MDE Device Control – Leveraging Reusable Settings in Intune

Introduction

Hello everybody! We are Jorge Miguel Ferreira and Sebastian Werner and we're consultants at Microsoft. This blog post will show you how to set up Microsoft Defender for Endpoint (MDE) Device Control Removable Storage Access Control (see Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media).

There are many ways of configuring this feature, such as GPOs, custom OMA-URIs and Intune, specifically the new reusable settings feature in the Attack Surface Reduction (ASR) rules. This blog post will focus on the new ASR rules in Intune.

Note: this is not about controlling device installation (that is covered in Microsoft Defender for Endpoint Device Control Device Installation). In this blog, we'll only cover removable storage access control.

We will cover some common scenarios, such as:

  1. Scenario 1 – Blocking write access to all removable storage for all users with exceptions for specific removable storage
  2. Scenario 2 – Blocking write access to all removable storage for specific user groups on specific machine groups (e.g. specialized hardware)
  3. Scenario 3 – Block read and write access to specific devices
  4. Scenario 4 – Block CD/DVDs

Prerequisites

As of July 2023, for this to work, you will need to have access to a machine where the following conditions are met:

General information

In MDE, we can match devices against various identifiers. This allows for either very broad targeting, using a PrimaryId (RemovableMediaDevices, CdRomDevices, WpdDevices or PrinterDevices), or granular targeting, using IDs like DeviceId.

You can find a list of supported IDs to match here: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media

We will use a number of these IDs in the following examples. Now let's dive into our scenarios:

Scenario 1 – Blocking write access to all removable storage for all users with exceptions for specific removable storage

For this scenario, the first thing we need is to create multiple reusable settings: one that matches all removable storage devices and one for each specific device that should be excepted.

Start by navigating to the ASR section in Endpoint Security in Intune. From here, create the first reusable setting, which will match All Removable Storage [RemovableMediaDevices].


Now we will create a second reusable setting that will match our test USB pen, which has the following FriendlyNameId: USB DISK 2.0 USB Device.

Note that you can filter by many different properties, and you need to identify which one is the most appropriate for your scenario.


After creating both reusable settings, both will be listed in the reusable settings overview.


Once the reusable settings are set up, we can start creating the ASR policy. Create a new ASR policy for Device Control and give it a name.


Scroll all the way to the bottom of the configuration; this is where you can apply the reusable settings you previously created. You can choose to either include or exclude devices based on the reusable settings. To block all removable storage and exclude specific devices, set up the policy as follows.


Click on the option below Included ID and select the reusable setting that covers all the Removable Storage – in our case All Removable Storage.


Click on the option below Excluded ID and select the reusable setting of the Removable Storage you want to exclude – in our case EMTEC USB drive.


Click on the option + Edit Entry and fill in the entry (for this scenario, a Deny entry for Write access).


We continued the configuration of the policy, applying it to a machine group that contains our test Windows 10 device.

Result of Scenario 1

With the policy we created, data can only be written to the EMTEC USB drive.


Writing data to any other device (one with a different FriendlyNameId) is blocked.


Scenario 2 – Blocking write access to all removable storage for specific user groups on specific machine groups (e.g. specialized hardware)

Just like in scenario 1, start by creating a reusable setting to match all removable storage devices (in our case we added the reusable setting All Removable Storage in the Included ID).


For this scenario we don't want to exclude anything, so nothing is configured in the Excluded ID.

When applying the reusable setting in the ASR policy, notice the Sid and Computer Sid fields that you can set per entry. When you do not set these, the entry applies to all users and all devices that are in scope for the ASR policy. Using the two SID fields allows you to restrict the entry to specific users, groups and/or devices. Even though the field says SID, you can use either the SID of an AD object or the object ID of an AAD object.

You can get the object ID for any user, group or device by navigating to the AAD portal, searching for the user/group/device you want to include in the policy and copying the object ID from the details view of the object.

For our example we took the Sid of a specific user and denied Write permissions while allowing Read and Execute (for that specific user).


We continued the configuration of the policy applying it to a machine group that contains our test Windows 10 device.

Result of Scenario 2

With this policy, the user configured in the Sid option (in this case Debra Berger) on the test Windows 10 device cannot write to any Removable Storage. Other users on the same device are unaffected.


Scenario 3 – Block read and write access to specific devices

For this scenario, we can reuse the USB thumb drive reusable setting from scenario 1; we only need to change the ASR rule to block read, write, and execute for this specific removable storage.


Result of Scenario 3

With this policy, no user can read from or write to the EMTEC USB drive on the test Windows device. All other removable storage devices keep working as before.


Scenario 4 – Block access to CD/DVDs

For this scenario, the first thing we need is to create a reusable setting that matches CdRomDevices.


Then create an ASR rule to block read, write, and execute for the CD/DVD Devices reusable setting, with an entry that denies Read, Write and Execute.


Apply it to the devices in scope for the test (in our test all devices).

Result of Scenario 4

With this policy, no user can access CD/DVD devices (including ISO files mounted in Windows Explorer).


Troubleshooting information

To figure out whether the newest version of your policy has been applied on the device, there's one registry key that can help:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\

In this registry key there are two REG_SZ values, PolicyGroups and PolicyRules, that contain the applied configuration.

PolicyGroups holds the effective groups configuration that applies to the device, and PolicyRules stores the effective policy for removable storage access control. Both values hold the configuration in XML format. If you export the key you'll get the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
"PolicyGroups"="
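To check which groups and rules are actually in effect on a device, the following PowerShell script (an added example, not part of the original post) reads PolicyGroups and PolicyRules from the registry key above and prints each rule with its included/excluded groups, entries and scope. It assumes the XML layout and AccessMask bits (1 = Read, 2 = Write, 4 = Execute) of the documented Device Control policy schema, and falls back to a constructed sample mirroring scenario 1 when no policy is present.

```powershell
# Added example (not from the original post): summarise the effective Device Control policy.
# Assumptions: XML layout and AccessMask bits follow the documented Device Control schema;
# the GUIDs in the fallback sample are constructed and not from a real tenant.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($props -and $props.PolicyGroups -and $props.PolicyRules) {
    [xml]$groups = $props.PolicyGroups
    [xml]$rules  = $props.PolicyRules
} else {
    # Constructed sample: deny Write on all removable media, except the group matching the test USB pen.
    [xml]$groups = '<Groups><Group Id="{11111111-0000-0000-0000-000000000001}"><MatchType>MatchAny</MatchType><DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList></Group><Group Id="{11111111-0000-0000-0000-000000000002}"><MatchType>MatchAny</MatchType><DescriptorIdList><FriendlyNameId>USB DISK 2.0 USB Device</FriendlyNameId></DescriptorIdList></Group></Groups>'
    [xml]$rules  = '<PolicyRules><PolicyRule Id="{22222222-0000-0000-0000-000000000001}"><Name>Block write to removable storage</Name><IncludedIdList><GroupId>{11111111-0000-0000-0000-000000000001}</GroupId></IncludedIdList><ExcludedIdList><GroupId>{11111111-0000-0000-0000-000000000002}</GroupId></ExcludedIdList><Entry Id="{33333333-0000-0000-0000-000000000001}"><Type>Deny</Type><Options>0</Options><AccessMask>2</AccessMask></Entry></PolicyRule></PolicyRules>'
}

# Map group GUID -> "MatchType: Descriptor=Value, ..." so rules can be printed by name.
$groupMap = @{}
foreach ($g in $groups.Groups.Group) {
    $descriptors = foreach ($d in $g.DescriptorIdList.ChildNodes) { "$($d.Name)=$($d.InnerText)" }
    $groupMap[$g.Id] = "$($g.MatchType): " + ($descriptors -join ', ')
}

# Decode the AccessMask bit field into the permission names used in the Intune UI.
$accessNames = @{ 1 = 'Read'; 2 = 'Write'; 4 = 'Execute' }
function Convert-AccessMask([int]$mask) {
    ($accessNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
        ForEach-Object { $accessNames[$_] }) -join '+'
}

foreach ($r in $rules.PolicyRules.PolicyRule) {
    Write-Host "Rule '$($r.Name)' [$($r.Id)]"
    foreach ($id in $r.IncludedIdList.GroupId) { Write-Host "  Included: $($groupMap[$id])" }
    foreach ($id in $r.ExcludedIdList.GroupId) { Write-Host "  Excluded: $($groupMap[$id])" }
    foreach ($e in $r.Entry) {
        # An entry without Sid/ComputerSid applies to all users and devices in scope of the policy.
        $scope = if ($e.Sid) { "Sid=$($e.Sid)" } else { 'all users' }
        if ($e.ComputerSid) { $scope += ", ComputerSid=$($e.ComputerSid)" }
        Write-Host "  $($e.Type) $(Convert-AccessMask $e.AccessMask) ($scope)"
    }
}
```

If a rule or group you expect is missing from the output, the device has not yet received the latest policy version from Intune.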



Conclusion

As seen in the examples above, it's now simple to configure Device Control policies via Intune with this new option, and the possibilities are very extensive.

Additional references


This article was originally published by Microsoft's Secure Blog. You can find the original article here.