Windows IoT Enterprise gives you the power as the administrator of your devices to set certain policies to protect your IoT devices. Whether that be against device tampering, malware infections, data loss, or preventing peripherals from gaining access to your device, Windows IoT Enterprise gives you the power to create a customized experience that safeguards against these threats.
In a Windows IoT device restrictions profile, most configurable settings are deployed at the device level using device groups.
The following guide reviews the various policies that can be configured to create a safe and secure device usage experience.
Device Installation - Group Policy
If your organization manages devices through group policy, we recommend you follow this Step-By-Step Guide.
Control removable media using Microsoft Defender for Endpoint
Microsoft recommends a layered approach to securing removable media, and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting. Identify or investigate suspicious usage activity.
Configure to allow or block only certain removable devices and prevent threats.
Allow or block removable devices based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs.
Prevent threats from removable storage introduced by removable storage devices by enabling:
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
Create customized alerts and response actions to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with custom detection rules.
Respond to threats from peripherals in real-time based on properties reported by each peripheral.
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable disks. Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
Device Installation Settings - MDM
If your organization manages devices through mobile device management, we recommend you review the following device installation policies:
- Allow Installation Of Matching Device IDs
- Allow Installation Of Matching Device Instance IDs
- Allow Installation Of Matching Device Setup Classes
- Prevent Device Metadata From Network
- Prevent Installation Of Devices Not Described By Other Policy Settings
- Prevent Installation Of Matching Device IDs
- Prevent Installation Of Matching Device Instance IDs
- Prevent Installation Of Matching Device Setup Classes
Look up device ID
You can use Device Manager to look up a device ID.
- Open Device Manager.
- Click View and select Devices by connection.
- From the tree, right-click the device and select Properties.
- In the dialog box for the selected device, click the Details tab.
- Click the Property drop-down list and select Hardware Ids.
- Right-click the top ID value and select Copy.
For information about Device ID formats, see Standard USB Identifiers.
For information on vendor IDs, see USB members.
The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
PowerShell Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *