Protect your removable storage and printers with Microsoft Defender for Endpoint

Published Jul 19 2021 11:07 AM 7,554 Views
Microsoft

UPDATE: The Printer protection is now General Availability. We have backported the feature, so now it supports Windows 1809, 1909, 2004 or later.

 

External devices such as USB and home printers are commonplace tools needed to complete daily business operations. These devices help employee productivity, but also pose a threat to enterprise data and serve as a potential entry point for malware and viruses. The move to remote work due to COVID-19 over the last year has raised the risk to another level.

 

End user activities represent one of the most common threat vectors and Microsoft Defender for Endpoint brings a compelling story for organizations looking to reduce their security exposure associated with removable media and printing.

 

We are excited to announce new device control capabilities in Microsoft Defender for Endpoint to secure removable storage scenarios on Windows and macOS platforms and offer an additional layer of protection for printing scenarios. These new device control capabilities further reduce the potential attack surface on user’s machines and safeguard organizations against malware and data loss in removable storage media scenarios.

 

Overview

 

Feature Availability Documentation

Removable storage access control on Windows

General Availability (Defender version 4.18.2106 or later)

Removable storage access control

Removable storage protection on Mac

General Availability (Defender (Mac) version 101.34.20 or later)

Device control for macOS

Printer protection

General Availability (Windows 1809, 1909, 2004 or later)

Printer protection on Windows

 

What’s new

 

Removable storage access control on Windows

We are bringing removable storage access control capabilities on Windows to complement our existing device control protection in scenarios such as Device Installation, removable storage Endpoint DLP, and removable storage BitLocker.

 

The new feature allows to Audit/Allow/Prevent Read, Write, or Execute access to removable storage based on various device properties, e.g., Vendor ID, Serial Number, Friendly Name, with or without an exclusion.

 

Removable storage protection on Mac

We also recently introduced removable storage protection capabilities on Mac. USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies. You can find more details in our Mac USB storage device control blog.

 

  • The capability supports Audit and Block enforcement levels.
  • USB device access can be set to Read, Write, Execute, No access.
  • To achieve a high degree of granularity, USB access level can be specified for Product ID, Vendor ID, and Serial Number.
  • The custom policy allows customization of the URL where user is redirected to when interacting with an end user facing “device restricted” notification.

 

Printer protection on Windows

The new printer protection feature allows you to block users from printing via a non-corporate network printer or non-approved USB printer. This adds an additional layer of security and data protection for work from home and remote work scenarios.

 

Getting started

The next few sections will go over how to get started deploying and using the new device control capabilities.

 

How to deploy removable storage access control on Windows

Removable storage access control policies can be applied for a user or machine via GPO (group policy object). The feature includes group configuration policy and access control policy.

 

For example, here is the most common scenario: Prevent Write and Execute access to all but allow specific approved USBs.

Step 1: Create groups

  • Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group 9b28fae8-72f7-4267-a1a5-685f747a7146 in the sample Any Removable Storage and CD-DVD Group.xml file.
  • Group 2: Approved USBs based on device properties. An example for this use case is: Instance ID – Group 65fa649a-a111-4912-9294-fb6337a25038 in the sample Approved USBs Group.xml file.

Step 2: Create policy

 

 

Deploy policy via Group Policy

  1. Combine all groups within <Groups> </Groups> into one xml file.

The following image illustrates the example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_0-1626453194255.png

 

 

  1. Combine all rules within <PolicyRules> </PolicyRules> into one xml file.

If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.

 

The following image illustrates the usage of SID property, and an example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_1-1626453287080.png

 

 

  1. Save both rule and group XML files on network share folder and put network share folder path into the Group Policy setting: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: ‘Define device control policy groups’ and ‘Define device control policy rules’. If you cannot find the policy configuration UX in the Group Policy, you can download the WindowsDefender.adml and WindowsDefender.admx file by clicking 'Raw' and 'Save as'.

The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.

 

Here is an example of configuring policy on Group Policy:

Tewang_Chen_2-1626453320757.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

 

Tewang_Chen_3-1626453367501.png

 

 

For more information, see Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs.

 

 

How to protect removable storage on Mac

To learn more about Mac USB storage device control, refer to our recent Mac USB storage device control blog. For a more in-depth overview of this capability and step by step guidance on configuring USB device control policies on macOS, refer to our Mac USB device control public documentation.

 

View Mac device control data in Microsoft Defender for Endpoint

USB device mount/unmount events on Mac devices can be viewed in Microsoft 365 Defender and in the Microsoft Defender Security Center via advanced hunting and in the device timeline.

 

Here is an advanced hunting query example:

 

DeviceEvents

    | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"

    | where DeviceId == "<device ID>"

 

And that is how the above advanced hunting query looks like in the security center:

Tewang_Chen_4-1626453401628.png

 

Here is an example of Mac USB device control event in the device timeline page:

Tewang_Chen_5-1626453427502.png

 

 

How to deploy printer protection on Windows

To deploy printer protection on Windows, you can apply the policy for users or machines via GPO or Intune/OMA-URI.

 

Deploy policy via Intune OMA-URI

For Intune, currently printer protection supports Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting (Microsoft Endpoint Manager admin center: Devices -> Configuration profiles -> Create profile -> Platform: Windows 10 and later; Profile type: Templates -> Custom) only.

 

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser

The CSP support string Data type with Value: 

Tewang_Chen_6-1626453462676.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser

The CSP support string Data type with approved USB printer VID/PID via ‘ApprovedUsbPrintDevices’ property and the property supports multiple VID/PIDs via comma. Currently does not support wildcard.

 

The following is a policy allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872 - <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>:

Tewang_Chen_7-1626453565826.png

 

 

Deploy policy via Group Policy

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: Enable Device control Printing Restrictions
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: Enable Device control Printing Restrictions

Following is an example of configuring the policy in Group Policy:

Tewang_Chen_8-1626453596023.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: List of Approved USB-connected print devices
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: List of Approved USB-connected print devices

Following is an example allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872:

Tewang_Chen_9-1626453625977.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

Tewang_Chen_10-1626453655550.png

 

 

For more information, see our documentation: Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs

 

 

We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 

 

Microsoft Defender for Endpoint team

9 Comments
Visitor

Hi there, the example that is provided for the device control via group policy has multiple ‘policy rule IDs’. Which looks good for multiple ‘whitelist’ permission AD groups (Sids). E.g.  USB group 1, USB group 2, camera users, CDwriter etc. Can this be achieved in OMA-URI? As it looks like each ‘policy rule ID’ needs a separate OMA-URI profile, as each ‘policy rule ID’ makes up part of the OMA-URI line in the setup in Intune. In which case, what is the precedence mechanic? If a user is in multiple AD groups, which policy applies? E.g. a USB and CDwriter user. And what is the precedence for conflicts for the group policy XML? First ‘policy rule ID’ in the xml wins for example?

Cheers! Paul

Microsoft

@Apemantus , to your questions:

  1. Can this be achieved in OMA-URI? -> via OMA-URI, you do not need to combine those all groups into one Groups xml or one PolicyRules xml. one OMA-URI one Group xml or one PolicyRule xml.
  2. what is the precedence mechanic? -> First, you should not have multiple policy rules for same the same USB for same user. If you have, you should combine those policy rules into one PolicyRule xml. Within the PolicyRule xml file, Device control will apply the first Entry matching condition. For example, if the first Entry is Allow Read, and the second Entry is Block Read, Read a USB will be Allowed.
  3. If a user is in multiple AD groups, which policy applies? -> Same as #2, Device control will apply the first Entry meeting condition. For example, if a user is under AD_Sid_group_A and AD_Sid_group_B, and for a CD/DVD PolcyRule, the first Entry is Block AD_Sid_group_D Write access, Block AD_Sid_group_A Execute access, Allow AD_Sid_group_B Write access. Since the user is under AD_Sid_group_A and AD_Sid_group_B but not AD_Sid_group_D, Write access will be Allowed and Execute will be Blocked.

 

Feel free to contact me if you still have question.

Senior Member

Hi 

Does this generate any notification of any sort when the block action is executed e.g. toast system generated toast notification.

Microsoft

@Olamidefountview, yes, it is more secure this way, no matter it is system or enduser trying to Write to a USB or execute a file on USB, we should enforce the policy and capture the event. Let me know if you have exception use case.

Occasional Visitor

Hello,

my previous post is lost somewhere in space so let me post it again.

 

First of all thank you for this functionality to block printers and removable mass storage with reporting to cloud console (advanced hunting).

 

Now my question and problem with implementing it:

- I have followed procedure on this page and also on MS DOC and GIT

- I have two xml files -> first for all removable mass storage as a Group and second with prohibit access policy (see below for both files)

- I have onboarded Windows 10 computer (20H2) with 4.18.2107 antimalware build as a workstation (no AD)

- I used gpedit.msc to use local GPO and located both parameters to set Group and Policy for device control

- I have both file located on local drive (e.g. C:\data\defender\usbblock\) and I put this path into both policies

- then from elevated CMD gpupdate /force

- the result is that I am still able to use USB mass storage

- I have changed in the GPO the path directly to file name and still the same => no blocking for USB mass storage

 

Group XML file:

<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
<PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId>
</DescriptorIdList>
</Group>

 

Policy file:

<PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
<Name>Block removable storage and CdRom</Name>
<IncludedIdList>
<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
</IncludedIdList>
<ExcludedIdList></ExcludedIdList>
<Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
<Type>Deny</Type>
<Options>0</Options>
<AccessMask>7</AccessMask>
</Entry>
<Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
<Type>AuditDenied</Type>
<Options>3</Options>
<AccessMask>6</AccessMask>
</Entry>
<Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
<Type>AuditDenied</Type>
<Options>1</Options>
<AccessMask>1</AccessMask>
</Entry>
</PolicyRule>

 

Can you help mi to solve the problem why it is not working to me?

 

Thank you

marek

Community Manager

@Marek_Dvorak_ Just as a heads-up, your post was not lost, but you would have received a notification upon posting that it was put in the approval queue (an automated spam quarantine), which we check manually on a daily basis and have since approved your posts.

 

Sorry if you missed that notification. I am happy to remove one of these posts if you like, but I wasn't sure if they were entirely duplicative or not. 

Occasional Visitor

Gi @Eric Starker thank you for information. Both posts are tight together and you can keep the second one, please.

 

Thank you

Marek

Community Manager

Sure thing! I've removed the first one.

Occasional Visitor

@Marek_Dvorak_ 

Please update if you happen to solve your problem.  I am testing through a similar scenario with local policy and just can't seem to get this to work at all.

 

Onboarded into Defender for Endpoint

20H2

4.18.2108.7

group and policy XMLs on local drive

%3CLINGO-SUB%20id%3D%22lingo-sub-2324806%22%20slang%3D%22en-US%22%3EProtect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2324806%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EUPDATE%3A%26nbsp%3BThe%20Printer%20protection%20is%20now%20General%20Availability.%20We%20have%20backported%20the%20feature%2C%20so%20now%20it%20supports%26nbsp%3BWindows%201809%2C%201909%2C%202004%20or%20later.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExternal%20devices%20such%20as%20USB%20and%20home%20printers%20are%20commonplace%20tools%20needed%20to%20complete%20daily%20business%20operations.%20These%20devices%20help%20employee%20productivity%2C%20but%20also%20pose%20a%20threat%20to%20enterprise%20data%20and%20serve%20as%20a%20potential%20entry%20point%20for%20malware%20and%20viruses.%20The%20move%20to%20remote%20work%20due%20to%20COVID-19%20over%20the%20last%20year%20has%20raised%20the%20risk%20to%20another%20level.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnd%20user%20activities%20represent%20one%20of%20the%20most%20common%20threat%20vectors%20and%20Microsoft%20Defender%20for%20Endpoint%20brings%20a%20compelling%20story%20for%20organizations%20looking%20to%20reduce%20their%20security%20exposure%20associated%20with%20removable%20media%20and%20printing.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20excited%20to%20announce%20new%20device%20control%20capabilities%20in%20Microsoft%20Defender%20for%20Endpoint%20to%20secure%20removable%20storage%20scenarios%20on%20Windows%20and%20macOS%20platforms%20and%20offer%20an%20additional%20layer%20of%20protection%20for%20printing%20scenarios.%20These%20new%20device%20control%20capabilities%20further%20reduce%20the%20potential%20attack%20surface%20on%20user%E2%80%99s%20machines%20and%20safeguard%20organizations%20against%20malware%20and%20data%20loss%20in%20removable%20storage%20media%20scenarios.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--469730501%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%20id%3D%22toc-hId--408812491%22%3E%3CSPAN%3EOverview%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22940%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22300px%22%3E%3CSTRONG%3EFeature%3C%2FSTRONG%3E%3C%2FTD%3E%0A%3CTD%20width%3D%22475px%22%3E%3CSTRONG%3EAvailability%3C%2FSTRONG%3E%3C%2FTD%3E%0A%3CTD%20width%3D%22240px%22%3E%3CSTRONG%3EDocumentation%3C%2FSTRONG%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22187%22%3E%3CP%3ERemovable%20storage%20access%20control%20on%20Windows%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22138%22%3E%3CP%3EGeneral%20Availability%20(Defender%20version%204.18.2106%20or%20later)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22151%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fdevice-control-removable-storage-access-control%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERemovable%20storage%20access%20control%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22137%22%3E%3CP%3ERemovable%20storage%20protection%20on%20Mac%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22138%22%3E%3CP%3EGeneral%20Availability%20(Defender%20(Mac)%20version%20101.34.20%20or%20later)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22201%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fmac-device-control-overview%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDevice%20control%20for%20macOS%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22137%22%3E%3CP%3EPrinter%20protection%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22138%22%3E%3CP%3EGeneral%20Availability%20(Windows%201809%2C%201909%2C%202004%20or%20later)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22201%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fprinter-protection%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPrinter%20protection%20on%20Windows%3C%2FA%3E%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2017782332%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%20id%3D%22toc-hId-2078700342%22%3E%3CSPAN%3EWhat%E2%80%99s%20new%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId--1586623490%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%20id%3D%22toc-hId--1525705480%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-900889343%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%20id%3D%22toc-hId-961807353%22%3E%3CSPAN%3ERemovable%20storage%20access%20control%20on%20Windows%20%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EWe%20are%20bringing%20removable%20storage%20access%20control%20capabilities%20on%20Windows%20to%20complement%20our%20existing%20device%20control%20protection%20in%20scenarios%20such%20as%20Device%20Installation%2C%20removable%20storage%20Endpoint%20DLP%2C%20and%20removable%20storage%20BitLocker.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20feature%20allows%20to%20%3CEM%3EAudit%2FAllow%2FPrevent%3C%2FEM%3E%20Read%2C%20Write%2C%20or%20Execute%20access%20to%20removable%20storage%20based%20on%20various%20device%20properties%2C%20e.g.%2C%20Vendor%20ID%2C%20Serial%20Number%2C%20Friendly%20Name%2C%20with%20or%20without%20an%20exclusion.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--906565120%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%20id%3D%22toc-hId--845647110%22%3ERemovable%20storage%20protection%20on%20Mac%3C%2FH3%3E%0A%3CP%3EWe%20also%20recently%20introduced%20removable%20storage%20protection%20capabilities%20on%20Mac.%20USB%20storage%20device%20control%20for%20Mac%20is%20designed%20to%20regulate%20the%20level%20of%20access%20given%20to%20external%20USB%20storage%20devices%20(including%20SD%20cards).%20The%20access%20level%20is%20controlled%20through%20custom%20policies.%20You%20can%20find%20more%20details%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-endpoint%2Fmac-updates-control-your-usb-devices-with-microsoft-defender-for%2Fba-p%2F2224439%22%20target%3D%22_blank%22%3EMac%20USB%20storage%20device%20control%20blog%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20capability%20supports%20Audit%20and%20Block%20enforcement%20levels.%3C%2FLI%3E%0A%3CLI%3EUSB%20device%20access%20can%20be%20set%20to%20Read%2C%20Write%2C%20Execute%2C%20No%20access.%3C%2FLI%3E%0A%3CLI%3ETo%20achieve%20a%20high%20degree%20of%20granularity%2C%20USB%20access%20level%20can%20be%20specified%20for%20Product%20ID%2C%20Vendor%20ID%2C%20and%20Serial%20Number.%3C%2FLI%3E%0A%3CLI%3EThe%20custom%20policy%20allows%20customization%20of%20the%20URL%20where%20user%20is%20redirected%20to%20when%20interacting%20with%20an%20end%20user%20facing%20%E2%80%9Cdevice%20restricted%E2%80%9D%20notification.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1580947713%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%20id%3D%22toc-hId-1641865723%22%3E%3CSPAN%3EPrinter%20protection%20on%20Windows%20%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EThe%20new%20printer%20protection%20feature%20allows%20you%20to%20block%20users%20from%20printing%20via%20a%20non-corporate%20network%20printer%20or%20non-approved%20USB%20printer.%20This%20adds%20an%20additional%20layer%20of%20security%20and%20data%20protection%20for%20work%20from%20home%20and%20remote%20work%20scenarios.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1570444609%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%20id%3D%22toc-hId-1631362619%22%3E%3CSPAN%3EGetting%20started%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%20class%3D%22GBodylist%22%3EThe%20next%20few%20sections%20will%20go%20over%20how%20to%20get%20started%20deploying%20and%20using%20the%20new%20device%20control%20capabilities.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--237009854%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%20id%3D%22toc-hId--176091844%22%3E%3CSPAN%3EHow%20to%20deploy%20removable%20storage%20access%20control%20on%20Windows%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3ERemovable%20storage%20access%20control%20policies%20can%20be%20applied%20for%20a%20user%20or%20machine%20via%20GPO%20(group%20policy%20object).%20The%20feature%20includes%20group%20configuration%20policy%20and%20access%20control%20policy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20here%20is%20the%20most%20common%20scenario%3A%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.%3C%2FP%3E%0A%3CP%3EStep%201%3A%20Create%20groups%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EGroup%201%3A%20Any%20removable%20storage%20and%20CD%2FDVD.%20An%20example%20of%20a%20removable%20storage%20and%20CD%2FDVD%20is%3A%20Group%209b28fae8-72f7-4267-a1a5-685f747a7146%20in%20the%20sample%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Ftree%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAny%20Removable%20Storage%20and%20CD-DVD%20Group.xml%3C%2FA%3E%20file.%3C%2FLI%3E%0A%3CLI%3EGroup%202%3A%20Approved%20USBs%20based%20on%20device%20properties.%20An%20example%20for%20this%20use%20case%20is%3A%20Instance%20ID%20%E2%80%93%20Group%2065fa649a-a111-4912-9294-fb6337a25038%20in%20the%20sample%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Ftree%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EApproved%20USBs%20Group.xml%3C%2FA%3E%20file.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EStep%202%3A%20Create%20policy%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EPolicy%201%3A%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.%20An%20example%20for%20this%20use%20case%20is%3A%20PolicyRule%20c544a991-5786-4402-949e-a032cb790d0e%20in%20the%20sample%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Ftree%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs%20.xml%3C%2FA%3E%20file.%3C%2FLI%3E%0A%3CLI%3EPolicy%202%3A%20Audit%20Write%20and%20Execute%20access%20to%20allowed%20USBs.%20An%20example%20for%20this%20use%20case%20is%3A%20PolicyRule%2036ae1037-a639-4cff-946b-b36c53089a4c%20in%20the%20sample%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Ftree%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScenario%201%20Audit%20Write%20and%20Execute%20access%20to%20approved%20USBs.xml%3C%2FA%3E%20file.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-453551620%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%20id%3D%22toc-hId-514469630%22%3E%3CSPAN%3EDeploy%20policy%20via%20Group%20Policy%3C%2FSPAN%3E%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%3ECombine%20all%20groups%20within%20%3CGROUPS%3E%20%3C%2FGROUPS%3E%20into%20one%20xml%20file.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThe%20following%20image%20illustrates%20the%20example%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fdevice-control-removable-storage-access-control%3Fview%3Do365-worldwide%23scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScenario%201%3A%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_0-1626453194255.png%22%20style%3D%22width%3A%20600px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296431i9996165137CF9166%2Fimage-dimensions%2F600x246%3Fv%3Dv2%22%20width%3D%22600%22%20height%3D%22246%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_0-1626453194255.png%22%20alt%3D%22Tewang_Chen_0-1626453194255.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3ECombine%20all%20rules%20within%20%3CPOLICYRULES%3E%20%3C%2FPOLICYRULES%3E%20into%20one%20xml%20file.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIf%20you%20want%20to%20restrict%20a%20specific%20user%2C%20then%20use%20SID%20property%20into%20the%20Entry.%20If%20there%20is%20no%20SID%20in%20the%20policy%20Entry%2C%20the%20Entry%20will%20be%20applied%20to%20everyone%20login%20instance%20for%20the%20machine.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20image%20illustrates%20the%20usage%20of%20SID%20property%2C%20and%20an%20example%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fdevice-control-removable-storage-access-control%3Fview%3Do365-worldwide%23scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScenario%201%3A%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_1-1626453287080.png%22%20style%3D%22width%3A%20592px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296432i0D872EE94E9501E4%2Fimage-dimensions%2F592x596%3Fv%3Dv2%22%20width%3D%22592%22%20height%3D%22596%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_1-1626453287080.png%22%20alt%3D%22Tewang_Chen_1-1626453287080.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3ESave%20both%20rule%20and%20group%20XML%20files%20on%20network%20share%20folder%20and%20put%20network%20share%20folder%20path%20into%20the%20Group%20Policy%20setting%3A%20Computer%20Configuration%20-%26gt%3B%20Administrative%20Templates%20-%26gt%3B%20Windows%20Components%20-%26gt%3B%20Microsoft%20Defender%20Antivirus%20-%26gt%3B%20Device%20Control%3A%20%E2%80%98Define%20device%20control%20policy%20groups%E2%80%99%20and%20%E2%80%98Define%20device%20control%20policy%20rules%E2%80%99.%20If%20you%20cannot%20find%20the%20policy%20configuration%20UX%20in%20the%20Group%20Policy%2C%20you%20can%20download%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Fblob%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%2FWindowsDefender.adml%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindowsDefender.adml%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fmdatp-devicecontrol%2Fblob%2Fmain%2FRemovable%2520Storage%2520Access%2520Control%2520Samples%2FWindowsDefender.admx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindowsDefender.admx%3C%2FA%3E%20file%20by%20clicking%20'Raw'%20and%20'Save%20as'.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EThe%20target%20machine%20must%20be%20able%20to%20access%20the%20network%20share%20to%20have%20the%20policy.%20However%2C%20once%20the%20policy%20is%20read%2C%20the%20network%20share%20connection%20is%20no%20longer%20required%2C%20even%20after%20machine%20reboot.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20example%20of%20configuring%20policy%20on%20Group%20Policy%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_2-1626453320757.png%22%20style%3D%22width%3A%20613px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296433i58CE21223FDBE3E8%2Fimage-dimensions%2F613x524%3Fv%3Dv2%22%20width%3D%22613%22%20height%3D%22524%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_2-1626453320757.png%22%20alt%3D%22Tewang_Chen_2-1626453320757.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1353902843%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%20id%3D%22toc-hId--1292984833%22%3E%3CSPAN%3EView%20device%20control%20data%20in%20Microsoft%20Defender%20for%20Endpoint%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EThe%20policy%20events%20can%20be%20viewed%20in%20%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20365%20Defender%3C%2FA%3E%20and%20the%20Microsoft%20Defender%20Security%20Center%20via%20advanced%20hunting.%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20advanced%20hunting%20query%20example%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_3-1626453367501.png%22%20style%3D%22width%3A%20634px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296435iBABEE6D758B23251%2Fimage-dimensions%2F634x262%3Fv%3Dv2%22%20width%3D%22634%22%20height%3D%22262%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_3-1626453367501.png%22%20alt%3D%22Tewang_Chen_3-1626453367501.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fdevice-control-removable-storage-access-control%3Fview%3Do365-worldwide%23view-device-control-removable-storage-access-control-data-in-microsoft-defender-for-endpoint%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Defender%20for%20Endpoint%20Device%20Control%20Printer%20Protection%20%7C%20Microsoft%20Docs%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-309363792%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%20id%3D%22toc-hId-370281802%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--1498090671%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%20id%3D%22toc-hId--1437172661%22%3E%3CSPAN%3EHow%20to%20protect%20removable%20storage%20on%20Mac%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%3ETo%20learn%20more%20about%20Mac%20USB%20storage%20device%20control%2C%20refer%20to%20our%20recent%26nbsp%3B%3CA%20title%3D%22Mac%20USB%20storage%20device%20control%20blog%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-endpoint%2Fmac-updates-control-your-usb-devices-with-microsoft-defender-for%2Fba-p%2F2224439%22%20target%3D%22_blank%22%3EMac%20USB%20storage%20device%20control%20blog%3C%2FA%3E.%20For%20a%20more%20in-depth%20overview%20of%20this%20capability%20and%20step%20by%20step%20guidance%20on%20configuring%20USB%20device%20control%20policies%20on%20macOS%2C%20refer%20to%20our%26nbsp%3B%3CA%20title%3D%22Mac%20USB%20device%20control%20public%20documentation%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fmac-device-control-overview%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMac%20USB%20device%20control%20public%20documentation%3C%2FA%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1118504881%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%20id%3D%22toc-hId-1179422891%22%3E%3CSPAN%3EView%20Mac%20device%20control%20data%20in%20Microsoft%20Defender%20for%20Endpoint%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EUSB%20device%20mount%2Funmount%20events%20on%20Mac%20devices%20can%20be%20viewed%20in%20Microsoft%20365%20Defender%20and%20in%20the%20Microsoft%20Defender%20Security%20Center%20via%20advanced%20hunting%20and%20in%20the%20device%20timeline.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20advanced%20hunting%20query%20example%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EDeviceEvents%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7C%20where%20ActionType%20%3D%3D%20%22UsbDriveMount%22%20or%20ActionType%20%3D%3D%20%22UsbDriveUnmount%22%20or%20ActionType%20%3D%3D%20%22UsbDriveDriveLetterChanged%22%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7C%20where%20DeviceId%20%3D%3D%20%22%3CDEVICE%20id%3D%22%22%3E%22%3C%2FDEVICE%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20that%20is%20how%20the%20above%20advanced%20hunting%20query%20looks%20like%20in%20the%20security%20center%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_4-1626453401628.png%22%20style%3D%22width%3A%20642px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296436iBE0FAED48C1C5A69%2Fimage-dimensions%2F642x247%3Fv%3Dv2%22%20width%3D%22642%22%20height%3D%22247%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_4-1626453401628.png%22%20alt%3D%22Tewang_Chen_4-1626453401628.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20example%20of%20Mac%20USB%20device%20control%20event%20in%20the%20device%20timeline%20page%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_5-1626453427502.png%22%20style%3D%22width%3A%20690px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296437i5548CB889B2E8416%2Fimage-dimensions%2F690x300%3Fv%3Dv2%22%20width%3D%22690%22%20height%3D%22300%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_5-1626453427502.png%22%20alt%3D%22Tewang_Chen_5-1626453427502.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--818032301%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%20id%3D%22toc-hId--757114291%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-1669480532%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%20id%3D%22toc-hId-1730398542%22%3E%3CSPAN%3EHow%20to%20deploy%20printer%20protection%20on%20Windows%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3ETo%20deploy%20printer%20protection%20on%20Windows%2C%20you%20can%20apply%20the%20policy%20for%20users%20or%20machines%20via%20GPO%20or%20Intune%2FOMA-URI.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--8891212%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%20id%3D%22toc-hId-52026798%22%3EDeploy%20policy%20via%20Intune%20OMA-URI%3C%2FH3%3E%0A%3CP%3EFor%20Intune%2C%20currently%20printer%20protection%20supports%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Fcustom-settings-windows-10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOpen%20Mobile%20Alliance%20Uniform%20Resource%20Identifier%20(OMA-URI)%20setting%3C%2FA%3E%20(Microsoft%20Endpoint%20Manager%20admin%20center%3A%20Devices%20-%26gt%3B%20Configuration%20profiles%20-%26gt%3B%20Create%20profile%20-%26gt%3B%20Platform%3A%20Windows%2010%20and%20later%3B%20Profile%20type%3A%20Templates%20-%26gt%3B%20Custom)%20only.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBlock%20people%20from%20printing%20via%20any%20non-corporate%20printer%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApply%20policy%20over%20machine%3A%3CUL%3E%0A%3CLI%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FPrinters%2FEnableDeviceControl%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20policy%20over%20user%3A%3CUL%3E%0A%3CLI%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FPrinters%2FEnableDeviceControlUser%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20CSP%20support%20string%20Data%20type%20with%20Value%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_6-1626453462676.png%22%20style%3D%22width%3A%20615px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296438i37032D75F4849F02%2Fimage-dimensions%2F615x209%3Fv%3Dv2%22%20width%3D%22615%22%20height%3D%22209%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_6-1626453462676.png%22%20alt%3D%22Tewang_Chen_6-1626453462676.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAllow%20specific%20approved%20USB%20printers%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApply%20policy%20over%20machine%3A%3CUL%3E%0A%3CLI%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FPrinters%2FApprovedUsbPrintDevices%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20policy%20over%20user%3A%3CUL%3E%0A%3CLI%3E.%2FVendor%2FMSFT%2FPolicy%2FConfig%2FPrinters%2FApprovedUsbPrintDevicesUser%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20CSP%20support%20string%20Data%20type%20with%20approved%20USB%20printer%20VID%2FPID%20via%20%E2%80%98ApprovedUsbPrintDevices%E2%80%99%20property%20and%20the%20property%20supports%20multiple%20VID%2FPIDs%20via%20comma.%20Currently%20does%20not%20support%20wildcard.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20is%20a%20policy%20allowing%20printing%20if%20the%20USB%20printer%20VID%2FPID%20is%20either%2003F0%2F0853%20or%200351%2F0872%20-%26nbsp%3B%3CFONT%20color%3D%22%23333399%22%3E%3CEM%3E%3CENABLED%3E%3C%2FENABLED%3E%3CDATA%20id%3D%22%26quot%3BApprovedUsbPrintDevices_List%26quot%3B%22%20value%3D%22%26quot%3B03F0%2F0853%2C0351%2F0872%26quot%3B%2F%22%3E%3C%2FDATA%3E%3C%2FEM%3E%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_7-1626453565826.png%22%20style%3D%22width%3A%20583px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296440i2944FA4BDCE542C6%2Fimage-dimensions%2F583x596%3Fv%3Dv2%22%20width%3D%22583%22%20height%3D%22596%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_7-1626453565826.png%22%20alt%3D%22Tewang_Chen_7-1626453565826.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1816345675%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%20id%3D%22toc-hId--1755427665%22%3E%3CSPAN%3EDeploy%20policy%20via%20Group%20Policy%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EBlock%20people%20from%20printing%20via%20any%20non-corporate%20printer%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApply%20policy%20over%20machine%3A%3CUL%3E%0A%3CLI%3EComputer%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Printer%3A%20Enable%20Device%20control%20Printing%20Restrictions%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20policy%20over%20user%3A%3CUL%3E%0A%3CLI%3EUser%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Control%20Panel%20%26gt%3B%20Printers%3A%20Enable%20Device%20control%20Printing%20Restrictions%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFollowing%20is%20an%20example%20of%20configuring%20the%20policy%20in%20Group%20Policy%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_8-1626453596023.png%22%20style%3D%22width%3A%20577px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296441i063663A41D591912%2Fimage-dimensions%2F577x418%3Fv%3Dv2%22%20width%3D%22577%22%20height%3D%22418%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_8-1626453596023.png%22%20alt%3D%22Tewang_Chen_8-1626453596023.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAllow%20specific%20approved%20USB%20printers%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EApply%20policy%20over%20machine%3A%3CUL%3E%0A%3CLI%3EComputer%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Printer%3A%20List%20of%20Approved%20USB-connected%20print%20devices%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EApply%20policy%20over%20user%3A%3CUL%3E%0A%3CLI%3EUser%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Control%20Panel%20%26gt%3B%20Printers%3A%20List%20of%20Approved%20USB-connected%20print%20devices%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFollowing%20is%20an%20example%20allowing%20printing%20if%20the%20USB%20printer%20VID%2FPID%20is%20either%2003F0%2F0853%20or%200351%2F0872%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_9-1626453625977.png%22%20style%3D%22width%3A%20599px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296442i466A6575BE481335%2Fimage-dimensions%2F599x433%3Fv%3Dv2%22%20width%3D%22599%22%20height%3D%22433%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_9-1626453625977.png%22%20alt%3D%22Tewang_Chen_9-1626453625977.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-671167158%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%20id%3D%22toc-hId-732085168%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1136287305%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%20id%3D%22toc-hId--1075369295%22%3E%3CSPAN%3EView%20device%20control%20data%20in%20Microsoft%20Defender%20for%20Endpoint%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3EThe%20policy%20events%20can%20be%20viewed%20in%20%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20365%20Defender%3C%2FA%3E%20and%20the%20Microsoft%20Defender%20Security%20Center%20via%20advanced%20hunting.%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20advanced%20hunting%20query%20example%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tewang_Chen_10-1626453655550.png%22%20style%3D%22width%3A%20644px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296443iB2833C26364A7A0D%2Fimage-dimensions%2F644x232%3Fv%3Dv2%22%20width%3D%22644%22%20height%3D%22232%22%20role%3D%22button%22%20title%3D%22Tewang_Chen_10-1626453655550.png%22%20alt%3D%22Tewang_Chen_10-1626453655550.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%2C%20see%20our%20documentation%3A%20%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fprinter-protection%3Fview%3Do365-21vianet%26amp%3Bbranch%3Dpr-en-us-8086%23view-device-control-printer-protection-data-in-microsoft-defender-for-endpoint-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Defender%20for%20Endpoint%20Device%20Control%20Printer%20Protection%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99re%20excited%20to%20deliver%20these%20new%20device%20control%20functionalities%20to%20you.%20To%20experience%20these%20capabilities%20in%20public%20preview%2C%20we%20encourage%20you%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eturn%20on%20preview%20features%3C%2FA%3E%26nbsp%3Bfor%20Microsoft%20Defender%20for%20Endpoint%20today.%20As%20always%2C%20we%20welcome%20your%20feedback%20and%20look%20forward%20to%20hearing%20from%20you!%20You%20can%20submit%20feedback%20directly%20to%20our%20team%20through%20the%20portal.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EMicrosoft%20Defender%20for%20Endpoint%20is%20an%20industry-leading%2C%20cloud-powered%20endpoint%20security%20solution%20offering%20vulnerability%20management%2C%20endpoint%20protection%2C%20endpoint%20detection%20and%20response%2C%20and%20mobile%20threat%20defense%26nbsp%3Bin%20a%20single%20unified%20platform.%20With%20our%20solution%2C%20threats%20are%20no%20match.%20If%20you%20are%20not%20yet%20taking%20advantage%20of%20Microsoft%E2%80%99s%20unrivaled%20threat%20optics%20and%20proven%20capabilities%2C%E2%80%AF%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Fendpoint-defender%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CEM%3Esign%20up%20for%20a%20free%20trial%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%E2%80%AFof%20Microsoft%20Defender%20for%20Endpoint%20today.%3C%2FEM%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EMicrosoft%20Defender%20for%20Endpoint%20team%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2324806%22%20slang%3D%22en-US%22%3E%3CP%3ENew%20device%20control%20capabilities%20help%20protect%20your%20removable%20storage%20and%20printers.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2324806%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDevice%20control%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEndpoint%20DLP%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2706907%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2706907%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%20the%20example%20that%20is%20provided%20for%20the%20device%20control%20via%20group%20policy%20has%20multiple%20%E2%80%98policy%20rule%20IDs%E2%80%99.%20Which%20looks%20good%20for%20multiple%20%E2%80%98whitelist%E2%80%99%20permission%20AD%20groups%20(Sids).%20E.g.%20%26nbsp%3BUSB%20group%201%2C%20USB%20group%202%2C%20camera%20users%2C%20CDwriter%20etc.%20Can%20this%20be%20achieved%20in%20OMA-URI%3F%20As%20it%20looks%20like%20each%20%E2%80%98policy%20rule%20ID%E2%80%99%20needs%20a%20separate%20OMA-URI%20profile%2C%20as%20each%20%E2%80%98policy%20rule%20ID%E2%80%99%20makes%20up%20part%20of%20the%20OMA-URI%20line%20in%20the%20setup%20in%20Intune.%20In%20which%20case%2C%20what%20is%20the%20precedence%20mechanic%3F%20If%20a%20user%20is%20in%20multiple%20AD%20groups%2C%20which%20policy%20applies%3F%20E.g.%20a%20USB%20and%20CDwriter%20user.%20And%20what%20is%20the%20precedence%20for%20conflicts%20for%20the%20group%20policy%20XML%3F%20First%20%E2%80%98policy%20rule%20ID%E2%80%99%20in%20the%20xml%20wins%20for%20example%3F%3C%2FP%3E%3CP%3ECheers!%20Paul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2734565%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2734565%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F399045%22%20target%3D%22_blank%22%3E%40Apemantus%3C%2FA%3E%26nbsp%3B%2C%20to%20your%20questions%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3ECan%20this%20be%20achieved%20in%20OMA-URI%3F%20-%26gt%3B%20via%20OMA-URI%2C%20you%20do%20not%20need%20to%20combine%20those%20all%20groups%20into%20one%20Groups%20xml%20or%20one%20PolicyRules%20xml.%20one%20OMA-URI%20one%20Group%20xml%20or%20one%26nbsp%3BPolicyRule%20xml.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%20what%20is%20the%20precedence%20mechanic%3F%20-%26gt%3B%20First%2C%20you%20should%20not%20have%20multiple%20policy%20rules%20for%20same%20the%20same%20USB%20for%20same%20user.%20If%20you%20have%2C%20you%20should%20combine%20those%20policy%20rules%20into%20one%26nbsp%3BPolicyRule%20xml.%20Within%20the%26nbsp%3BPolicyRule%20xml%20file%2C%20Device%20control%20will%20apply%20the%20first%20Entry%20matching%20condition.%20For%20example%2C%20if%20the%20first%20Entry%20is%20Allow%20Read%2C%20and%20the%20second%20Entry%20is%20Block%20Read%2C%20Read%20a%20USB%20will%20be%20Allowed.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EIf%20a%20user%20is%20in%20multiple%20AD%20groups%2C%20which%20policy%20applies%3F%20-%26gt%3B%20Same%20as%20%232%2C%20Device%20control%20will%20apply%20the%20first%20Entry%20meeting%20condition.%20For%20example%2C%20if%20a%20user%20is%20under%20AD_Sid_group_A%20and%20AD_Sid_group_B%2C%20and%20for%20a%20CD%2FDVD%20PolcyRule%2C%20the%20first%20Entry%20is%20Block%20AD_Sid_group_D%20Write%20access%2C%20Block%20AD_Sid_group_A%20Execute%20access%2C%20Allow%20AD_Sid_group_B%20Write%20access.%20Since%20the%20user%20is%20under%26nbsp%3BAD_Sid_group_A%20and%26nbsp%3BAD_Sid_group_B%20but%20not%26nbsp%3BAD_Sid_group_D%2C%20Write%20access%20will%20be%20Allowed%20and%20Execute%20will%20be%20Blocked.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFeel%20free%20to%20contact%20me%20if%20you%20still%20have%20question.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2739388%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2739388%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20generate%20any%20notification%20of%20any%20sort%20when%20the%20block%20action%20is%20executed%20e.g.%20toast%20system%20generated%20toast%20notification.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2741495%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2741495%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F453686%22%20target%3D%22_blank%22%3E%40Olamidefountview%3C%2FA%3E%2C%20yes%2C%20it%20is%20more%20secure%20this%20way%2C%20no%20matter%20it%20is%20system%20or%20enduser%20trying%20to%20Write%20to%20a%20USB%20or%20execute%20a%20file%20on%20USB%2C%20we%20should%20enforce%20the%20policy%20and%20capture%20the%20event.%20Let%20me%20know%20if%20you%20have%20exception%20use%20case.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2754867%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2754867%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3Efirst%20of%20all%20thanks%20for%20this%20activity%20and%20approach.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20question%20related%20to%20this%20functionality%20-%20in%20reality%20I%20am%20completely%20lost%20because%20lack%20of%20clear%20information%20from%20MS%20side.%20Let%20me%20describe%20the%20testing%20enviornment%3A%3C%2FP%3E%3CP%3E-%201%20computer%20in%20workgroup%20(no%20AD)%20enrolled%20to%20Defender%20for%20Endpoint%20(no%20E5%20license%20just%20Defender%20for%20Endpoint%20product%20license%20only)%3C%2FP%3E%3CP%3E-%20local%20GPO%20-%26gt%3B%20gpedit.msc%20where%20I%20have%20inbuild%20policies%20for%20setting%20path%20to%20XML%20(Group%20and%20Policy)%3C%2FP%3E%3CP%3E-%20W10%20with%20recent%20OS%20platform%20update%20and%20Defender%20with%202.18.2108%20updates%3C%2FP%3E%3CP%3E-%20I%20took%20your%20example%20files%20and%20configured%20one%20Group%20XML%20file%20and%20one%20policy%20file%20%3D%26gt%3B%20target%20goal%20now%20is%20to%20block%20every%20removable%20device%20for%20all%20users%20on%20computer%3C%2FP%3E%3CP%3E-%20I%20put%20the%20LOCAL%20path%20(e.g.%20c%3A%5Cdata%5Cdefender%5Cblah%20bla%5C%20)%20into%20local%20GPO%20policy%20%3D%26gt%3B%20saved%20policy%2C%20in%20cmd%20gpupdate%20%2Fforce%20(with%20elevated%20rights)%20and%20...%20nothing%20happen%20I%20can%20connect%20USB%20removable%20drives%20w%2Fo%20any%20problems%3C%2FP%3E%3CP%3E-%20I%20put%20the%20same%20as%20in%20previous%20point%20but%20with%20direct%20path%20to%20the%20XML%20files%20%3D%26gt%3Bwith%20the%20same%20results%3C%2FP%3E%3CP%3E-%20I%20tried%20to%20the%20both%20use%20cases%20after%20reboot%20%3D%26gt%3B%20the%20same%20result%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20a%20Group%20XML%20file%3C%2FP%3E%3CP%3E%3CGROUP%20id%3D%22%26quot%3B%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D%26quot%3B%22%3E%3CBR%20%2F%3E%3C!--%20.%2FVendor%2FMSFT%2FDefender%2FConfiguration%2FDeviceControl%2FPolicyGroups%2F%257b9b28fae8-72f7-4267-a1a5-685f747a7146%257d%2FGroupData%20--%3E%3CBR%20%2F%3E%3CMATCHTYPE%3EMatchAny%3C%2FMATCHTYPE%3E%3CBR%20%2F%3E%3CDESCRIPTORIDLIST%3E%3CBR%20%2F%3E%3CPRIMARYID%3ERemovableMediaDevices%3C%2FPRIMARYID%3E%3CBR%20%2F%3E%3CPRIMARYID%3ECdRomDevices%3C%2FPRIMARYID%3E%3CBR%20%2F%3E%3CPRIMARYID%3EWpdDevices%3C%2FPRIMARYID%3E%3CBR%20%2F%3E%3C%2FDESCRIPTORIDLIST%3E%3CBR%20%2F%3E%3C%2FGROUP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20a%20policy%20file%3A%3C%2FP%3E%3CP%3E%3CPOLICYRULE%20id%3D%22%26quot%3B%7Bd2193a7f-ceec-4729-a72a-fe949639db55%7D%26quot%3B%22%3E%3CBR%20%2F%3E%3CNAME%3EBlock%20removable%20storage%20and%20CdRom%3C%2FNAME%3E%3CBR%20%2F%3E%3CINCLUDEDIDLIST%3E%3CBR%20%2F%3E%3CGROUPID%3E%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D%3C%2FGROUPID%3E%3CBR%20%2F%3E%3C%2FINCLUDEDIDLIST%3E%3CBR%20%2F%3E%3CEXCLUDEDIDLIST%3E%3C%2FEXCLUDEDIDLIST%3E%3CBR%20%2F%3E%3CENTRY%20id%3D%22%26quot%3B%7Bc1adfc3e-0347-4096-88c3-6e0777b2a15b%7D%26quot%3B%22%3E%3CBR%20%2F%3E%3CTYPE%3EDeny%3C%2FTYPE%3E%3CBR%20%2F%3E%3COPTIONS%3E0%3C%2FOPTIONS%3E%3CBR%20%2F%3E%3CACCESSMASK%3E7%3C%2FACCESSMASK%3E%3CBR%20%2F%3E%3C%2FENTRY%3E%3CBR%20%2F%3E%3CENTRY%20id%3D%22%26quot%3B%7Bfee5f127-951b-4ece-9196-fa1c9ff21678%7D%26quot%3B%22%3E%3CBR%20%2F%3E%3CTYPE%3EAuditDenied%3C%2FTYPE%3E%3CBR%20%2F%3E%3COPTIONS%3E3%3C%2FOPTIONS%3E%3CBR%20%2F%3E%3CACCESSMASK%3E6%3C%2FACCESSMASK%3E%3CBR%20%2F%3E%3C%2FENTRY%3E%3CBR%20%2F%3E%3CENTRY%20id%3D%22%26quot%3B%7Bad04437c-e279-41a3-8a1a-b76b7e35bce5%7D%26quot%3B%22%3E%3CBR%20%2F%3E%3CTYPE%3EAuditDenied%3C%2FTYPE%3E%3CBR%20%2F%3E%3COPTIONS%3E1%3C%2FOPTIONS%3E%3CBR%20%2F%3E%3CACCESSMASK%3E1%3C%2FACCESSMASK%3E%3CBR%20%2F%3E%3C%2FENTRY%3E%3CBR%20%2F%3E%3C%2FPOLICYRULE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20help%20me%20what's%20wrong%3F%20Those%20XML%20files%20are%20fully%20working%20to%20my%20colleagues%20but%20with%20Intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3CP%3Emarek%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2757022%22%20slang%3D%22en-US%22%3ERe%3A%20Protect%20your%20removable%20storage%20and%20printers%20with%20Microsoft%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2757022%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1157473%22%20target%3D%22_blank%22%3E%40Marek_Dvorak_%3C%2FA%3E%26nbsp%3BJust%20as%20a%20heads-up%2C%20your%20post%20was%20not%20lost%2C%20but%20you%20would%20have%20received%20a%20notification%20upon%20posting%20that%20it%20was%20put%20in%20the%20approval%20queue%20(an%20automated%20spam%20quarantine)%2C%20which%20we%20check%20manually%20on%20a%20daily%20basis%20and%20have%20since%20approved%20your%20posts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESorry%20if%20you%20missed%20that%20notification.%20I%20am%20happy%20to%20remove%20one%20of%20these%20posts%20if%20you%20like%2C%20but%20I%20wasn't%20sure%20if%20they%20were%20entirely%20duplicative%20or%20not.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 26 2021 09:10 AM
Updated by: