Certainly, Vamsi Chavali.
To achieve your requirement using Microsoft Intune, follow the steps below:
Device Identification:
- Firstly, to specifically allow DSC pendrives, you need to know their unique identifier, the "Device Hardware ID."
- Connect the DSC pendrive to a computer. Open the Device Manager.
- Find the USB device in the list, right-click it, and select 'Properties'.
- In the 'Details' tab, pick 'Hardware Ids' from the dropdown. Make a note of these values.
Configure Intune to Block USBs:
- Sign in to the Microsoft Endpoint Manager admin center.
- Navigate to 'Devices' > 'Configuration profiles' > '+ Create profile'.
- For the Platform, select 'Windows 10 and later'.
- For Profile, opt for 'Templates' and then 'Endpoint protection'.
- Click 'Create'.
- Name your profile and optionally provide a description.
- In 'Settings', navigate to 'Microsoft Defender Exploit Guard' > 'Attack Surface Reduction (ASR)' > 'Block all removable storage devices unless specifically allowed'. Set this rule to 'Block'.
Whitelist DSC Pendrives:
- In the same 'Endpoint protection' profile, look for the 'BitLocker' section.
- Navigate to 'Allow direct memory access (DMA) devices when the device is locked' > 'Allow DMA devices to have direct memory access when the computer is locked'.
- Here, add the Hardware Ids of the DSC pendrives that you previously noted down. This action will ensure that only the whitelisted DSC pendrives are allowed, while other USB devices remain blocked.
Deploy the Profile:
- After your profile is set up, it's time to assign it.
- Under 'Assignments', hit 'Select groups to include' and pick the relevant user or device groups on which you wish to enforce this profile.
Evaluation & Testing:
- With the settings in place, initiate a pilot test on a subset of devices to confirm that only the DSC pendrives are permitted and all other USB devices are effectively blocked.
Vamsi, your emphasis on safe testing is spot-on. It's crucial to test any new policy in a controlled environment first. This will help in spotting any unforeseen issues and ensuring the smooth operation of devices in the organization. Microsoft's Intune configurations can evolve, so it's always a good practice to stay updated with official documentation and any changes in the platform.
All the best,
Ali
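As an added example that is not part of Ali's post, the Device Identification step can be scripted instead of read off Device Manager. It uses the built-in PnpDevice cmdlets (Windows 10 or later, PowerShell 5.1+); the function name is my own, and it lists both the disk-level Hardware Ids and those of the parent USB device so you have whichever form the policy editor asks for.

```powershell
# Added example (not from the original answer): enumerate Hardware Ids of the
# USB storage devices currently attached, for building an allowlist.
function Get-UsbStorageHardwareIds {
    [CmdletBinding()]
    param()

    # Disk drives connected right now whose instance path is under USBSTOR.
    $usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction Stop |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' }

    foreach ($disk in $usbDisks) {
        # Same list Device Manager shows under Details > Hardware Ids,
        # ordered from most specific to least specific.
        $diskHwIds = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds').Data

        # The parent node is the USB device itself (USB\VID_xxxx&PID_xxxx...).
        $parentId = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
            -KeyName 'DEVPKEY_Device_Parent').Data
        $parentHwIds = if ($parentId) {
            (Get-PnpDeviceProperty -InstanceId $parentId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data
        }

        [pscustomobject]@{
            FriendlyName      = $disk.FriendlyName
            InstanceId        = $disk.InstanceId
            DiskHardwareIds   = $diskHwIds
            ParentInstanceId  = $parentId
            ParentHardwareIds = $parentHwIds
        }
    }
}

# Run with only the approved DSC pendrive(s) plugged in and keep the output
# as the record of what the allowlist should contain.
Get-UsbStorageHardwareIds | Format-List
```

Run it in an elevated PowerShell session on the machine the pendrive is plugged into; no output means no USB-attached disk is currently present.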