Microsoft Defender for Endpoint Device Control Removable Storage Access Control

Applies to:

Note

The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint.

Overview

Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage with or without exclusions.

Privilege Permission
Access Read, Write, Execute
Action Mode Audit, Allow, Prevent
CSP Support Yes
GPO Support Yes
User-based Support Yes
Machine-based Support Yes

Prepare your endpoints

Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version 4.18.2103.3 or later.

  • 4.18.2104 or later: Add SerialNumberId, VID_PID, filepath-based GPO support, and ComputerSid

  • 4.18.2105 or later: Add Wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of specific user on specific machine, removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support

  • 4.18.2107 or later: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add AccountName into advanced hunting

  • 4.18.2205 or later: Expand the default enforcement to Printer. If you set it to Deny, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer

  • 4.18.2207 or later: Add File support, the common use case can be: block people from Read/Write/Execute access specific file on removable storage; add Network and VPN Connection support, the common use case can be: block people from access removable storage when the machine isn't connecting corporate network.

Screenshot of the PowerShell interface

Note

None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.

Device Control Removable Storage Access Control properties

The Removable Storage Access Control includes Removable storage group creation and access policy rule creation:

  • Removable storage group allows you to create group. For example, authorized USB group or encrypted USB group.
  • Access policy rule allows you to create policy to restrict each removable storage group. For example, only allow authorized user to Write access-authorized USB group.
  • To block a specific removable storage class but allow specific media, you can use IncludedIdList a group through PrimaryId and ExcludedIDList a group through DeviceId/HardwareId/etc. For more information, see Deploy Removable Storage Access Control by using Intune OMA-URI.

Here are the properties you can use when you create the group and policy XML files.

Group

Group includes following types:

  • Device: if there's an explicit type setting, this setting is the default, including removable storage and Printer.
  • Network
  • VPN Connection

The following table lists the properties you can use in Group:

Property Name Description Options
GroupId GUID, a unique ID, represents the group and will be used in the policy. You can generate ID through [PowerShell[(/powershell/module/microsoft.powershell.utility/new-guid)
Type The type of the group. File

Device

Note: Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File".

DescriptorIdList List the device properties you want to use to cover in the group. All properties are case sensitive. PrimaryId: The Primary ID includes RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices.

InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. It's the Device instance path in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*.

DeviceId: To transform Device instance path to Device ID format, see Standard USB Identifiers, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07

HardwareId: A string that identifies the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07. It's Hardware Ids in the Device Manager.
Note: Hardware ID isn't unique; different devices might share the same value.

FriendlyNameId: It's a string attached to the device, for example, Generic Flash Disk USB Device. It's the Friendly name in the Device Manager.

BusId: For example, USB, SCSI

SerialNumberId: You can find SerialNumberId from Device instance path in the Device Manager, for example, 03003324080520232521 is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0

VID_PID: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform Device instance path to Vendor ID and Product ID format, see Standard USB Identifiers. For example:
0751_55E0: match this exact VID/PID pair
_55E0: match any media with PID=55E0
0751_: match any media with VID=0751

NameId: The name of the Network or VPN Connection, support wildcard and only applicable for Network type or VPN Connection type Group.

NetworkCategoryId: only applicable for Network type Group and includes Public, Private, DomainAuthenticated.

NetworkDomainId: only applicable for Network type Group and includes NonDomain, Domain, DomainAuthenticated.

VPNConnectionStatusId: only applicable for VPN Connection type Group and includes Connected, Disconnected.

VPNServerAddressId: string, value of VPNServerAddress, support wildcard and only applicable for VPN Connection type Group.

VPNDnsSuffixId: string, value of VPNDnsSuffix, support wildcard and only applicable for VPN Connection type Group.

PathId: string, value of file path or name, support wildcard and only applicable for File type Group.

Note: See How do I find the media property in the Device Manager? to understand how to find the property in Device Manager.

MatchType When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. MatchAll: Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.

MatchAny: The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value.

MatchExcludeAll: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.

MatchExcludeAny: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.

Access policy rule

Every access policy rule called PolicyRule can be used to define access restriction for each group through multiple Entry.

The following table lists the properties you can use in PolicyRule:

Property Name Description Options
PolicyRule Id GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. You can generate ID through PowerShell
Name String, the name of the policy and will display on the toast based on the policy setting.
IncludedIdList The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. The Group ID/GUID must be used at this instance.

The following example shows the usage of GroupID:

<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>

ExcludedIDList The group(s) that the policy won't be applied to. The Group ID/GUID must be used at this instance.
Entry One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction. See Entry properties table below to get details.

The following table lists the properties you can use in Entry:

Property Name Description Options
Entry Id GUID, a unique ID, represents the entry and will be used in the reporting and troubleshooting. You can generate ID through PowerShell
Type Defines the action for the removable storage groups in IncludedIDList.

Enforcement: Allow or Deny

Audit: AuditAllowed or AuditDenied

Allow

Deny

AuditAllowed: Defines notification and event when access is allowed

AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry.

When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is Allow and Deny.

Sid Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Azure AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.
ComputerSid Local computer Sid or computer Sid group or the Sid of the AD object or the Object Id of the AAD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry.
Options Defines whether to display notification or not When Type Allow is selected:

0: nothing

4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and the AuditAllowed is setting configured, the system won't send event.

8: create a copy of the file as evidence, and fire "RemovableStorageFileEvent" event, this has to be used together with 'Set location for a copy of the file' setting through Intune or Group Policy.

When Type Deny is selected:

0: nothing

4: disable AuditDenied for this Entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notification.

When Type AuditAllowed is selected:

0: nothing

1: nothing

2: send event

When Type AuditDenied is selected:

0: nothing

1: show notification

2: send event

3: show notification and send event

AccessMask Defines the access. Disk level access:

1: Read

2: Write

4: Execute

File system level access:

8: File system Read

16: File system Write

32: File system Execute

You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.

Parameters Condition for this Entry, for example Network condition. Can add groups (non Devices type) or even put Parameters into Parameters. See Parameters properties table below to get details.

The following table lists the properties you can use in Parameters:

Property Name Description Options
MatchType When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. MatchAll: Any attributes under the DescriptorIdList will be And relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.

MatchAny: The attributes under the DescriptorIdList will be Or relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical DeviceID or InstanceID value.

MatchExcludeAll: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value.

MatchExcludeAny: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.

File

VPN Connection

Network

You can use one or multiple File or Network or VPN Connection group(s) as parameter for this Entry, and then define MatchType for the relationship between those groups.
Parameters You can embed Parameters inside Parameters with MatchType.

For specific guidance, see:

Article Description
Deploying Removable Storage Access Control by using Group Policy Use Group Policy to deploy the policy.
Deploying Removable Storage Access Control by using Intune OMA-URI Use Intune to deploy the policy.

View data in Microsoft Defender for Endpoint

The Microsoft 365 Defender portal shows events triggered by the Device Control Removable Storage Access Control. To access the Microsoft 365 security, you must have the following subscription:

  • Microsoft 365 for E5 reporting

If AuditAllowed or AuditDenied is configured in your policy and Send event is selected in Options, an event will be sent to Advanced hunting or the Device control report for every covered access (AccessMask in the entry), regardless of whether it was initiated by the system or by the user who signed in.

//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc
//information of the evidence file
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed=parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
| order by Timestamp desc