Protect your removable storage and printers with Microsoft Defender for Endpoint
Published Jul 19 2021 11:07 AM 35.3K Views
Microsoft

UPDATE: Printer protection is now generally available. We have backported the feature, so it now supports Windows 1809, 1909, 2004 or later.

 

External devices such as USB drives and home printers are commonplace tools used to complete daily business operations. They help employee productivity, but they also pose a threat to enterprise data and serve as a potential entry point for malware. The move to remote work due to COVID-19 over the last year has raised the risk to another level.

 

End user activity is one of the most common threat vectors, and Microsoft Defender for Endpoint gives organizations a way to reduce the security exposure associated with removable media and printing.

 

We are excited to announce new device control capabilities in Microsoft Defender for Endpoint that secure removable storage scenarios on Windows and macOS and add a layer of protection for printing. These capabilities further reduce the attack surface on users' machines and safeguard organizations against malware and data loss through removable storage media.

 

Overview

 

Feature | Availability | Documentation
Removable storage access control on Windows | General Availability (Defender version 4.18.2106 or later) | Removable storage access control
Removable storage protection on Mac | General Availability (Defender (Mac) version 101.34.20 or later) | Device control for macOS
Printer protection | General Availability (Windows 1809, 1909, 2004 or later) | Printer protection on Windows

 

What’s new

 

Removable storage access control on Windows

We are bringing removable storage access control capabilities on Windows to complement our existing device control protection in scenarios such as Device Installation, removable storage Endpoint DLP, and removable storage BitLocker.

 

The new feature lets you Audit, Allow, or Prevent Read, Write, or Execute access to removable storage based on device properties such as Vendor ID, Serial Number, or Friendly Name, with or without an exclusion list.

 

Removable storage protection on Mac

We also recently introduced removable storage protection capabilities on Mac. USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies. You can find more details in our Mac USB storage device control blog.

 

  • The capability supports Audit and Block enforcement levels.
  • USB device access can be set to Read, Write, Execute, No access.
  • To achieve a high degree of granularity, USB access level can be specified for Product ID, Vendor ID, and Serial Number.
  • The custom policy allows customization of the URL to which the user is redirected when interacting with the end user facing “device restricted” notification.

 

Printer protection on Windows

The new printer protection feature lets you block users from printing via a non-corporate network printer or a non-approved USB printer. This adds a layer of security and data protection for work from home and remote work scenarios.

 

Getting started

The next few sections will go over how to get started deploying and using the new device control capabilities.

 

How to deploy removable storage access control on Windows

Removable storage access control policies can be applied to a user or a machine via GPO (group policy object). A policy consists of two parts: a group definition (which devices the policy covers) and an access control rule (what access those devices get).

 

For example, here is the most common scenario: Prevent Write and Execute access to all but allow specific approved USBs.

Step 1: Create groups

  • Group 1: Any removable storage and CD/DVD. An example is Group 9b28fae8-72f7-4267-a1a5-685f747a7146 in the sample 'Any Removable Storage and CD-DVD Group.xml' file.
  • Group 2: Approved USBs, matched on device properties. An example for this use case is the Instance ID based Group 65fa649a-a111-4912-9294-fb6337a25038 in the sample 'Approved USBs Group.xml' file.

Step 2: Create policy

 

 

Deploy policy via Group Policy

  1. Combine all groups into one XML file, inside a single <Groups> </Groups> parent node.

The following image illustrates the example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_0-1626453194255.png

 

 

  2. Combine all rules into one XML file, inside a single <PolicyRules> </PolicyRules> parent node.

To restrict a specific user or group, put its SID in the Entry. If an Entry has no SID, it applies to every logon session on the machine.

 

The following image illustrates the usage of SID property, and an example of Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs.

Tewang_Chen_1-1626453287080.png

 

 

  3. Save both the rule and the group XML files on a network share folder and put the path to each XML file into the corresponding Group Policy setting: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: ‘Define device control policy groups’ and ‘Define device control policy rules’. If you cannot find the policy configuration UX in Group Policy, download the WindowsDefender.adml and WindowsDefender.admx files by clicking 'Raw' and 'Save as'.

The target machine must be able to reach the network share in order to read the policy. Once the policy has been read, the share connection is no longer required, even after a reboot. Because the files on the share define the policy, restrict write access to that share to the administrators who maintain it; anyone who can modify the XML files can change what the endpoints enforce.
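The following PowerShell script is an added example, not code from the original post: it generates the two XML files for Scenario 1 (prevent Write and Execute on all removable storage, but allow specific approved USBs), with fresh GUIDs, an optional SID restriction on the entries, and a parse check before the files are written to the share. The element names InstancePathId and Sid, the share path, the instance paths and the SID are assumptions and placeholders that you must replace with your own values.

```powershell
# Added example, not code from the original post: builds Groups.xml and
# PolicyRules.xml for Scenario 1 (prevent Write and Execute on all removable
# storage, but allow specific approved USBs) and writes them to the share the
# 'Define device control policy groups / rules' settings point at.
# Assumptions not stated on the page: the element names InstancePathId and
# Sid follow the Defender device-control XML schema; the share path, instance
# paths and SID below are placeholders.
param(
    [string]$ShareRoot = '\\fileserver\DeviceControl',          # placeholder UNC path
    [string[]]$ApprovedInstancePaths = @(                        # placeholder devices
        'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0123456789ABCDEF&0',
        'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001234567890123&0'
    ),
    [string]$RestrictToSid = ''                                  # e.g. an AD group SID; empty = everyone
)

# Group, PolicyRule and Entry IDs are arbitrary GUIDs in braces; generate
# fresh ones instead of reusing the IDs from the documentation samples.
function New-BracedGuid { '{' + [guid]::NewGuid().ToString() + '}' }

# Builds one <Entry>. AccessMask bits: 1 = Read, 2 = Write, 4 = Execute.
# Options: 0 = none, 1 = show notification, 2 = send event, 3 = both.
# The <Sid> child is emitted only when a SID is supplied; without it the Entry
# applies to every logon on the machine.
function New-EntryXml {
    param([string]$Type, [int]$Options, [int]$AccessMask, [string]$Sid)
    $lines = @("    <Entry Id=`"$(New-BracedGuid)`">", "      <Type>$Type</Type>")
    if ($Sid) { $lines += "      <Sid>$Sid</Sid>" }
    $lines += "      <Options>$Options</Options>", "      <AccessMask>$AccessMask</AccessMask>", "    </Entry>"
    return ($lines -join "`n")
}

$allStorageGroupId = New-BracedGuid   # Group 1: any removable storage, CD/DVD, WPD
$approvedGroupId   = New-BracedGuid   # Group 2: the approved sticks
$ruleId            = New-BracedGuid

# Instance paths contain '&', so XML-escape them before embedding.
$approvedDescriptors = ($ApprovedInstancePaths | ForEach-Object {
    "      <InstancePathId>$([System.Security.SecurityElement]::Escape($_))</InstancePathId>"
}) -join "`n"

$groupsXml = @"
<Groups>
  <Group Id="$allStorageGroupId">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="$approvedGroupId">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
$approvedDescriptors
    </DescriptorIdList>
  </Group>
</Groups>
"@

# One rule: include Group 1, exclude Group 2, deny Write+Execute (mask 6) and
# audit the denials with notification plus event (Options 3).
$rulesXml = @"
<PolicyRules>
  <PolicyRule Id="$ruleId">
    <Name>Block Write and Execute on removable storage except approved USBs</Name>
    <IncludedIdList>
      <GroupId>$allStorageGroupId</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>$approvedGroupId</GroupId>
    </ExcludedIdList>
$(New-EntryXml -Type 'Deny' -Options 0 -AccessMask 6 -Sid $RestrictToSid)
$(New-EntryXml -Type 'AuditDenied' -Options 3 -AccessMask 6 -Sid $RestrictToSid)
  </PolicyRule>
</PolicyRules>
"@

# Parse both documents before writing so a malformed file fails here rather
# than silently on the endpoint.
$null = [xml]$groupsXml
$null = [xml]$rulesXml

$groupsPath = Join-Path $ShareRoot 'Groups.xml'
$rulesPath  = Join-Path $ShareRoot 'PolicyRules.xml'
Set-Content -Path $groupsPath -Value $groupsXml -Encoding UTF8
Set-Content -Path $rulesPath  -Value $rulesXml  -Encoding UTF8

Write-Host "Define device control policy groups -> $groupsPath"
Write-Host "Define device control policy rules  -> $rulesPath"
```

Run it once on an admin workstation, then point the two Group Policy settings at the printed paths. The approved sticks are excluded from the deny rule rather than given a separate Allow rule, so they are never evaluated against the block; the AuditDenied entry with Options 3 is what produces both the user notification and the advanced hunting event for every blocked Write or Execute.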

 

Here is an example of configuring policy on Group Policy:

Tewang_Chen_2-1626453320757.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

 

Tewang_Chen_3-1626453367501.png

 

 

For more information, see Microsoft Defender for Endpoint Device Control Removable Storage Access Control | Microsoft Docs.

 

 

How to protect removable storage on Mac

To learn more about Mac USB storage device control, refer to our recent Mac USB storage device control blog. For a more in-depth overview of this capability and step by step guidance on configuring USB device control policies on macOS, refer to our Mac USB device control public documentation.

 

View Mac device control data in Microsoft Defender for Endpoint

USB device mount/unmount events on Mac devices can be viewed in Microsoft 365 Defender and in the Microsoft Defender Security Center via advanced hunting and in the device timeline.

 

Here is an advanced hunting query example:

 

DeviceEvents
    | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
    | where DeviceId == "<device ID>"

 

This is how the query above looks in the security center:

Tewang_Chen_4-1626453401628.png

 

Here is an example of Mac USB device control event in the device timeline page:

Tewang_Chen_5-1626453427502.png

 

 

How to deploy printer protection on Windows

To deploy printer protection on Windows, apply the policy to users or machines via GPO or via Intune (OMA-URI).

 

Deploy policy via Intune OMA-URI

For Intune, printer protection currently supports only the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting (Microsoft Endpoint Manager admin center: Devices -> Configuration profiles -> Create profile -> Platform: Windows 10 and later; Profile type: Templates -> Custom).

 

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser

The CSP takes the string data type. The value to enter is shown in the following screenshot:

Tewang_Chen_6-1626453462676.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
  • Apply policy over user:
    • ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser

The CSP takes the string data type. Approved USB printers are listed by VID/PID in the ‘ApprovedUsbPrintDevices’ property; multiple VID/PIDs are separated by commas. Wildcards are currently not supported.

 

The following policy allows printing only if the USB printer's VID/PID is either 03F0/0853 or 0351/0872: <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>

Tewang_Chen_7-1626453565826.png
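The script below is an added example and not part of the original post. It discovers the VID/PID of the USB devices attached to a reference machine with the built-in Get-PnpDevice cmdlet, then builds the approved-printer list in the exact comma-separated VVVV/PPPP form the ‘ApprovedUsbPrintDevices’ property expects, rejecting wildcards and malformed entries before they reach Intune or Group Policy. The 'USB\VID_*' instance-ID filter is an assumption (it relies on a USB printer's parent USB device carrying the VID/PID), so review the table it prints before approving anything.

```powershell
# Added example, not code from the original post: discovers the VID/PID of
# USB devices on a reference machine and builds the ApprovedUsbPrintDevices
# value in the form the CSP expects ("VVVV/PPPP,VVVV/PPPP", no wildcards).
# Get-PnpDevice is the built-in PnpDevice module cmdlet; the 'USB\VID_*'
# filter is an assumption (a USB printer's parent USB device carries the
# VID/PID), so review the table before approving anything.

# Extracts "VID_xxxx&PID_yyyy" from a PnP instance ID as "XXXX/YYYY".
function ConvertTo-VidPid {
    param([Parameter(Mandatory)][string]$InstanceId)
    if ($InstanceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        return ('{0}/{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper())
    }
    return $null
}

# Validates each entry and joins the list. The page states wildcards are not
# supported, so anything other than 4 hex / 4 hex is rejected up front.
function New-ApprovedUsbPrintDevicesValue {
    param([Parameter(Mandatory)][string[]]$VidPid)
    foreach ($entry in $VidPid) {
        if ($entry -notmatch '^[0-9A-F]{4}/[0-9A-F]{4}$') {
            throw "Invalid entry '$entry': expected VVVV/PPPP in upper-case hex; wildcards are not supported"
        }
    }
    $list = ($VidPid | Select-Object -Unique) -join ','
    # The same list goes into the GPO setting and, wrapped as below, into the
    # Intune custom OMA-URI (string data type). Note the self-closing <enabled/>.
    return [pscustomobject]@{
        GpoList = $list
        OmaUri  = "<enabled/><data id=`"ApprovedUsbPrintDevices_List`" value=`"$list`"/>"
    }
}

# Candidate devices currently attached to this machine.
$candidates = Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\VID_*' } |
    ForEach-Object {
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            Class        = $_.Class
            Status       = $_.Status
            VidPid       = ConvertTo-VidPid -InstanceId $_.InstanceId
        }
    } | Where-Object { $_.VidPid }
$candidates | Format-Table -AutoSize

# Constructed input: the two VID/PIDs used in the post. Replace them with the
# entries you approved from the table above.
$approved = New-ApprovedUsbPrintDevicesValue -VidPid @('03F0/0853', '0351/0872')
$approved.GpoList   # value for 'List of Approved USB-connected print devices'
$approved.OmaUri    # value for ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
```

Keep the approved list short and deliberate: each VID/PID admits every printer model sharing that identifier, not one physical device, so an entry added "just in case" widens the exception for the whole fleet the policy applies to.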

 

 

Deploy policy via Group Policy

Block people from printing via any non-corporate printer

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: Enable Device control Printing Restrictions
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: Enable Device control Printing Restrictions

The following is an example of configuring the policy in Group Policy:

Tewang_Chen_8-1626453596023.png

 

 

Allow specific approved USB printers

  • Apply policy over machine:
    • Computer Configuration > Administrative Templates > Printer: List of Approved USB-connected print devices
  • Apply policy over user:
    • User Configuration > Administrative Templates > Control Panel > Printers: List of Approved USB-connected print devices

The following is an example allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872:

Tewang_Chen_9-1626453625977.png

 

 

View device control data in Microsoft Defender for Endpoint

The policy events can be viewed in Microsoft 365 Defender and the Microsoft Defender Security Center via advanced hunting.

Here is an advanced hunting query example:

Tewang_Chen_10-1626453655550.png

 

 

For more information, see our documentation: Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs

 

 

We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.  

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today. 

 

Microsoft Defender for Endpoint team

54 Comments
Copper Contributor

Hi there, the example that is provided for the device control via group policy has multiple ‘policy rule IDs’, which looks good for multiple ‘whitelist’ permission AD groups (SIDs), e.g. USB group 1, USB group 2, camera users, CD writer etc. Can this be achieved in OMA-URI? As it looks like each ‘policy rule ID’ needs a separate OMA-URI profile, as each ‘policy rule ID’ makes up part of the OMA-URI line in the setup in Intune. In which case, what is the precedence mechanic? If a user is in multiple AD groups, which policy applies? E.g. a USB and CD writer user. And what is the precedence for conflicts in the group policy XML? First ‘policy rule ID’ in the XML wins, for example?

Cheers! Paul

Microsoft

@Apemantus , to your questions:

  1. Can this be achieved in OMA-URI? -> Via OMA-URI, you do not need to combine all the groups into one Groups xml or one PolicyRules xml: one OMA-URI per Group xml or per PolicyRule xml.
  2. What is the precedence mechanic? -> First, you should not have multiple policy rules for the same USB for the same user. If you have, you should combine those policy rules into one PolicyRule xml. Within the PolicyRule xml file, Device control will apply the first Entry matching the condition. For example, if the first Entry is Allow Read and the second Entry is Block Read, Read on a USB will be Allowed.
  3. If a user is in multiple AD groups, which policy applies? -> Same as #2, Device control will apply the first Entry meeting the condition. For example, if a user is under AD_Sid_group_A and AD_Sid_group_B, and for a CD/DVD PolicyRule the first Entry is Block AD_Sid_group_D Write access, Block AD_Sid_group_A Execute access, Allow AD_Sid_group_B Write access: since the user is under AD_Sid_group_A and AD_Sid_group_B but not AD_Sid_group_D, Write access will be Allowed and Execute will be Blocked.

 

Feel free to contact me if you still have question.

Copper Contributor

Hi 

Does this generate any notification of any sort when the block action is executed e.g. toast system generated toast notification.

Microsoft

@Olamidefountview, yes, it is more secure this way: no matter whether it is the system or an end user trying to Write to a USB or execute a file on a USB, we should enforce the policy and capture the event. Let me know if you have an exception use case.

Copper Contributor

Hello,

my previous post is lost somewhere in space so let me post it again.

 

First of all thank you for this functionality to block printers and removable mass storage with reporting to cloud console (advanced hunting).

 

Now my question and problem with implementing it:

- I have followed procedure on this page and also on MS DOC and GIT

- I have two xml files -> first for all removable mass storage as a Group and second with prohibit access policy (see below for both files)

- I have onboarded Windows 10 computer (20H2) with 4.18.2107 antimalware build as a workstation (no AD)

- I used gpedit.msc to use local GPO and located both parameters to set Group and Policy for device control

- I have both file located on local drive (e.g. C:\data\defender\usbblock\) and I put this path into both policies

- then from elevated CMD gpupdate /force

- the result is that I am still able to use USB mass storage

- I have changed in the GPO the path directly to file name and still the same => no blocking for USB mass storage

 

Group XML file:

<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
    <PrimaryId>CdRomDevices</PrimaryId>
    <PrimaryId>WpdDevices</PrimaryId>
  </DescriptorIdList>
</Group>

 

Policy file:

<PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
  <Name>Block removable storage and CdRom</Name>
  <IncludedIdList>
    <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
  </IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>7</AccessMask>
  </Entry>
  <Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
    <Type>AuditDenied</Type>
    <Options>3</Options>
    <AccessMask>6</AccessMask>
  </Entry>
  <Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
    <Type>AuditDenied</Type>
    <Options>1</Options>
    <AccessMask>1</AccessMask>
  </Entry>
</PolicyRule>

 

Can you help mi to solve the problem why it is not working to me?

 

Thank you

marek

Community Manager

@Marek_Dvorak_ Just as a heads-up, your post was not lost, but you would have received a notification upon posting that it was put in the approval queue (an automated spam quarantine), which we check manually on a daily basis and have since approved your posts.

 

Sorry if you missed that notification. I am happy to remove one of these posts if you like, but I wasn't sure if they were entirely duplicative or not. 

Copper Contributor

Hi @Eric Starker, thank you for the information. Both posts are tied together, and you can keep the second one, please.

 

Thank you

Marek

Community Manager

Sure thing! I've removed the first one.

Copper Contributor

@Marek_Dvorak_ 

Please update if you happen to solve your problem.  I am testing through a similar scenario with local policy and just can't seem to get this to work at all.

 

Onboarded into Defender for Endpoint

20H2

4.18.2108.7

group and policy XMLs on local drive

Microsoft

@Marek_Dvorak_, thanks for trying the feature. I see two errors in the XML files:

1. Since you are using Group Policy to deploy/manage the policy, you have to put Group into Groups and PolicyRule into PolicyRules:

 - "If you are deploying and managing the policy via Group Policy, please make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule per XML file and, same thing, one Group per XML file."

If you are using Intune OMA-URI, then you do not need to put them into <PolicyRules> and <Groups>.

2. In the PolicyRule, I see the Options value is 1 for the AccessMask == 1 (Read). For Read access, 1/notification is meaningless; you should either remove this Entry or set 2 to have an event in advanced hunting.

 

Feel free to take a look at the Q&A section Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m..., it includes most common issues we have heard from customers.

 

I updated your policy; try it and let me know if it still does not work:

<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>

 

<PolicyRules>
  <PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
    <Name>Block removable storage and CdRom</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList />
    <Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>6</AccessMask>
    </Entry>
    <Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
      <Type>AuditDenied</Type>
      <Options>2</Options>
      <AccessMask>1</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
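As an added example that is not part of the thread, the PowerShell function below is a pre-flight check for a Groups/PolicyRules file pair before it goes onto the share. It flags the two defects described in the reply above (missing <Groups>/<PolicyRules> wrapper nodes for Group Policy deployment, and Options 1 on a Read-only AccessMask) as well as GroupId references that do not resolve and mask/option values outside their documented ranges. The sample documents at the end are constructed and reproduce the original broken policy from the thread; the range limits (AccessMask 1..7, Options 0..3) are taken from the values used on this page and are an assumption about the schema.

```powershell
# Added example, not code from the thread: validates a Groups.xml /
# PolicyRules.xml pair for Group Policy deployment. Range limits for
# AccessMask (1..7) and Options (0..3) are assumed from the values on this page.
function Test-DeviceControlPolicy {
    param(
        [Parameter(Mandatory)][string]$GroupsXml,
        [Parameter(Mandatory)][string]$RulesXml
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Malformed XML is the first thing to rule out; nothing else can be checked.
    try { [xml]$groups = $GroupsXml } catch { $problems.Add("Groups: not well-formed XML ($_)"); return $problems }
    try { [xml]$rules  = $RulesXml  } catch { $problems.Add("Rules: not well-formed XML ($_)");  return $problems }

    # Group Policy deployment needs the wrapper nodes; one-per-file documents
    # without them only work for Intune OMA-URI.
    if ($groups.DocumentElement.Name -ne 'Groups') {
        $problems.Add("Root element is <$($groups.DocumentElement.Name)>, expected <Groups> for GPO deployment")
    }
    if ($rules.DocumentElement.Name -ne 'PolicyRules') {
        $problems.Add("Root element is <$($rules.DocumentElement.Name)>, expected <PolicyRules> for GPO deployment")
    }

    $groupIds = @($groups.SelectNodes('//Group/@Id') | ForEach-Object { $_.Value })

    foreach ($rule in $rules.SelectNodes('//PolicyRule')) {
        $ruleId = $rule.GetAttribute('Id')
        # Every GroupId the rule includes or excludes must exist in the Groups file.
        foreach ($ref in $rule.SelectNodes('IncludedIdList/GroupId|ExcludedIdList/GroupId')) {
            if ($groupIds -notcontains $ref.InnerText) {
                $problems.Add("Rule $ruleId references unknown group $($ref.InnerText)")
            }
        }
        foreach ($entry in $rule.SelectNodes('Entry')) {
            $entryId = $entry.GetAttribute('Id')
            $type    = $entry.SelectSingleNode('Type').InnerText
            $mask    = [int]$entry.AccessMask   # bits: 1 Read, 2 Write, 4 Execute
            $options = [int]$entry.Options      # bits: 1 notify, 2 send event
            if ($mask -lt 1 -or $mask -gt 7)       { $problems.Add("Entry ${entryId}: AccessMask $mask out of range 1..7") }
            if ($options -lt 0 -or $options -gt 3) { $problems.Add("Entry ${entryId}: Options $options out of range 0..3") }
            if ($type -like 'Audit*' -and $options -eq 0) {
                $problems.Add("Entry ${entryId}: $type with Options 0 neither notifies nor logs")
            }
            if ($mask -eq 1 -and ($options -band 1) -and -not ($options -band 2)) {
                $problems.Add("Entry ${entryId}: notification-only (Options 1) on Read access is meaningless; use 2 to get an advanced hunting event")
            }
        }
    }
    return $problems
}

# Constructed sample: the thread's original files (no wrapper nodes, Options 1 on Read).
$brokenGroups = @'
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
  </DescriptorIdList>
</Group>
'@
$brokenRules = @'
<PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
  <Name>Block removable storage</Name>
  <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
  <ExcludedIdList />
  <Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
    <Type>AuditDenied</Type><Options>1</Options><AccessMask>1</AccessMask>
  </Entry>
</PolicyRule>
'@
Test-DeviceControlPolicy -GroupsXml $brokenGroups -RulesXml $brokenRules

# Against real files: Test-DeviceControlPolicy (Get-Content -Raw .\Groups.xml) (Get-Content -Raw .\PolicyRules.xml)
```

An empty result means the pair passed every check; anything returned is a reason the endpoint would either ignore the policy or enforce it without producing the audit trail you expect.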

 

 

 

 

Copper Contributor

Hello, 

Thanks for reply. 

 

We will give a try again and if needed we will open Premier Support Ticket. 

 

Thank you

Marek

Copper Contributor

Hi, @Tewang_Chen ,

after your XML files update it is working now, with the following comments:

- I used local GPO (gpedit.msc), and when I added the path into the policy values nothing changed

- when I used the direct file names including the path, it started to work

- when I tried to disable and later change the policy to "not configured" with empty values, the policy still applies => how do I disable the policy and remove the blocking?

 

Thank you for further information.

 

BTW - I know you are mentioning the documentation, but to be honest it is extremely hard to understand and it doesn't make sense to me. Probably I need a different format of documentation and a different description.

 

Thank you

marek

Microsoft

@Marek_Dvorak_, are you still having that issue? It is Group Policy that pushes the policy update; this feature does nothing in the policy delivery/update. Once the policy is in the regkey, Device Control will do the enforcement. So have you forced the policy update, e.g. gpupdate /force?

Copper Contributor

Hello @Tewang_Chen, the GPO is pushing the policy update, and the process of how to disable this functionality at all was a bit controversial (from a reboot to adding any word into the GPO to disable applying). Nevertheless, a direct registry edit could work also.

 

We have moved forward, but overall, using XML to configure something over GPO is not a good approach.

 

Thank you

marek

Microsoft

@Marek_Dvorak_, GPO UX is on our backlog, but it is not high priority based on customer feedback. It would be great if you could reach out to our CXE/field and file this request. We rely heavily on customer feedback to prioritize our work.

Steel Contributor

@Tewang_Chen 
The documentation for "Removable storage access control on Windows" is showing a banner saying the GPO functionality is GA.

Is the OMA-URI/CSP functionality also GA already?

 

Also, do you know if this works with Azure AD Registered devices?

Copper Contributor

Without Defender, with Microsoft Information Protection you could have USB/Printer control in order to protect data.

I cannot find any document showing what additional control/s Defender for endpoint could do for DLP?

Steel Contributor

@Marek_Dvorak_ 
Would it be possible for you to share the specifics of how you disabled the policy?

Copper Contributor

In testing we've found that to bypass this security the only thing needed is to delete the PolicyGroups and PolicyRules registry keys that point to the .xml, then rebooting. Comically the keys don't even come back from gpupdate /force after doing so, in fact the only way to get them back is to update the group policy to point at a different .xml file so a change is seen.  I understand this is a "newish" feature, but do you have any advice for how to make it so this isn't so trivially bypassed. Even the old school writeprotect methods would at least get set again the next time group policy sync'd, so this seems like a very complex step backwards for organizations that don't outright block all methods of editing the registry.

 

 

Copper Contributor

Thank you for the excellent write up. The documentation references a number of GUIDs, specifically group ID, policy ID and entry ID, but does not identify how to generate/obtain these IDs. Can further guidance be provided in this area? It is unclear if they're arbitrary whereas in ASR they are very specific.

Steel Contributor

@JamesDawson 
My understanding is that these need to be generated manually, which can be done with the "New-Guid" powershell cmdlet for example.

 

Maybe somebody else can confirm this too.

 

(ASR has 16 predefined rules, whereas you need to define your own groups and policies here)

Copper Contributor

The Printer control blocks the print to PDF functionality. Any way to resolve this?

Microsoft

@effjaay, not through the existing product, but we are currently working on Printer Protection V2, which will allow you to control through printer name/type/pid,vid/etc.; private preview ETA June.

Microsoft

@Jonhed , yeah, both OMA-URI/GPO have been GAed for a while.

 

About AAD-joined machine:

  • If you deploy an AAD machine through OMA-URI, the AAD machine will receive the policy, and Defender will do the enforcement.
  • The Sid/ComputerSid attribute on the policy currently only works for AD SIDs, not AAD values/objects; we are currently closing this gap, the possible ETA is August 2022 (this is not a customer promise, just an internal tracking timeline). But in most cases you do not need to use this Sid; you can use Intune include and exclude assignments to solve the problem. People usually ask for this when they want to include machines but exclude users; in this case, currently Intune will give an error / cannot mix machines and users.

Feel free to ping me if you have any questions about policy design.

Microsoft

Recently, I uploaded a new demo deck mdatp-devicecontrol/Removable Storage Access Control Samples/Demo at main · microsoft/mdatp-deviceco..., to explain how people should manage this feature through Intune, it has step by step. This deck is just for Intune management, but you can merge policy for GPO, basic steps are the same.

Copper Contributor

The solution works great and we started with Scenario 5.

But now we want to extend with an additional PolicyRule for a department which should only have access to certain USB keys. I have created a second set of group and policy rule xmls, but it doesn't work. It seems the global deny rule is stronger and the more specific rule is not applied. Is my assumption correct?

It would be fine to have an order for multiple policies in future (first or last applies).

Steel Contributor

@Tewang_Chen 

Thanks for the confirmation of GA status.


Could you also clarify if this works on AAD registered devices when you deploy via Intune?

(you mentioned this works with AAD joined devices)

Copper Contributor

@Florian_Huber I see the same problem as you. Setting "DefaultEnforcement = 2" blocks everything regardless of it matching an Allow rule.


I would like to see an example from Microsoft that shows how this can be used in the following scenario, as I do not think it works as Microsoft have documented:
1. DefaultEnforcement=2 (block by default)

2. AzureAD group XXX have Allow access to device group 1

3. AzureAD group YYY have Allow access to device group 2

 

From all the testing I've performed, Deny always trumps Allow, so it's not possible to assign different policies to different user groups and block if it doesn't match a policy. The order of the policies doesn't appear to have an effect; it seems to evaluate all policies in parallel.

The only way I've got it working is with one allowed device group and DefaultEnforcement=1

Steel Contributor

@JonAbbott 

Regarding DefaultEnforcement=2.

Did you ever try to enable "AuditDenied" for all types of devices to see what was blocked?

 

I haven't used this setting myself as of yet, but I was considering it for a new customer.

Copper Contributor

After further testing today, it looks like RSAC doesn't support AzureAD groups, which I believe is why the test policy wasn't working.  This was giving the false impression that Deny trumps Allow as I was only seeing a Deny event logged.

Remove the AzureAD group SIDs and the policy works, although the consequence is that RSAC can't be used at a User level with AzureAD without explicitly adding every user's SID to the policy - which isn't really realistic with a large user base.

Perhaps Microsoft could confirm this behaviour and revise the documentation to state AzureAD groups are not supported. I'd also suggest linking or including a PowerShell script to convert an AzureAD GUID to the SID value that RSAC policies require, or modifying RSAC to support AzureAD GUIDs directly.

Microsoft did update the documentation on 28th April 2022 to clarify the Allow/Deny rule order and the error in the Options entry, which has cleared up some confusion.

Steel Contributor

@JonAbbott 

@Tewang_Chen posted a reply regarding this in this thread if you check the earlier replies. (see below)

AAD objects are not yet available for SID level policies.

Jonhed_0-1651576256032.png

 

Copper Contributor

@Jonhed I missed that comment as I performed most of our testing several weeks ago before that post.

One point I would add to @Tewang_Chen's comment is that although AAD user SIDs are not directly supported, they appear to work, as once an AAD user logs in, the AAD SID is created locally.

In summary, RSAC in its current state isn't ready for use in a cloud-first environment -  unless you can get away with the policy being applied to "All users"

Copper Contributor

Another observation I should mention from testing.  When using HardwareID to identify devices, RSAC appears to only check the first Hardware ID in the list.  This invariably means wildcards need to be used when HardwareID is used as the first ID in the list is quite often a hardware revision specific entry.

Copper Contributor

Dear colleagues,

I could solve my issue with the printer protection policy profile in Intune, because I used a wrong syntax from the Microsoft documentation:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection?view=o3...

I figured out that the Microsoft documentation about the printer protection had some issues.

 

Microsoft have forgotten to add a slash / in the <enabled> tag. So I copied and pasted the following wrong property example:

<enabled><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>

With that wrong <enabled> tag, I got an Error on Intune.

 

The correct one is following: 

<enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>

 

I added a slash / at the end of the enabled tag: <enabled/>, the Error went away, and my printer policy works.

I hope that hint helps you not to run in the same Error that I got as I created this intune policy with the wrong <enabled> tag.

 

Brass Contributor

Hey @Tewang_Chen, will it be possible to, for example, customize the window which is shown when access etc. is blocked? For example, add a custom button for FAQ / rules for the organization?

Copper Contributor

I am looking for something in between Endpoint DLP and Defender for Endpoint for being able to restrict printing of sensitive documents via non-corporate printers.

Endpoint DLP helps me to prevent printing on any printer.

Defender for Endpoint helps me to prevent printing any document on certain printers.

I can't find a solution to prevent sensitive documents from being printed on non-corporate printers but allow them to be printed on corporate ones.

Any ideas?

Copper Contributor

How does Windows determine if it is a corporate printer? I have network printers added to devices on a domain and they are getting blocked. I am only looking to block non-corporate printers.

Copper Contributor

After updating the XML, what triggers defender to re-load the XML? Is reboot required? 

 

Thank you.

Copper Contributor

@Tewang_Chen you mention "Printer Protection V2, which will allows you to control through printer name/type/pid,vid/etc., private preview ETA June." Is this generally available? With the current version of Printer Protection, it seems to block Universal Print Printers too. Actually it seems it block all printers except for the USB printers defined in ApprovedUsbPrintDevices. The documentation states, "Block people from printing via any non-corporate printer using Intune".  As asked by @bungle77, what is considered a corporate printer and/or how is that defined? @bungle77 were you able to figure this out? I've been struggling with this for months.

Copper Contributor

Hello, same question as @Alexsemi100

 

How do we update the XML files on the client "fast"?

A manual Intune device sync does not work, DeviceControlPoliciesLastUpdated stays the same for a long time and it is not transparent how we can update the policies instantly.

 

It is not acceptable if a policy change is made to wait 1-2 days until it's accepted on the client.

 

This makes troubleshooting VERY hard.

Copper Contributor

@Tewang_Chen 

 

Just following up to know if the Print to PDF protection is now available.

 

Thanks

Copper Contributor

I configured Device control for removable storage via GPO - used 2 XMLs as described here 

 

Wondering if there is any place on endpoint (windows 10) to look for logs when removable storage is blocked? Like event log or something. To not using Advanced hunting https://security.microsoft.com/v2/advanced-hunting

 

I cannot find anywhere information about Bluetooth connected storage blocking (like paring phone and copy files via Bluetooth). Anyone ?

Microsoft

Hi @bbelko,

- event: I believe you are talking about the event under Event Viewer; no, we do not display that. Any reason you cannot use AH? You can use the public API to consume the event from AH. Ping me if this is a blocker for you.

- Bluetooth: Integrating Bluetooth into this solution is still a backlog item. We have done a feasibility study, but it is not top priority / no customer has told us this is a blocker/priority item. Ping me if you think this is important / to help build the business case.

Microsoft

Hi @Alexsemi100 / @cashcow2022,

We rely on Group Policy and Intune to push the configuration. The Intune side syncs policy every few minutes; I believe it is 15 mins, if you need I can get a more accurate number. A reboot is not required for this feature.

 

Microsoft

Hi all,

 

We also published a new blog about this feature updates: Microsoft Defender for Endpoint removable storage access control updates.

Copper Contributor

@Tewang_Chen regarding Bluetooth - so generally, what is the best approach to block Bluetooth file transfer? I found this https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-servi...

But wondering if there are related GPO settings ? For now we want to stick with GPO configuration if possible


Here is a GPO setting: Configure Attack surface reduction rules description https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-red... but looks like there are no bluetooth related settings there

Microsoft

@bbelko, no, this Bluetooth feature does not support GPO; you have to use SCCM or Intune. And there are some gaps in this feature, e.g. it does not support user-based policy. That is the reason I am hoping we can build the business case to integrate Bluetooth support into the existing RSAC/Printer protection architecture.

Version history
Last update:
‎Aug 26 2021 09:10 AM
Updated by: