific users, groups and/or devices. Even though it says SID, you can either use the SID of an AD object or alternatively the object ID of an Azure AD object.  

 

You can get the object ID for any AAD user, group or device by navigating to the AAD portal, search for the user/group/device you want to include in the policy and grab the object ID from the details view of the object. 

 

For our example we got the Sid of a specific user and we denied Write Permissions and allowed Read and Execute (for that specific user). 

Jorge_Miguel_Ferreira_16-1692631607726.png

 

We continued the configuration of the policy applying it to a machine group that contains our test Windows 10 device. 

 

Result of Scenario 2 

With this policy, the user configured in the Sid option (in this case Debra Berger) on the test Windows 10 device cannot write to any Removable Storage. Other users on the same device are unaffected. 

Jorge_Miguel_Ferreira_17-1692631607734.png

 

Scenario 3 - Block read and write access to specific devices 

 

For this scenario, we can reuse the USB thumb drive reusable setting from scenario 1, we only need to change the ASR rule to block read, write, and execute for this specific removable storage. 

Jorge_Miguel_Ferreira_18-1692631756194.png

 

 

Jorge_Miguel_Ferreira_19-1692631756197.png

Result of Scenario 3 

With this policy, no user can read/write to the EMTEC USB drive on the test Windows device. All other Removable storage devices would work just fine. 

Jorge_Miguel_Ferreira_20-1692631756201.png

 

Scenario 4 - Block access to CD/DVDs 

 

For this scenario, the first thing we need is to create reusable settings to match the CdRomDevices. 

Jorge_Miguel_Ferreira_21-1692631810256.png

 

Then create an ASR rule to block read, write, and execute for the CD/DVD Devices reusable setting. In the entry we have the following: 

Jorge_Miguel_Ferreira_22-1692631810258.png

 

Apply it to the devices in scope for the test (in our test all devices). 

 

Result of Scenario 4 

 

With this policy, no user can access CD/DVD devices (including ISO files mounted in Windows Explorer). 

Jorge_Miguel_Ferreira_23-1692631810261.png

 

Jorge_Miguel_Ferreira_24-1692631810267.png

 

Troubleshooting information 

To figure out if the newest version of your policy has been installed/applied on the device, there’s one registry key that can help in troubleshooting: 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ 

 

In this registry key there are 2 REG_SZ that contain the PolicyGroups and PolicyRules applied.  

 

Those entries hold the effective groups configuration that applies to the device. The second REG_SZ stores the effective policy for removable storage access control. Both keys hold the configuration in XML format. If you export the key you’ll get the following: 

 

Windows Registry Editor Version 5.00 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager] 

"PolicyGroups"="<PolicyGroups> 
<Group Id=\"{6e4d54dd-03cb-45aa-85c7-fc291c7b02b0}\"> 
<MatchType>MatchAny</MatchType> 
<DescriptorIdList> 
<PrimaryId>CdRomDevices</PrimaryId> 
</DescriptorIdList> 
</Group></PolicyGroups> 
" 

"PolicyRules"="<PolicyRules> 
<PolicyRule Id=\"{894c911f-53cc-4a56-af14-56e014c7fb34}\"> 
<Name>Block All CD/DVDs</Name> 
<IncludedIdList> 
<GroupId>{6e4d54dd-03cb-45aa-85c7-fc291c7b02b0}</GroupId> 
</IncludedIdList> 
<Entry Id=\"{b156989e-4aa7-4a94-a452-03c01386d3a3}\"> 
<Type>Deny</Type> 
<Options>0</Options> 
<AccessMask>7</AccessMask> 
</Entry> 
</PolicyRule></PolicyRules> 

" 
 

Conclusion 

As seen in the examples above it’s simple to configure now Device Control policies via Intune with this new option. And the possibilities are very extensive. 

 

Additional references 

  

 

 

 

 

2 Comments
Version history
Last update:
‎Aug 21 2023 11:51 AM
Updated by: