Announcing new removable storage management features on Windows
Published Nov 21 2022 09:20 AM

External devices like USBs are common tools people use to support daily business tasks like saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they can also pose a threat to enterprise data, serving as a potential entry point for malware and viruses.


Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:

  • Gain write access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN


What’s new


Support for file parameters

We are pleased to announce that Defender for Endpoint now allows organizations to better control how users read, write, and execute specific files on removable storage. For example, by using the file name, path, or extension, Defender for Endpoint can block end users from executing any file with INK, BAT, BIN, CHM, CMD, COM, CPL, EXE extensions.
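As an added illustration (not taken from the original post), a file-parameter policy of the kind described above could look like the following. All GUIDs and the rule name are constructed placeholders, the extensions are a subset of those listed above, and the element names and the AccessMask and Options values are assumptions about the device control policy schema that should be checked against the current documentation.

```xml
<!-- Groups file. Constructed example: GUIDs are placeholders, schema details are assumptions. -->
<Groups>
  <!-- Devices the rule applies to: any removable storage -->
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <!-- File parameter group: match files by extension using path patterns -->
  <Group Id="{22222222-2222-2222-2222-222222222222}" Type="File">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PathId>*.bat</PathId>
      <PathId>*.cmd</PathId>
      <PathId>*.com</PathId>
      <PathId>*.exe</PathId>
    </DescriptorIdList>
  </Group>
</Groups>
<!-- Policy rules file (deployed separately from the groups file) -->
<PolicyRules>
  <PolicyRule Id="{33333333-3333-3333-3333-333333333333}">
    <Name>Block execution of listed file types from removable storage</Name>
    <IncludedIdList>
      <GroupId>{11111111-1111-1111-1111-111111111111}</GroupId>
    </IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <!-- Deny file-level execute (AccessMask 32) for files matching the File group -->
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>32</AccessMask>
      <Parameters MatchType="MatchAny">
        <File MatchType="MatchAny"><GroupId>{22222222-2222-2222-2222-222222222222}</GroupId></File>
      </Parameters>
    </Entry>
    <!-- Audit each denial: Options 3 = show a notification and send an event -->
    <Entry Id="{55555555-5555-5555-5555-555555555555}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>32</AccessMask>
      <Parameters MatchType="MatchAny">
        <File MatchType="MatchAny"><GroupId>{22222222-2222-2222-2222-222222222222}</GroupId></File>
      </Parameters>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

Pairing the Deny entry with an AuditDenied entry is what makes blocked execution attempts visible to investigators; a Deny entry alone blocks silently.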

For more details, please review Scenario 3 in our documentation found below:


Support for Azure AD machines or user group(s)

With this release, we are expanding the Sid and ComputerSid properties to support AD Object and Azure AD Object Id to satisfy the following common scenarios:

  • An admin who is looking to restrict removable storage device access for both users and their machines. An example of this would be only allowing specific users to interact with specific removable storage devices on a specific machine. In this case, the qualified user can only use an authorized removable storage device on an authorized machine.
  • An admin who is looking to use one policy for removable storage management, while using Sid and ComputerSid inside the policy to control which users or machine groups can access certain removable storage.

For details, please review our documentation found here: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions | Micros...


Capturing a file as evidence on a network share

An admin may want to track what files are being moved to an authorized removable storage device. The admin can create a policy to capture a copy of the file on their customized network share.

A new value added into the ‘Options’ attribute allows you to capture a copy of the file as evidence on the network share. The common scenario is as follows:

  • When an end user copies a file to an authorized removable storage device, device control will create a copy of the file as evidence on a network share.


Figure 1 - File information for removable storage event


Improvements to the removable storage access control investigation experience

After collecting user feedback, we found an opportunity to help improve investigation efficiency by providing device control events on the device timeline page. In addition to this improvement, we have made several other enhancements to the investigation experience over the last few months:   

  • The removable storage access control event has been added into the machine timeline under Microsoft 365 security portal -> Devices -> Device page -> Timeline:


Figure 2 - Removable storage events on machine timeline page


  • When a file-level policy is triggered, the file path and name will be captured in the event and documented in the Advanced Hunting Device Control reports.
  • The Device Control report under Reports -> Device control now receives updated data and visualizations in half the time, reducing latency from 12 hours to 6 hours.


Figure 3 - Device control report


Please take a look at Protect your organization's data with device control | Microsoft Learn for more details.


Network location as a condition

In scenarios where admins want to ensure better security across remote devices, they can enforce stricter policies on machines that are not connected to the corporate network by creating different device control policies based on a machine’s network location, using the recently created ‘Network’ and ‘VPNConnection’ group types to control these policies.


For more information, see our documentation: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m....



We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  


Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 


Microsoft Defender for Endpoint team

Last update: Nov 23 2022 10:42 AM