Device Safeguards

Windows IoT Enterprise provides you, the device administrator, with policies to protect your IoT devices from tampering, malware infections and data loss, and to prevent unauthorized peripherals from gaining access to your device. Windows IoT Enterprise gives you the power to create a customized experience that safeguards against these threats.

In a Windows IoT device restrictions profile, most configurable settings are deployed at the device level using device groups.

The following guide reviews the various policies that can be configured to create a safe and secure device usage experience.

Device Installation - Group Policy

If your organization manages devices through group policy, we recommend you follow this Step-By-Step Guide.

Control removable media using Microsoft Defender for Endpoint

Microsoft recommends a layered approach to securing removable media, and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:

  1. Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting. Identify or investigate suspicious usage activity.

  2. Configure to allow or block only certain removable devices and prevent threats.

    1. Allow or block removable devices based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs.

    2. Prevent threats introduced by removable storage devices by enabling:

      • Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
      • The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
      • Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.

  3. Create customized alerts and response actions to monitor usage of removable devices based on these plug and play events. You can also monitor other Microsoft Defender for Endpoint events with custom detection rules.

  4. Respond to threats from peripherals in real-time based on properties reported by each peripheral.

Note

These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable disks. Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
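The note above names the Storage/RemovableDiskDenyWriteAccess CSP as one way to stop data leaving on removable disks. The following PowerShell script is an added example, not code from the Microsoft page: it audits whether that policy is actually in force on a device and lists the removable volumes currently mounted, with their BitLocker protection status where the BitLocker module is available. It assumes the registry location written by the "Removable Disks: Deny write access" Group Policy (the Deny_Write value under the removable-disk class key) and the CSP's OMA-URI path; the function names are the example's own.

```powershell
# Added example (not from the Microsoft page): audit the "deny write access to removable disks"
# policy and show which removable volumes are attached and whether they are BitLocker-protected.
# Assumption: the Group Policy "Removable Disks: Deny write access" and the
# Storage/RemovableDiskDenyWriteAccess CSP both set Deny_Write under the removable-disk class key.

$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"
$OmaUri    = './Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess'

function Get-RemovableDiskWritePolicy {
    # Returns an object describing the effective Deny_Write setting on this device.
    $denyWrite = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.Deny_Write) { $denyWrite = [int]$item.Deny_Write }
    }
    $enforced = ($denyWrite -eq 1)
    $advice = if ($enforced) {
        'Write access to removable disks is denied.'
    } else {
        "Not enforced. Deploy $OmaUri = 1 via MDM, or enable the 'Removable Disks: Deny write access' Group Policy."
    }
    [pscustomobject]@{
        PolicyKey      = $PolicyKey
        DenyWriteValue = $denyWrite      # $null means the value has never been set
        Enforced       = $enforced
        Recommendation = $advice
    }
}

function Get-AttachedRemovableVolumes {
    # Lists mounted removable volumes so unencrypted media can be spotted while the policy is not yet enforced.
    $volumes = Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    $hasBitLocker = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)
    foreach ($v in $volumes) {
        $protection = 'Unknown (BitLocker module not available)'
        if ($hasBitLocker) {
            $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
            if ($bl) { $protection = [string]$bl.ProtectionStatus }   # 'On' or 'Off'
        }
        [pscustomobject]@{
            Drive      = "$($v.DriveLetter):"
            FileSystem = $v.FileSystem
            SizeGB     = [math]::Round($v.Size / 1GB, 2)
            BitLocker  = $protection
        }
    }
}

Get-RemovableDiskWritePolicy | Format-List
Get-AttachedRemovableVolumes | Format-Table -AutoSize
```

Run the script in an elevated Windows PowerShell session on the managed device; a Deny_Write value of 1 is what you should see after the CSP or Group Policy has applied, and any attached removable volume reporting BitLocker "Off" is data that neither control currently protects.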

Device Installation Settings - MDM

If your organization manages devices through mobile device management, we recommend you review the following device installation policies:

Look up device ID

You can use Device Manager to look up a device ID.

  1. Open Device Manager.
  2. Select View and select Devices by connection.
  3. From the tree, right-click the device and select Properties.
  4. In the dialog box for the selected device, select the Details tab.
  5. Select the Property drop-down list and select Hardware Ids.
  6. Right-click the top ID value and select Copy.

For information about Device ID formats, see Standard USB Identifiers.

For information on vendor IDs, see USB members.

Use the following PowerShell script to look up a device vendor ID or product ID (which is part of the device ID).

PowerShell
# Lists every property of each disk drive; the PNPDeviceID property carries the VID_xxxx and PID_xxxx values.
Get-WMIObject -Class Win32_DiskDrive |
    Select-Object -Property *
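The lookup procedure above produces hardware IDs such as USB\VID_xxxx&PID_xxxx&REV_xxxx, and step 2.1 in the Defender for Endpoint section relies on approving or denying devices by exactly these IDs. The following PowerShell script is an added example, not code from the Microsoft page: it parses the vendor and product IDs out of hardware IDs in the Standard USB Identifiers format and evaluates each device against an administrator-maintained allow list, the check you would run before committing that list to a policy. The allow-list entries and the sample IDs in $ConstructedIds are constructed values, not real approved devices, and the function names are the example's own; on a Windows host it reads live hardware IDs through Get-PnpDevice and otherwise falls back to the constructed sample.

```powershell
# Added example (not from the Microsoft page): parse USB VID/PID from Plug and Play hardware IDs
# and evaluate them against an allow list of approved devices.
# Constructed sample values: neither the allow list nor $ConstructedIds refer to real approved hardware.

function ConvertFrom-UsbHardwareId {
    param([Parameter(Mandatory)][string]$HardwareId)
    # Returns the VID and PID as upper-case 4-digit hex strings, or $null when the ID is not a USB ID.
    if ($HardwareId -match '^USB\\VID_(?<vid>[0-9A-Fa-f]{4})&PID_(?<pid>[0-9A-Fa-f]{4})') {
        return [pscustomobject]@{
            HardwareId = $HardwareId
            VendorId   = $Matches.vid.ToUpper()
            ProductId  = $Matches.pid.ToUpper()
        }
    }
    return $null
}

function Test-UsbDeviceAllowed {
    param(
        [Parameter(Mandatory)][string]$HardwareId,
        [Parameter(Mandatory)][string[]]$AllowList   # entries like 'VID_1234' (whole vendor) or 'VID_1234&PID_5678'
    )
    $parsed = ConvertFrom-UsbHardwareId -HardwareId $HardwareId
    if ($null -eq $parsed) {
        return [pscustomobject]@{ HardwareId = $HardwareId; VendorId = ''; ProductId = ''; Decision = 'Ignored (not a USB ID)' }
    }
    $byVendor  = "VID_$($parsed.VendorId)"
    $byProduct = "$byVendor&PID_$($parsed.ProductId)"
    # A device is allowed if its exact VID/PID pair is listed, or its whole vendor is listed.
    $allowed  = ($AllowList -contains $byProduct) -or ($AllowList -contains $byVendor)
    $decision = if ($allowed) { 'Allow' } else { 'Block' }
    [pscustomobject]@{
        HardwareId = $parsed.HardwareId
        VendorId   = $parsed.VendorId
        ProductId  = $parsed.ProductId
        Decision   = $decision
    }
}

function Get-PresentUsbHardwareIds {
    # Live hardware IDs from Plug and Play when the PnpDevice module exists; otherwise $null.
    if (-not (Get-Command Get-PnpDevice -ErrorAction SilentlyContinue)) { return $null }
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_*' -and $_.HardwareID } |
        ForEach-Object { $_.HardwareID[0] }   # first entry is the most specific ID, as in Device Manager
}

# Constructed allow list: one fully approved product and one approved vendor.
$AllowList = @('VID_1234&PID_5678', 'VID_ABCD')

# Constructed sample hardware IDs used when no live PnP data is available.
$ConstructedIds = @(
    'USB\VID_1234&PID_5678&REV_0100',   # exact product on the allow list -> Allow
    'USB\VID_ABCD&PID_0001&REV_0200',   # vendor on the allow list       -> Allow
    'USB\VID_1234&PID_9999&REV_0100',   # same vendor, unlisted product  -> Block
    'PCI\VEN_8086&DEV_1234'             # not a USB ID                   -> Ignored
)

$ids = Get-PresentUsbHardwareIds
if (-not $ids) { $ids = $ConstructedIds }

$ids | ForEach-Object { Test-UsbDeviceAllowed -HardwareId $_ -AllowList $AllowList } |
    Format-Table -AutoSize
```

Because Device Manager and Get-PnpDevice both report the hardware ID with the revision suffix, the parser anchors on the VID and PID only, so a firmware revision change does not silently move a device off the allow list; if you want to pin a specific revision, extend the regular expression to capture REV_ as well.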