DEVICE CONTROL USING ATTACK SURFACE REDUCTION


@all Who has successfully used ASR to block removable drives while still allowing several drives using their PID/VID identifier?

2 Replies

@effjaay We recently had a month-long ticket regarding this (with Intune, the Windows Engineering team and a lot more members from MS), and finally ended up using OMA-URI for blocking USB. Here are the settings:

  • From Endpoint.microsoft.com > Devices > Windows > Configuration profiles
  • Create a new profile with Platform selected as "Windows 10 and later"
  • Profile type selected as "Templates" and then the template name "custom"
  • Under OMA-URI settings, add the following settings:

    First entry - This is to allow specific USB devices (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#devicei...)
    • Name: allow_usb
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • Data type: String
    • Value: <enabled/><Data id="DeviceInstall_IDs_Allow_List" value="1&#xF000;USBSTOR\DiskSMI_____USB_DISK________1100&#xF000;2&#xF000;USBSTOR\DiskVendorCoProductCode_____2.00&#xF000;3&#xF000;USBSTOR\CdRomImation_Slim_DVD____________"/>

    [The number 1 at the beginning of the value denotes the first device, number 2 the second device, and so on]

    Second entry - For accepting the layered block/allow policies (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#devicei...)
    • Name: applied_layered
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
    • Value: <enabled/><data id="AllowDenyLayered" value="1"/>

    Third entry - Block devices based on device classes (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#devicei...)
    • Name: prevent_installation
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    • Data type: String
    • Value: <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e967-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e965-e325-11ce-bfc1-08002be10318}"/>

    Fourth entry - For blocking mobile devices but allowing USB charging (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.RemovableStorageAccess::WPDDev...)
    • Name: block_mobile
    • OMA-URI: ./Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice
    • Value: <enabled/><data id="Deny_Read" value="1"/>
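As an added worked example (not code from the original thread, from the poster, or from Microsoft), the PowerShell below does the three things an admin ends up doing by hand with the settings above: it reads the hardware IDs of the USB storage devices attached to a reference machine, builds the `1&#xF000;id&#xF000;2&#xF000;id` list value that the DeviceInstallation policies expect (and decodes such a value back into its entries so an existing profile can be reviewed), and after an Intune sync checks that the policy actually landed on the device. The function names are my own. The registry value names it checks (`AllowDeviceIDs`, `DenyDeviceClasses`, `AllowDenyLayered` and the numbered entries under the `AllowDeviceIDs` and `DenyDeviceClasses` subkeys) are the ones the Group Policy equivalents of these settings write under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions`; that the ADMX-backed CSP writes the same location is an assumption to confirm on your own tenant.

```powershell
# Added example, not from the original thread. Assumes a Windows 10/11 device with the
# drives to be allowed attached, and that the DeviceInstallation CSP writes the same
# policy registry keys as the equivalent Group Policy settings.

function Get-UsbStorageHardwareId {
    # Most specific hardware ID of each attached USB mass-storage device
    # (the USBSTOR\Disk... form used in the allow list above).
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data |
                Select-Object -First 1
        }
}

function ConvertTo-OmaUriListValue {
    param(
        [Parameter(Mandatory)][string]$DataId,
        [Parameter(Mandatory)][string[]]$Items
    )
    # ADMX-backed list policies take "1<U+F000>item1<U+F000>2<U+F000>item2..."; in the
    # OMA-URI string the separator is written as the XML character reference &#xF000;.
    $sep = '&#xF000;'
    $parts = for ($i = 0; $i -lt $Items.Count; $i++) {
        ($i + 1)
        [System.Security.SecurityElement]::Escape($Items[$i])
    }
    $list = $parts -join $sep
    return "<enabled/><Data id=""$DataId"" value=""$list""/>"
}

function ConvertFrom-OmaUriListValue {
    param([Parameter(Mandatory)][string]$Value)
    # Reverse direction: drop the 1,2,3 index tokens and return the device IDs/classes,
    # so an existing profile value can be checked entry by entry.
    if ($Value -notmatch 'value="([^"]*)"') { return @() }
    $tokens = $Matches[1] -split '&#xF000;'
    for ($i = 1; $i -lt $tokens.Count; $i += 2) {
        [System.Net.WebUtility]::HtmlDecode($tokens[$i])
    }
}

function Get-PolicyListEntry {
    param([Parameter(Mandatory)][string]$KeyPath)
    # The list policies store one REG_SZ per entry, named 1, 2, 3 ... under a subkey.
    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath
    $names = $key.GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ }
    foreach ($name in $names) { $key.GetValue($name) }
}

function Test-DeviceInstallPolicyApplied {
    # Run after "Sync" in Company Portal / Intune: confirms the allow list, the class
    # deny list and the layering flag all arrived, so a blocked drive is not misdiagnosed
    # as a policy-ordering problem when the profile simply has not applied yet.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Applied = $false } }
    $r = Get-ItemProperty -Path $base
    [pscustomobject]@{
        Applied            = $true
        AllowListEnabled   = [bool]$r.AllowDeviceIDs
        AllowedIds         = @(Get-PolicyListEntry -KeyPath "$base\AllowDeviceIDs")
        DenyClassesEnabled = [bool]$r.DenyDeviceClasses
        DeniedClasses      = @(Get-PolicyListEntry -KeyPath "$base\DenyDeviceClasses")
        Layered            = [bool]$r.AllowDenyLayered
    }
}

# Usage: plug the approved drives into a reference machine, build the value to paste
# into the allow_usb entry, then on a managed device verify what was applied.
$ids = @(Get-UsbStorageHardwareId)
$allowValue = ConvertTo-OmaUriListValue -DataId 'DeviceInstall_IDs_Allow_List' -Items $ids
$allowValue
ConvertFrom-OmaUriListValue -Value $allowValue
Test-DeviceInstallPolicyApplied | Format-List
```

Two design points: the allow list is matched against hardware IDs, so the first (most specific) entry from `DEVPKEY_Device_HardwareIds` is used, which is the form that includes the revision (the `1100` / `2.00` suffix in the values above); and the verification function returns an object rather than printing, so it can be dropped into a detection script or a compliance check and compared against the list you intended to deploy.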