Deploy and manage Removable Storage Access Control using group policy

Note

The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint.

The Removable Storage Access Control feature enables you to apply a policy by using group policy to either user or device, or both.

Device Control Removable Storage Access Control policies

You can use the following properties to create a removable storage group.

Note

Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

Licensing requirements

Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control through group policy, you must have a standalone Microsoft Defender for Endpoint Plan 1, Microsoft 365 E3 (which includes Microsoft Defender for Endpoint Plan 1), or Microsoft 365 E5 (which includes Microsoft Defender for Endpoint Plans 1 and 2).

Deploy using group policy

  1. Enable or Disable Removable Storage Access Control (Optional):

    You can enable or disable Device control as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control.
    • In the Device Control window, select Enabled.

    Screenshot of Enabling RSAC using Group Policy

    Note

    If you don't see these group policy objects, you need to add the group policy administrative template. You can download the administrative template (WindowsDefender.adml and WindowsDefender.admx) from mdatp-devicecontrol / Removable Storage Access Control Samples on GitHub.

  2. Set Default Enforcement:

    You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

    For example, suppose you have a Deny or an Allow policy for RemovableMediaDevices but none for CdRomDevices or WpdDevices. If you set Default Deny through this policy, Read/Write/Execute access to CdRomDevices and WpdDevices will be blocked. If you only want to manage storage, make sure to create an Allow policy for Printer; otherwise, this Default Enforcement will be applied to Printer as well.

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement

    • In the Select Device Control Default Enforcement pane, select Default Deny:

    Screenshot of setting Default Enforcement = Deny using Group Policy

  3. Create one XML file for removable storage group(s):

    Use the properties in removable storage group to create an XML file for the removable storage group(s), save the XML file to a network share, and define the setting as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.

    Screenshot of Define device control policy groups

    • In the Define device control policy groups window, specify the network share file path containing the XML groups data.

    Take a look at the Overview > Removable storage group. You can create different group types. Here's one example group XML file covering any removable storage, CD-ROM, Windows portable devices, and an approved USBs group: XML file

  4. Create one XML file for access policy rule(s):

    Use the properties in removable storage access policy rule(s) to create an XML file containing each group's removable storage access policy rule, save the XML file to a network share, and deliver the setting as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.

      Screenshot of define device control policy rules

    • In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

    Take a look at the Overview > Access policy rule; you can use Parameters to set conditions for a specific Entry. Here's one example XML file.

  5. Set location for a copy of the file (evidence):

    If you want to keep a copy of the file (evidence) when Write access happens, set the right Options in your removable storage access policy rule in the XML file, and then specify the location where the system can save the copy.

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define Device Control evidence data remote location.

    • In the Define Device Control evidence data remote location pane, select Enabled, and then specify the local or network share folder path.

      Screenshot of Define Device Control evidence data remote location.

Scenarios

Here are some common scenarios to help you become familiar with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' isn't used, because 'Default Enforcement' applies to both the removable storage and the printer.

Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

For this scenario, you need to create two groups - one group for any removable storage and another group for approved USBs. You also need to create two policies - one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

  1. Create groups

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

      A screenshot of removable storage

    2. Group 2: Approved USBs based on device properties.

      A screenshot of approved USBs

      Combine these two groups into one XML file. See step 3 from the Deploy using group policy section to deploy this configuration.

      Tip

      Replace & with &amp; in the value.

  2. Create policy

    1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.

      A screenshot of block write and execute access

    2. Policy 2: Audit Write and Execute access for allowed USBs.

      A screenshot of audit write and execute access

      What does '54' mean in the policy? It's 18 + 36 = 54:

      • Write access: disk level 2 + file system level 16 = 18.
      • Execute: disk level 4 + file system level 32 = 36.

      Combine these two policy rules into one XML file. See step 4 from the Deploy using group policy section to deploy this configuration.

Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

For this scenario, you need to create two groups - one group for any removable storage and another group for blocked USBs. You also need to create two policies - one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.

  1. Create groups

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

      A screenshot of removable storage in groups

    2. Group 2: Blocked USBs based on device properties.

      A screenshot of blocked USBs

      Combine these two groups into one XML file. See step 3 from the Deploy using group policy section to deploy this configuration.

      Tip

      Replace & with &amp; in the value.

  2. Create policy

    1. Policy 1: Block Write and Execute access for the specific unapproved USBs group.

      A screenshot of specific unapproved USBs

    2. Policy 2: Audit Write and Execute access for others.

      A screenshot of audit write and execute access in group policy

      What does '54' mean in the policy? It's 18 + 36 = 54:

      • Write access: disk level 2 + file system level 16 = 18.
      • Execute: disk level 4 + file system level 32 = 36.

      Combine these two policy rules into one XML file. See step 4 from the Deploy using group policy section to deploy this configuration.

Scenario 3: Block read and execute access to specific file extension

For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy that denies read and execute access to any file in the unallowed file extension group for the defined removable storage group.

  1. Create groups

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

    2. Group 2: Unallowed file extensions.

      Combine these two groups into one XML file. See step 3 from the Deploy using group policy section to deploy this configuration.

      Tip

      Explicitly mark the Type attribute on the group as File.

  2. Create policy

    1. Policy: Deny read and execute access to any file under the unallowed file extension group for the defined removable storage group.

      What does '40' mean in the policy? It's 8 + 32 = 40:

      • Read: file system level 8.
      • Execute: file system level 32.

      Only file system level access needs to be restricted here, so no disk level bits are set.

      Although this case only has one policy, make sure to put it under PolicyRules in one XML file. See step 4 from the Deploy using group policy section to deploy this configuration.
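As an added example (not from this page or from Microsoft's sample files), the following Python computes the AccessMask values used in Scenarios 1 to 3 from the bit values stated above, and checks a rule XML file for the two authoring mistakes the page calls out: a comment on the first line of the file and a raw & in a value. The XML element names and the DeviceRead = 1 bit are assumptions taken from Microsoft's published samples; the GUIDs are placeholders.

```python
import xml.etree.ElementTree as ET

# AccessMask bit values. 2/16 (Write), 4/32 (Execute) and 8 (file-system Read)
# are stated on this page; DeviceRead = 1 is assumed to complete the set.
ACCESS_BITS = {
    "DeviceRead": 1, "DeviceWrite": 2, "DeviceExecute": 4,
    "FileRead": 8, "FileWrite": 16, "FileExecute": 32,
}

def access_mask(*names):
    """OR the named access types into a single AccessMask value."""
    mask = 0
    for name in names:
        mask |= ACCESS_BITS[name]
    return mask

def decode_mask(mask):
    """List the access types covered by a mask, e.g. 54 -> Write + Execute."""
    return [name for name, bit in ACCESS_BITS.items() if mask & bit]

def check_policy_xml(text):
    """Flag the two authoring mistakes this page calls out: an XML comment
    on the first line (before the root tag) and a raw '&' in a value."""
    problems = []
    if text.lstrip().startswith("<!--"):
        problems.append("comment on first line: move it inside the root tag")
    try:
        ET.fromstring(text)
    except ET.ParseError as err:
        problems.append(f"not well-formed XML (unescaped '&'?): {err}")
    return problems

# Scenario 1, Policy 1: deny Write and Execute at disk and file system level.
DENY_WRITE_EXEC = access_mask("DeviceWrite", "FileWrite",
                              "DeviceExecute", "FileExecute")  # 54

# Constructed sample rule; element names follow Microsoft's published
# samples (assumed here) and the GUIDs are placeholders.
GOOD_RULE = f"""<PolicyRules>
  <!-- Scenario 1, Policy 1: comment sits inside the root tag -->
  <PolicyRule Id="{{PLACEHOLDER-GUID}}">
    <Name>Block Write and Execute on removable storage</Name>
    <Entry Id="{{PLACEHOLDER-GUID}}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>{DENY_WRITE_EXEC}</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>"""

# Constructed sample with both mistakes: leading comment and an unescaped '&'.
BAD_RULE = """<!-- comment on line 1 -->
<PolicyRules><PolicyRule Id="{PLACEHOLDER-GUID}">
  <Name>Vendor A & Vendor B</Name></PolicyRule></PolicyRules>"""
```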

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.