Nov 01 2022 12:21 PM
When you see a USB storage device as the origin of a new threat introduced on the network it would be great to block it so it cannot continue to spread.
So far the only thing that works for me is:
I would like to block based on serial number. That might be possible creating custom policies through Configuration policy.
Notes:
I do not want to block all USB drives. Auto USB actions already blocked.
Nov 02 2022 12:48 AM
Hello @robarismail,
Please, check these articles:
Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub
We did it for several customers and it worked well.
"I do not want to block all USB drives. Auto USB actions already blocked." --- you can block only specific USB drives based on their HardwareID, SerialNumberId, etc.
Nov 02 2022 01:31 AM
Hello @mikhailf,
Thank you for the reply. In the article Block USB in Microsoft Defender for Endpoint and Intune - Microsoft Community Hub they are creating 2 "group" XML files and 1 "policy" XML file."
* The first group is the Group XML that will specify the type of mass storage.
* The second group it to modify the XML file for your approved USB list. - Why is this needed, I want to approve all besides the ones I want to block with serial number?
* The third file which is the policy file
Br,
Robar
Nov 02 2022 01:38 AM