In my organization we want to block all the USB ports and want to allow only Digital Signature Certificate (DSC) pendrives. How can we achieve it?

Vamsi Chavali 105 Reputation points
2023-10-12T06:51:14.94+00:00


Windows for business | Windows Client for IT Pros | Devices and deployment | Set up, install, or upgrade
Microsoft Security | Intune | Other

Accepted answer
    Ali AlEnezi 1,081 Reputation points
    2023-10-12T06:58:51.1466667+00:00

    Certainly, Vamsi Chavali.

    To achieve your requirement using Microsoft Intune, follow the steps below:

    Device Identification:

    • Firstly, to specifically allow DSC pendrives, you need to know their unique identifier, the "Device Hardware ID."
    • Connect the DSC pendrive to a computer. Open the Device Manager.
    • Find the USB device in the list, right-click it and select 'Properties'.
    • In the 'Details' tab, pick 'Hardware Ids' from the dropdown. Make a note of these values.

    Configure Intune to Block USBs:

    • Sign in to the Microsoft Endpoint Manager admin center.
    • Navigate to 'Devices' > 'Configuration profiles' > '+ Create profile'.
    • For the Platform, select 'Windows 10 and later'.
    • For Profile, opt for 'Templates' and then 'Endpoint protection'.
    • Click 'Create'.
    • Name your profile and optionally provide a description.
    • In 'Settings', navigate to 'Microsoft Defender Exploit Guard' > 'Attack Surface Reduction (ASR)' > 'Block all removable storage devices unless specifically allowed'. Set this rule to 'Block'.

    Whitelist DSC Pendrives:

    • In the same 'Endpoint protection' profile, look for the 'BitLocker' section.
    • Navigate to 'Allow direct memory access (DMA) devices when the device is locked' > 'Allow DMA devices to have direct memory access when the computer is locked'.
    • Here, add the Hardware Ids of the DSC pendrives that you previously noted down. This action will ensure that only the whitelisted DSC pendrives are allowed, while other USB devices remain blocked.

    Deploy the Profile:

    • After your profile is set up, it's time to assign it.
    • Under 'Assignments', hit 'Select groups to include' and pick the relevant user or device groups to which you wish to enforce this profile.

    Evaluation & Testing:

    • With the settings in place, initiate a pilot test on a subset of devices to confirm that only the DSC pendrives are permitted and all other USB devices are effectively blocked.

    Vamsi, your emphasis on safe testing is spot-on. It's crucial to test any new policy in a controlled environment first. This will help in spotting any unforeseen issues and ensuring the smooth operation of devices in the organization. Microsoft's Intune configurations can evolve, so it's always a good practice to stay updated with official documentation and any changes in the platform.

    All the best,

    Ali

    2 people found this answer helpful.
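The "Device Identification" step above can be done without clicking through Device Manager on every machine. The following PowerShell is an added example (not code from the answer or from Microsoft): it lists the Hardware Ids of every USB device currently plugged in, so the DSC token's identifiers can be copied into the Intune policy, and it checks whether the "All Removable Storage classes: Deny all access" setting mentioned in the other answer has been applied on the machine. The registry path used for that check is the policy key that setting writes to; the function names are my own.

```powershell
# Added example, not from the thread: enumerate the Hardware Ids of connected
# USB devices (for allow-listing a DSC token) and check whether the
# "All Removable Storage classes: Deny all access" policy is in force.
# Requires Windows 10/11 (built-in PnpDevice module); run elevated for the
# registry check to read machine policy reliably.

function Get-UsbHardwareIds {
    # Only devices present right now, so a plugged-in DSC token shows up.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # DEVPKEY_Device_HardwareIds is the same list Device Manager shows
            # under Details > Hardware Ids (e.g. USB\VID_xxxx&PID_xxxx&REV_xxxx).
            $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds' `
                        -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                InstanceId   = $_.InstanceId
                HardwareIds  = ($hwids -join '; ')
            }
        }
}

function Test-RemovableStorageDenied {
    # The Administrative Template "All Removable Storage classes: Deny all access"
    # writes Deny_All under this policy key; a value of 1 means the deny applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $value = Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}

# Usage: list the devices, then confirm whether the deny policy has landed.
Get-UsbHardwareIds | Format-Table -AutoSize -Wrap
"Removable storage denied by policy: $(Test-RemovableStorageDenied)"
```

Run it once with the DSC token inserted and once without, and compare the two listings to isolate the token's own Hardware Ids from those of the hub or built-in devices.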

1 additional answer

Sort by: Most helpful
    Simon Ren-MSFT 40,346 Reputation points Microsoft External Staff
    2023-10-12T08:47:55.77+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    1. You can try the Administrative Templates profile. The path is Windows 10 and later > Templates > Administrative Templates profile > System > "All Removable Storage classes: Deny all access".


    2. You can also try Endpoint Security > Attack Surface Reduction > Create Policy. Choose Platform: Windows 10 and later with Profile: Device Control. For more detailed steps, refer to the official article:

    Prevent Write and Execute access to all but allow specific approved USBs


    Thanks for your time. Have a nice day!

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.


    1 person found this answer helpful.