New device control capabilities to manage removable storage media access in Microsoft Intune
Published Oct 31 2022 09:30 AM

By: Laura Arrizza – Product Manager | Microsoft Intune


Intune is excited to announce new device control capabilities that allow greater flexibility for enhanced endpoint security. This feature lets IT admins manage access to and use of removable storage devices, such as USB and solid-state drives, on Intune-managed devices. Admins can configure allow, block, or audit permissions for read, write, and execute access to specific removable storage devices, enabling scenarios such as allowing only authorized users to have write access to a set of authorized USB drives, or preventing read access to specific removable storage for specific user groups on a shared PC.


To use this feature, customers can target and configure device control policies for devices running Windows 10 and later that have the latest anti-malware client version. The settings leverage Microsoft Defender for Endpoint device control, as detailed in Microsoft Defender for Endpoint Device Control Removable Storage Access Control.


Create a reusable setting group

To begin, admins will need to set up a reusable setting group. The reusable setting group allows for the same settings to be applied across multiple devices. To configure reusable settings, navigate to the Endpoint Security pane and select the Attack surface reduction section in the Endpoint Manager admin center. There will be a new tab available to manage “Reusable setting groups.” You will see groups of removable storage media that can later be referenced when defining the device control policy. The tab also shows existing groups and the number of device control policies that are inheriting the group properties.


A screenshot of the Attack surface reduction setup on the Endpoint security pane in Intune.


To create a new reusable setting group, select Add and give the setting group a name and description. Next, define the list of removable storage media. Up to 100 entries can be listed in a single reusable setting group. Each removable storage device can be given a name and referenced by any of its device properties. To find the property value for a given media, right-click on it in Device Manager and select Properties to view the removable storage device information. Once the set of media has been defined, you can choose how multiple device properties are combined via the “Match type” setting.


A screenshot of configuring reusable settings in the Endpoint Manager admin center.

Create a new device control policy

After the reusable group has been saved and successfully created, the admin can create a new device control policy, which now includes the option to configure the removable storage access control settings.


To begin, navigate to Endpoint security > Attack surface reduction > Create policy and name the setting. Select the reusable setting group(s) that contain the removable storage media to either include in or exclude from the defined access control rule. Then select Edit entry and define each access control instance: name the instance, then select the allow, prevent, or audit action. Choose the level of access and scope the settings to a specific user or device group, as desired. Multiple entries can be added, allowing for flexible and granular control.


A screenshot of configuring a profile in the Attack surface reduction option in Intune.


Once complete, admins can target the policy using the Assignments tab. If any changes need to be made to the reusable setting groups, the linked policy will inherit them.


For customers who have access to the Microsoft 365 Defender portal with an E5 reporting subscription, audit events for covered access will appear in advanced hunting if auditing has been configured in the policy.


Example query script for event auditing.
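The screenshot above is not reproduced here, so the following is an added advanced hunting query (not the one from the original post) that pulls the device control audit events and rolls them up per user and per piece of media for triage. It assumes the DeviceEvents ActionType "RemovableStoragePolicyTriggered" and the AdditionalFields keys shown below, as documented for Defender for Endpoint device control; confirm them against your tenant's schema before relying on the query.

```kql
// Added example: triage view of removable storage device control events.
// Assumption: ActionType and AdditionalFields keys follow the Defender for
// Endpoint device control schema; verify in your tenant's schema reference.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess        = tostring(parsed.RemovableStorageAccess),
         RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict),
         RemovableStoragePolicy        = tostring(parsed.RemovableStoragePolicy),
         MediaBusType                  = tostring(parsed.BusType),
         MediaClassName                = tostring(parsed.ClassName),
         MediaInstanceId               = tostring(parsed.DeviceInstanceId),
         MediaName                     = tostring(parsed.MediaName),
         MediaVendorId                 = tostring(parsed.VendorId),
         MediaProductId                = tostring(parsed.ProductId),
         MediaSerialNumber             = tostring(parsed.SerialNumber)
// One row per user and physical media: repeated reads or writes to the same
// stick collapse into a count, while the sets show which access types and
// which policy verdicts (allow, block, audit) were applied to it.
| summarize Events    = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Devices   = make_set(DeviceName, 20),
            Accesses  = make_set(RemovableStorageAccess, 8),
            Verdicts  = make_set(RemovableStoragePolicyVerdict, 8),
            Policies  = make_set(RemovableStoragePolicy, 8)
    by InitiatingProcessAccountName, MediaName, MediaVendorId, MediaProductId,
       MediaSerialNumber, MediaInstanceId, MediaBusType, MediaClassName
| order by Events desc
```

Drop the summarize step to see individual events with Timestamp, FolderPath and FileSize, which is useful when investigating a single user or serial number surfaced by the rolled-up view.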


A screenshot of the Microsoft 365 Defender portal with example audit events.


If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Version history: last update Oct 27 2022 05:07 PM