Deploy and manage Removable Storage Access Control using Intune

Note

The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint.

The Removable Storage Access Control feature lets you apply policy either through OMA-URI or through the Intune user interface, targeting users, devices, or both. The two methods do not cover the same set of capabilities:

Capability                              Intune OMA-URI    Intune user interface
Enable or Disable Device control        supported         not supported
Set Default Enforcement                 supported         not supported
Create Removable storage group          supported         supported
Control Disk level access               supported         supported
Control File level access               supported         not supported
Set location for a copy of the file     supported         not supported
File Parameter                          supported         not supported
Network location                        supported         not supported

Licensing requirements

Before you get started with Removable Storage Access Control, confirm your Microsoft 365 subscription: to access and use Removable Storage Access Control, you must have Microsoft 365 E3.

Permission

For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.

  • Policy and Profile Manager role
  • Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles
  • Global administrator

Deploy Removable Storage Access Control by using Intune OMA-URI

Go to the Microsoft Intune admin center (https://endpoint.microsoft.com/) > Devices > Configuration profiles > Create profile > Platform: Windows 10 and later, Profile type: Templates > Custom > Create.

  1. Enable or Disable Device control (Optional):

    • Under Custom, enter the Name and Description and select Next.
    • In the Configuration settings, select Add.
    • In the Add Row pane, specify the following settings:
      • Name as Enable Device Control

      • OMA-URI as ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

      • Data Type as Integer

      • Value as 1

        Disable: 0 Enable: 1

      • Select Save.

    Screenshot of enabling Removable Storage Access Control policy

  2. Set Default Enforcement (Optional):

    You can set the default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

    To block a specific removable storage class but still allow particular media, use IncludedIdList to select a group defined by PrimaryId, and ExcludedIdList to carve out a group defined by DeviceId, HardwareId, or similar device properties. For more information, see Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

    For example, suppose you have a Deny or an Allow policy for RemovableMediaDevices but no policy for CdRomDevices or WpdDevices. If you set Default Deny through this policy, Read/Write/Execute access to CdRomDevices and WpdDevices is blocked. If you only want to manage storage, make sure to create an Allow policy for your printers; otherwise, this default enforcement applies to printers as well.

    • In the Add Row pane, specify the following settings:
      • Name as Default Deny

      • OMA-URI as ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

      • Data Type as Integer

      • Value as 1 or 2

        DefaultEnforcementAllow = 1 DefaultEnforcementDeny = 2

      • Select Save.

    Screenshot of setting Default Enforcement as Deny

  3. Create one XML file for each group:

    You can create a removable storage group for each group as follows:

    Note

    Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

  4. Create one XML file for each access control or policy rule:

    You can create a policy and apply it to related removable storage group as follows:

    • In the Add Row pane, enter:
      • Name as Allow Read Activity

      • OMA-URI as ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData

      • Data Type as String (XML file)

        Screenshot of Allow Read Activity policy

  5. Set location for a copy of the file (Optional):

    If you want to keep a copy of the file (evidence) when Write access happens, set the appropriate Options value in the policy rule's XML file, and then specify the location where the system can save the copy.

    • In the Add Row pane, enter:
      • Name as Evidence folder location

      • OMA-URI as ./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation

      • Data Type as String

        Set location for file evidence
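The steps above describe two kinds of XML payload (one per group, one per policy rule) and an OMA-URI whose braces are percent-encoded as %7b and %7d. The following Python is an added example, not code from this page or from Microsoft: it builds both payloads with ElementTree, places the comment inside the first tag as the note requires, and escapes & automatically. Element names (Group, MatchType, DescriptorIdList, PrimaryId, DeviceId, PolicyRule, Name, IncludedIdList, ExcludedIdList, GroupId, Entry, Type, Options, AccessMask) follow the Device Control XML schema Microsoft publishes for Defender for Endpoint; the PolicyGroups/.../GroupData path is the group counterpart of the PolicyRules/.../RuleData path shown in step 4 and is not on this page. The GUIDs, the DeviceId value, and the Options value 4 for the audit entry are assumptions or constructed sample data.

```python
"""Generate Device Control group and rule XML plus the Intune OMA-URI for each.

Added example, not code from this page or from Microsoft. Element names follow
the Device Control XML schema Microsoft publishes; the PolicyGroups path is
taken from that schema, not from this page. All GUIDs and the DeviceId value
are constructed sample data.
"""
import uuid
import xml.etree.ElementTree as ET

OMA_ROOT = "./Vendor/MSFT/Defender/Configuration/DeviceControl"

# Constructed identifiers; generate your own with uuid.uuid4() for a real deployment.
ANY_STORAGE_GROUP = uuid.UUID("11111111-1111-4111-8111-111111111111")
APPROVED_USB_GROUP = uuid.UUID("22222222-2222-4222-8222-222222222222")
DENY_RULE = uuid.UUID("33333333-3333-4333-8333-333333333333")
AUDIT_RULE = uuid.UUID("44444444-4444-4444-8444-444444444444")

# Write = disk 2 + file system 16, Execute = disk 4 + file system 32 (see the scenarios below).
WRITE_AND_EXECUTE = 2 + 16 + 4 + 32  # 54


def braced(guid: uuid.UUID) -> str:
    """Inside the XML, ids are written as {GUID}."""
    return "{" + str(guid) + "}"


def oma_uri(kind: str, guid: uuid.UUID) -> str:
    """Build the OMA-URI; the braces around the GUID are percent-encoded as %7b / %7d."""
    leaf, data = {"group": ("PolicyGroups", "GroupData"),
                  "rule": ("PolicyRules", "RuleData")}[kind]
    return f"{OMA_ROOT}/{leaf}/%7b{guid}%7d/{data}"


def build_group(group_id, descriptors, group_type="Device", match="MatchAny") -> str:
    """descriptors: (element name, value) pairs, e.g. ("PrimaryId", "RemovableMediaDevices")."""
    root = ET.Element("Group", Id=braced(group_id), Type=group_type)
    # Per the note above, a comment must sit inside the first tag, never before it.
    root.append(ET.Comment(f" {oma_uri('group', group_id)} "))
    ET.SubElement(root, "MatchType").text = match
    id_list = ET.SubElement(root, "DescriptorIdList")
    for name, value in descriptors:
        # ElementTree writes '&' as '&amp;', the fix the Tip below asks for
        # when the file is edited by hand.
        ET.SubElement(id_list, name).text = value
    return ET.tostring(root, encoding="unicode")


def build_rule(rule_id, name, included, excluded, entries) -> str:
    """entries: (Type, Options, AccessMask) triples; one <Entry> element each."""
    root = ET.Element("PolicyRule", Id=braced(rule_id))
    root.append(ET.Comment(f" {oma_uri('rule', rule_id)} "))
    ET.SubElement(root, "Name").text = name
    inc = ET.SubElement(root, "IncludedIdList")
    for gid in included:
        ET.SubElement(inc, "GroupId").text = braced(gid)
    exc = ET.SubElement(root, "ExcludedIdList")
    for gid in excluded:
        ET.SubElement(exc, "GroupId").text = braced(gid)
    for entry_type, options, mask in entries:
        # Deterministic per-entry id derived from the rule id (uuid5), so reruns are stable.
        entry = ET.SubElement(root, "Entry", Id=braced(uuid.uuid5(rule_id, entry_type)))
        ET.SubElement(entry, "Type").text = entry_type
        ET.SubElement(entry, "Options").text = str(options)
        ET.SubElement(entry, "AccessMask").text = str(mask)
    return ET.tostring(root, encoding="unicode")


def scenario_one() -> dict:
    """Scenario 1 below: deny Write/Execute on any removable storage except approved USBs; audit the approved ones."""
    return {
        "any_storage_group": build_group(ANY_STORAGE_GROUP, [
            ("PrimaryId", "RemovableMediaDevices"),
            ("PrimaryId", "CdRomDevices"),
            ("PrimaryId", "WpdDevices"),
        ]),
        "approved_usb_group": build_group(APPROVED_USB_GROUP, [
            # Constructed value; real DeviceId strings also contain '&'.
            ("DeviceId", "USBSTOR\\DISK&VEN_CONTOSO&PROD_FLASH&REV_1.00"),
        ]),
        "deny_rule": build_rule(DENY_RULE, "Block Write and Execute except approved USBs",
                                [ANY_STORAGE_GROUP], [APPROVED_USB_GROUP],
                                [("Deny", 0, WRITE_AND_EXECUTE)]),
        "audit_rule": build_rule(AUDIT_RULE, "Audit Write and Execute on approved USBs",
                                 [APPROVED_USB_GROUP], [],
                                 # Options 4 = send an audit event: assumption from the
                                 # schema documentation, not stated on this page.
                                 [("AuditAllowed", 4, WRITE_AND_EXECUTE)]),
    }


if __name__ == "__main__":
    for label, xml_text in scenario_one().items():
        print(f"== {label} ==\n{xml_text}\n")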


Scenarios (default enforcement)

Here are some common scenarios to help you become familiar with Microsoft Defender for Endpoint Removable Storage Access Control. The following samples do not use Default Enforcement, because Default Enforcement applies to printers as well as to removable storage.

Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

  1. Create groups.

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

      A screenshot showing removable storage

      Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

    2. Group 2: Approved USBs based on device properties.

      A screenshot of approved USBs

    Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

    Tip

    Replace & with &amp; in the value in the XML file.

  2. Create policy

    1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.

      A screenshot of policy 1

      Here's the sample file. See step 4 from the Deploy Removable Storage Access Control section to deploy the configuration.

    2. Policy 2: Audit Write and Execute access for allowed USBs.

      A screenshot of policy 2

    What does 54 mean in the policy? It's 18 + 36 = 54.

    • Write access: disk level 2 + file system level 16 = 18.
    • Execute: disk level 4 + file system level 32 = 36.

    Here's the sample file. See step 4 from the Deploy Removable Storage Access Control section to deploy the configuration.

Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

For this scenario, you need to create two groups: one group for any removable storage and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.

  1. Create groups

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

      A screenshot of group 1

      Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

    2. Group 2: Unapproved USBs based on device properties.

      A screenshot of group 2

    Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

    Tip

    Replace & with &amp; in the value in the XML file.

  2. Create policy

    1. Policy 1: Block Write and Execute access for the specific unapproved USBs.

      A screenshot of policy for blocking unapproved USBs

      Here's the sample file. See step 4 from the Deploy Removable Storage Access Control section to deploy the configuration.

    2. Policy 2: Audit Write and Execute access for others.

      A screenshot of audit write and execute access

    What does 54 mean in the policy? It's 18 + 36 = 54.

    • Write access: disk level 2 + file system level 16 = 18.
    • Execute: disk level 4 + file system level 32 = 36.

    Here's the sample file. See step 4 from the Deploy Removable Storage Access Control section to deploy the configuration.

Scenario 3: Block read and execute access to specific file extension

For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy: deny read and execute access to any file in the unallowed file extension group on the defined removable storage group.

  1. Create groups.

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

      A screenshot of group 1

      Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

    2. Group 2: Unallowed file extensions.

      Here's the sample file. See step 3 from the Deploy Removable Storage Access Control section to deploy the configuration.

      Tip

      Explicitly mark the Type attribute on the group as File.

  2. Create policy.

    1. Policy: Deny read and execute access to any file in the unallowed file extension group on the defined removable storage group.

      Screenshot of OMA-URI settings.

    What does 40 mean in the policy? It's 8 + 32 = 40.

    • Read: file system level 8; Execute: file system level 32. Only file system level access needs to be restricted here, so no disk level bits are set.

    Here's the sample file. See step 4 from the Deploy Removable Storage Access Control section to deploy the configuration.
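Scenarios 1 and 2 explain AccessMask 54 as 2 + 16 (Write) plus 4 + 32 (Execute), and Scenario 3 explains 40 as 8 + 32 (file system Read and Execute). The following Python is an added example, not code from this page or from Microsoft: it generalizes that arithmetic into an encoder and a decoder for the six bits the scenarios use, so a mask found in a deployed rule can be read back into named rights and an unexpected bit is flagged rather than silently accepted. Disk level Read = 1 is an assumption (the remaining low bit of the same scheme); the other five values come from the scenarios above.

```python
"""Encode and decode Device Control AccessMask values.

Added example, not from this page or Microsoft. Disk Write = 2, Disk Execute = 4,
File Read = 8, File Write = 16 and File Execute = 32 are the values used in the
scenarios above; Disk Read = 1 is assumed from the same bit layout.
"""
from typing import Iterable, List

ACCESS_BITS = {
    "DiskRead": 1,        # assumed, see module docstring
    "DiskWrite": 2,
    "DiskExecute": 4,
    "FileRead": 8,
    "FileWrite": 16,
    "FileExecute": 32,
}
KNOWN_MASK = sum(ACCESS_BITS.values())  # 63: every bit this table knows about


def access_mask(rights: Iterable[str], levels=("Disk", "File")) -> int:
    """Combine rights ('Read', 'Write', 'Execute') at the given levels into one mask."""
    mask = 0
    for level in levels:
        for right in rights:
            key = f"{level}{right}"
            if key not in ACCESS_BITS:
                raise ValueError(f"unknown access right: {key}")
            mask |= ACCESS_BITS[key]
    return mask


def decode_mask(mask: int) -> List[str]:
    """Return the named bits in a mask; refuse bits outside the known table."""
    if mask < 0 or mask & ~KNOWN_MASK:
        raise ValueError(f"mask {mask} has bits outside the known set {KNOWN_MASK}")
    return [name for name, bit in ACCESS_BITS.items() if mask & bit]


def explain(mask: int) -> str:
    """Render the page's own style of explanation, e.g. '54 = 2 + 4 + 16 + 32'."""
    parts = [str(ACCESS_BITS[name]) for name in decode_mask(mask)]
    return f"{mask} = {' + '.join(parts)}" if parts else f"{mask} = (no access)"


if __name__ == "__main__":
    print(explain(access_mask(["Write", "Execute"])))            # scenarios 1 and 2
    print(explain(access_mask(["Read", "Execute"], ("File",))))  # scenario 3
    print(decode_mask(54))
```

`decode_mask` is the half a reviewer actually uses: paste the AccessMask from a rule you are auditing and confirm it grants exactly the rights you intended at the level you intended.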

Deploy Removable Storage Access Control by using Intune user interface

This capability is available in the Microsoft Intune admin center (https://endpoint.microsoft.com/).

Go to Endpoint Security > Attack Surface Reduction > Create Policy. Choose Platform: Windows 10 and later with Profile: Device Control.

Scenarios (USB devices)

Here are some common scenarios to help you become familiar with Microsoft Defender for Endpoint Removable Storage Access Control. The following samples do not use Default Enforcement, because Default Enforcement applies to printers as well as to removable storage.

Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

  1. To set up the groups you'll need, go to Endpoint Security > Attack Surface Reduction > Reusable settings > Add. For more details, see DescriptorIdList in Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

    1. For group 1, configure any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots:

      Screenshot showing removable device settings.

      Screenshot showing additional removable device settings.

    2. For group 2, choose + Add to create another group for approved USBs, based on device properties, as shown in the following screenshot:

      Screenshot showing additional group for approved USB devices.

  2. To set up your policy, go to Endpoint Security > Attack Surface Reduction > Create Policy.

  3. Choose Platform: Windows 10 and later with Profile: Device Control. Select Device Control: Configured.

    1. Set up Policy 1: Audit Write and Execute access for allowed USBs.

      • Choose + Set reusable settings for Included ID and choose Select, as shown in the following screenshot:

        Screenshot showing auditing settings for policy 1.

      • Choose + Edit Entry for Entry, as shown in the following screenshot:

        Screenshot showing auditing settings being edited.

    2. Set up Policy 2. Choose + Add to create another policy for Block Write and Execute access for any removable storage group.

      • Choose + Set reusable settings for Included ID and choose Select, as shown in the following screenshot:

        Screenshot showing the ID for reusable settings.

      • Choose + Set reusable settings for Excluded ID to exclude authorized USBs, and then choose Select, as shown in the following screenshot:

        Screenshot showing excluded ID settings.

      • Choose + Edit Entry for Entry, as shown in the following screenshot:

        Screenshot showing editing an entry for policy 2.

Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

For this scenario, you need to create two groups: one group for any removable storage, and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group, and the other policy to deny the blocked USBs group.

  1. To create groups, go to Endpoint Security > Attack Surface Reduction > Reusable settings > Add. For more details, see DescriptorIdList in Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

    1. Group 1: Any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots:

      Screenshot showing removable storage example.

      And here's another example:

      Screenshot showing a second example of removable storage.

  2. To create your policy, go to Endpoint Security > Attack Surface Reduction > Create Policy. Choose Platform: Windows 10 and later with Profile: Device Control. Select Device Control: Configured.

    1. Policy 1: Block unauthorized USBs. Choose + Set reusable settings for Included ID and choose Select, as shown in the following screenshot:

      Screenshot showing the included ID for settings.

      Choose + Edit Entry for Entry, as shown in the following screenshot:

      Screenshot showing Entry being edited.

    2. Policy 2: Choose + Add to create another policy for 'Audit Write and Execute access for any removable storage group'. Choose + Set reusable settings for Included ID, and then choose Select, as shown in the following screenshot:

      Screenshot showing reusable settings.

      Choose + Set reusable settings for Excluded ID to exclude authorized USBs, and then choose Select, as shown in the following screenshot:

      Screenshot showing excluded ID in reusable settings.

      Choose + Edit Entry for Entry, as shown in the following screenshot:

      Screenshot showing edit mode for an entry.