External devices like USB drives are common tools people use to support daily business tasks, such as saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they can also pose a threat to enterprise data, serving as a potential entry point for malware and viruses.
Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:
We are pleased to announce that Defender for Endpoint now allows organizations to better control users' read, write, and execute access to specific files on removable storage. For example, by matching on file name, path, or extension, Defender for Endpoint can block end users from executing any file with the INK, BAT, BIN, CHM, CMD, COM, CPL, or EXE extension.
For more details, please review Scenario 3 in our documentation found below:
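To make the extension-blocking scenario concrete from the defender's side, here is an added example that is not part of the Microsoft post or of Defender for Endpoint itself: a small offline linter that loads a removable storage access control policy (Groups and PolicyRules documents), resolves group references, decodes the AccessMask bits, and answers the question an admin actually wants answered before deployment: "would this policy deny execution of a given file on removable media?" The element names (Group Type="File" with PathId descriptors, Entry with Type/Options/AccessMask and a Parameters/File/GroupId reference) and the AccessMask bit values are my reading of the documented schema and are assumptions to verify against the current documentation; the policy text and GUIDs are constructed for this example.

```python
"""Offline linter for a constructed Defender for Endpoint removable storage policy.

Assumption: element names and AccessMask bit values follow my reading of the
documented schema; verify them against the current Microsoft documentation.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Assumed AccessMask bit values (disk-level bits 1/2/4, file-level bits 8/16/32).
ACCESS_BITS = {
    "DiskRead": 1, "DiskWrite": 2, "DiskExecute": 4,
    "FileRead": 8, "FileWrite": 16, "FileExecute": 32,
}

# Constructed sample: a device group for removable media and a file group for
# a subset of the extensions named in the post. GUIDs are placeholders.
GROUPS_XML = """<Groups>
  <Group Id="{00000000-0000-4000-8000-000000000001}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
  </Group>
  <Group Id="{00000000-0000-4000-8000-000000000002}" Type="File">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PathId>*.exe</PathId><PathId>*.bat</PathId>
      <PathId>*.cmd</PathId><PathId>*.cpl</PathId>
    </DescriptorIdList>
  </Group>
</Groups>"""

# Constructed sample: one Deny rule that refuses file-execute access (bit 32)
# for the file group above when the device is removable media.
RULES_XML = """<PolicyRules>
  <PolicyRule Id="{00000000-0000-4000-8000-0000000000a1}">
    <Name>Block executable files on removable media</Name>
    <IncludedIdList><GroupId>{00000000-0000-4000-8000-000000000001}</GroupId></IncludedIdList>
    <ExcludedIdList/>
    <Entry Id="{00000000-0000-4000-8000-0000000000e1}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>32</AccessMask>
      <Parameters MatchType="MatchAll">
        <File MatchType="MatchAny">
          <GroupId>{00000000-0000-4000-8000-000000000002}</GroupId>
        </File>
      </Parameters>
    </Entry>
  </PolicyRule>
</PolicyRules>"""


def load_groups(xml_text):
    """Return {group_id: (group_type, [descriptor values])}."""
    groups = {}
    for g in ET.fromstring(xml_text).iter("Group"):
        descriptors = [d.text.strip() for d in g.find("DescriptorIdList")]
        groups[g.get("Id")] = (g.get("Type"), descriptors)
    return groups


def load_rules(xml_text):
    """Return a list of rules with their included groups and decoded entries."""
    rules = []
    for r in ET.fromstring(xml_text).iter("PolicyRule"):
        entries = [{
            "type": e.findtext("Type"),
            "options": int(e.findtext("Options", "0")),
            "mask": int(e.findtext("AccessMask", "0")),
            "file_groups": [x.text.strip() for x in e.findall("Parameters/File/GroupId")],
        } for e in r.iter("Entry")]
        rules.append({
            "name": r.findtext("Name"),
            "included": [x.text.strip() for x in r.findall("IncludedIdList/GroupId")],
            "entries": entries,
        })
    return rules


def access_names(mask):
    """Decode an AccessMask integer into the access types it covers."""
    return [name for name, bit in ACCESS_BITS.items() if mask & bit]


def matches_file_group(filename, group):
    gtype, patterns = group
    # PathId patterns are treated as case-insensitive globs on the file name.
    return gtype == "File" and any(
        fnmatch.fnmatchcase(filename.lower(), p.lower()) for p in patterns)


def execution_denied(filename, groups, rules):
    """True if a Deny entry with the FileExecute bit covers filename on removable media."""
    for rule in rules:
        targets_removable = any(
            "RemovableMediaDevices" in groups.get(gid, ("", []))[1] for gid in rule["included"])
        if not targets_removable:
            continue
        for entry in rule["entries"]:
            if entry["type"] != "Deny" or not entry["mask"] & ACCESS_BITS["FileExecute"]:
                continue
            if any(matches_file_group(filename, groups[gid])
                   for gid in entry["file_groups"] if gid in groups):
                return True
    return False


def lint(groups, rules):
    """Structural checks that catch policies which silently do nothing."""
    findings = []
    for rule in rules:
        if not rule["included"]:
            findings.append(f"{rule['name']}: IncludedIdList is empty, rule applies to nothing")
        refs = rule["included"] + [g for e in rule["entries"] for g in e["file_groups"]]
        findings += [f"{rule['name']}: references undefined group {g}" for g in refs if g not in groups]
        findings += [f"{rule['name']}: {e['type']} entry has AccessMask 0 and no effect"
                     for e in rule["entries"] if e["mask"] == 0]
    return findings


if __name__ == "__main__":
    groups, rules = load_groups(GROUPS_XML), load_rules(RULES_XML)
    print("lint findings:", lint(groups, rules) or "none")
    for name in ("Setup.EXE", "run.cmd", "report.docx"):
        print(f"{name}: execution denied = {execution_denied(name, groups, rules)}")
```

Run it before pushing a policy: an empty lint result plus the expected answers for a handful of representative file names is a cheap pre-deployment check, and the same functions can be pointed at exported production policy files instead of the constructed strings.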
With this release, we are expanding the Sid and ComputerSid properties to support AD Object and Azure AD Object Id to satisfy the following common scenarios:
For details, please review our documentation found here: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions | Micros...
An admin may want to track what files are being moved to an authorized removable storage device. The admin can create a policy to capture a copy of the file on their customized network share.
A new value for the ‘Options’ attribute lets you capture a copy of the file as evidence on the network share. The common scenario is as follows:
Figure 1 - File information for removable storage event
After collecting user feedback, we found an opportunity to help improve investigation efficiency by providing device control events on the device timeline page. In addition to this improvement, we have made several other enhancements to the investigation experience over the last few months:
Figure 2 - Removable storage events on machine timeline page
Figure 3 - Device control report
Please take a look at Protect your organization's data with device control | Microsoft Learn for more details.
In scenarios where admins want stronger security for remote devices, they can enforce stricter policies on machines that are not connected to the corporate network by creating different device control policies based on a machine’s network location, using the recently added ‘Network’ and ‘VPNConnection’ group types to scope those policies.
For more information, see our documentation: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m....
We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.
Microsoft Defender for Endpoint team