
Block USB Drive by Serial Number

I would love to see the ability to block a USB drive by its serial number in Defender.

When you see a USB storage device as the origin of a new threat introduced on the network it would be great to block it so it cannot continue to spread.

 

So far the only thing that works for me is:

  • Block by Class ID, which blocks all devices within that class, for example all USBs.
  • Block all external storage

I would like to block based on serial number. That might be possible by creating custom policies through Configuration policy.

 

Notes:

I do not want to block all USB drives. Auto USB actions already blocked. 

 

3 Replies

Hello @robarismail,

 

Please check these articles:

Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub

Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m...

 

We did it for several customers and it worked well.

 

"I do not want to block all USB drives. Auto USB actions already blocked." --- you can block only specific USB drives based on their HardwareID, SerialNumberId, etc.

 

Hello @mikhailf,

 

Thank you for the reply. In the article Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub they are creating 2 "group" XML files and 1 "policy" XML file.

 

* The first group is the Group XML that will specify the type of mass storage. 

* The second group is to modify the XML file for your approved USB list. - Why is this needed? I want to approve all besides the ones I want to block with serial number.

* The third file which is the policy file

 

Br,

Robar

This is only an example.
Based on the second link you can build another policy: Specify the type of mass storage, create a group with blocked USBs, and for that group configure the access (Block in your case).
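
The approach in the last reply, sketched as an added example that is not part of any post in this thread or of the linked articles: one device group listing the drives to block by `SerialNumberId`, and one policy rule that denies access to that group, with no approved-USB group. Element names follow the Defender device control XML schema as I understand it; every GUID and serial number is a constructed placeholder, and the example assumes no other rule or default-deny setting is in force, so drives outside the group stay allowed.

```xml
<!-- File 1: group XML. The drives to block, matched by serial number.
     GUIDs and serial numbers below are constructed placeholders. -->
<Groups>
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <!-- MatchAny: a drive belongs to the group if any one descriptor matches -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <SerialNumberId>PLACEHOLDER-SERIAL-0001</SerialNumberId>
      <SerialNumberId>PLACEHOLDER-SERIAL-0002</SerialNumberId>
    </DescriptorIdList>
  </Group>
</Groups>

<!-- File 2: policy XML. Applies only to the group above; it is a separate
     file and is deployed separately from the group XML. -->
<PolicyRules>
  <PolicyRule Id="{22222222-2222-2222-2222-222222222222}">
    <Name>Deny USB drives listed by serial number</Name>
    <IncludedIdList>
      <!-- Must equal the Id of the group in file 1 -->
      <GroupId>{11111111-1111-1111-1111-111111111111}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <!-- Deny read (1) + write (2) + execute (4) = AccessMask 7 -->
    <Entry Id="{33333333-3333-3333-3333-333333333333}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <!-- Audit the denials: Options 3 = notify the user and record an event -->
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

When a further drive shows up as the origin of a threat, adding its serial number as another `SerialNumberId` line in the group is the only change needed; the policy rule stays as it is.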