Microsoft Defender for Endpoint Device Control Removable Storage Access Control

Note

The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint.

Overview

The Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent Read, Write, or Execute access to removable storage, with or without exclusions.

Privilege / Permission
  Access: Read, Write, Execute
  Action Mode: Audit, Allow, Prevent
  CSP Support: Yes
  GPO Support: Yes
  User-based Support: Yes
  Machine-based Support: Yes

Prepare your endpoints

Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version 4.18.2103.3 or later.

  • 4.18.2104 or later: Add SerialNumberId, VID_PID, filepath-based GPO support, and ComputerSid.

  • 4.18.2105 or later: Add wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of a specific user on a specific machine, and removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support.

  • 4.18.2107 or later: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add AccountName into advanced hunting.

  • 4.18.2205 or later: Expand the default enforcement to Printer. If you set it to Deny, it blocks Printer as well, so if you only want to manage storage, make sure to create a custom policy that allows Printer.

  • 4.18.2207 or later: Add File support; a common use case is blocking Read/Write/Execute access to specific files on removable storage. Add Network and VPN Connection support; a common use case is blocking access to removable storage when the machine isn't connected to the corporate network.

Screenshot of the PowerShell interface

Note

None of the Windows Security components need to be active; Removable Storage Access Control runs independently of the Windows Security status.

Device Control Removable Storage Access Control properties

Removable Storage Access Control consists of removable storage group creation and access policy rule creation:

  • A removable storage group lets you define a group of devices, for example an authorized USB group or an encrypted USB group.
  • An access policy rule lets you create a policy that restricts each removable storage group, for example allowing only authorized users Write access to the authorized USB group.
  • To block a specific removable storage class but allow specific media, put a group defined through PrimaryId in IncludedIdList and a group defined through DeviceId/HardwareId/etc. in ExcludedIdList. For more information, see Deploy Removable Storage Access Control by using Intune OMA-URI.

Here are the properties you can use when you create the group and policy XML files.

Group

Group includes the following types:

  • Device: if there's no explicit Type setting, this is the default; it includes removable storage and Printer.
  • Network
  • VPN Connection

The following table lists the properties you can use in Group:

GroupId: GUID, a unique ID that represents the group and is used in the policy. You can generate the ID through PowerShell.

Type: The type of the group. Options: File, Device.
Note: The default type is Device, which includes removable storage and printer. For any other group you define in your Group setting, make sure to mark Type explicitly, for example, Type="File".

DescriptorIdList: Lists the device properties used to define which devices the group covers. All properties are case sensitive. Options:

PrimaryId: The Primary ID includes RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices.

InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. It's the Device instance path in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*.

DeviceId: To transform Device instance path to Device ID format, see Standard USB Identifiers, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07

HardwareId: A string that identifies the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07. It's Hardware Ids in the Device Manager.
Note: Hardware ID isn't unique; different devices might share the same value.

FriendlyNameId: It's a string attached to the device, for example, Generic Flash Disk USB Device. It's the Friendly name in the Device Manager.

BusId: For example, USB, SCSI

SerialNumberId: You can find SerialNumberId from Device instance path in the Device Manager, for example, 03003324080520232521 is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0

VID_PID: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcards. To transform a Device instance path to Vendor ID and Product ID format, see Standard USB Identifiers. For example:
  0751_55E0: match this exact VID/PID pair
  _55E0: match any media with PID=55E0
  0751_: match any media with VID=0751

NameId: The name of the Network or VPN Connection; supports wildcards and is only applicable for Network type or VPN Connection type Groups.

NetworkCategoryId: Only applicable for Network type Groups; includes Public, Private, DomainAuthenticated.

NetworkDomainId: Only applicable for Network type Groups; includes NonDomain, Domain, DomainAuthenticated.

VPNConnectionStatusId: Only applicable for VPN Connection type Groups; includes Connected, Disconnected.

VPNServerAddressId: String, the value of VPNServerAddress; supports wildcards and is only applicable for VPN Connection type Groups.

VPNDnsSuffixId: String, the value of VPNDnsSuffix; supports wildcards and is only applicable for VPN Connection type Groups.

PathId: String, a file path or name; supports wildcards and is only applicable for File type Groups.

Note: See How do I find the media property in the Device Manager? to understand how to find the property in Device Manager.

MatchType: When multiple device properties are used in the DescriptorIdList, MatchType defines the relationship between them. Options:

MatchAll: The attributes under the DescriptorIdList are combined with AND; for example, if the administrator puts DeviceID and InstancePathID, for every connected USB the system checks whether the USB meets both values.

MatchAny: The attributes under the DescriptorIdList are combined with OR; for example, if the administrator puts DeviceID and InstancePathID, for every connected USB the system enforces the policy as long as the USB has either an identical DeviceID or an identical InstanceID value.

MatchExcludeAll: The attributes under the DescriptorIdList are combined with AND, and any item that does NOT meet them is covered. For example, if the administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB the system enforces the policy as long as the USB doesn't have both an identical DeviceID and an identical InstanceID value.

MatchExcludeAny: The attributes under the DescriptorIdList are combined with OR, and any item that does NOT meet them is covered. For example, if the administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB the system enforces the policy as long as the USB doesn't have either an identical DeviceID or an identical InstanceID value.
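As an added illustration (not code from this page or from the product), the following Python model evaluates a DescriptorIdList against one device's properties under each of the four MatchType values, using case-sensitive wildcard matching; the VID_PID handling follows the three forms listed above, and the sample device is constructed from the example identifiers in the table.

```python
from fnmatch import fnmatchcase

# Constructed sample device, built from the example identifiers in the
# DescriptorIdList table above (all values are case sensitive).
SAMPLE_DEVICE = {
    "PrimaryId": "RemovableMediaDevices",
    "InstancePathId": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0",
    "DeviceId": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07",
    "HardwareId": r"USBSTOR\DiskGeneric_Flash_Disk___8.07",
    "FriendlyNameId": "Generic Flash Disk USB Device",
    "BusId": "USB",
    "VID_PID": "0751_55E0",
}

def descriptor_matches(name, pattern, value):
    """Case-sensitive wildcard match of one descriptor against the device value.
    VID_PID is special: an empty VID or PID side ('_55E0', '0751_') matches any."""
    if name == "VID_PID":
        vid, _, pid = pattern.partition("_")
        dev_vid, _, dev_pid = value.partition("_")
        return ((not vid or fnmatchcase(dev_vid, vid))
                and (not pid or fnmatchcase(dev_pid, pid)))
    return fnmatchcase(value, pattern)

def group_covers(device, descriptors, match_type):
    """descriptors: list of (property name, pattern) pairs as in a DescriptorIdList.
    Returns True when a Group with this MatchType covers the device."""
    hits = [descriptor_matches(n, p, device.get(n, "")) for n, p in descriptors]
    if match_type == "MatchAll":         # every descriptor must match (AND)
        return all(hits)
    if match_type == "MatchAny":         # at least one descriptor matches (OR)
        return any(hits)
    if match_type == "MatchExcludeAll":  # covered unless ALL descriptors match
        return not all(hits)
    if match_type == "MatchExcludeAny":  # covered only if NO descriptor matches
        return not any(hits)
    raise ValueError(f"unknown MatchType: {match_type!r}")

# Two descriptors: the page's DeviceId plus a trailing-wildcard InstancePathId,
# as the table recommends (the slot number at the end may change).
KNOWN_STICK = [
    ("DeviceId", r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07"),
    ("InstancePathId", r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*"),
]
```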

Access policy rule

Every access policy rule, called a PolicyRule, defines access restrictions for each group through one or more Entry elements.

The following table lists the properties you can use in PolicyRule:

PolicyRule Id: GUID, a unique ID that represents the policy and is used in reporting and troubleshooting. You can generate the ID through PowerShell.

Name: String, the name of the policy; it is displayed on the toast notification based on the policy setting.

IncludedIdList: The group(s) that the policy is applied to. If multiple groups are added, the media must be a member of each group in the list to be included. The Group ID/GUID must be used here.

The following example shows the usage of GroupId:

  <IncludedIdList>
    <GroupId>{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId>
  </IncludedIdList>

ExcludedIdList: The group(s) that the policy won't be applied to. If multiple groups are added, the media must be a member of a group in the list to be excluded. The Group ID/GUID must be used here.

Entry: One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction. See the Entry properties table below for details.

The following table lists the properties you can use in Entry:

Entry Id: GUID, a unique ID that represents the entry and is used in reporting and troubleshooting. You can generate the ID through PowerShell.

Type: Defines the action for the removable storage groups in IncludedIdList. Options:

  Enforcement: Allow or Deny

  Audit: AuditAllowed or AuditDenied

  AuditAllowed: Defines the notification and event when access is allowed.

  AuditDenied: Defines the notification and event when access is denied; has to work together with a Deny entry.

When there are conflicting types for the same media, the system applies the first one in the policy. An example of a conflict is Allow and Deny.

Sid: Local user SID, user group SID, the SID of the AD object, or the Object ID of the Azure AD object; defines whether to apply this policy to a specific user or user group. One entry can have at most one SID, and an entry without any SID applies the policy to the machine.

ComputerSid: Local computer SID, computer group SID, the SID of the AD object, or the Object ID of the Azure AD object; defines whether to apply this policy to a specific machine or machine group. One entry can have at most one ComputerSID, and an entry without any ComputerSID applies the policy to the machine. If you want to apply an Entry to a specific user and a specific machine, add both SID and ComputerSID to the same Entry.
Options: Defines whether to display a notification or not.

When Type Allow is selected:
  0: nothing
  4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and AuditAllowed is configured, the system won't send an event.
  8: create a copy of the file as evidence and fire the "RemovableStorageFileEvent" event; this has to be used together with the 'Set location for a copy of the file' setting through Intune or Group Policy.

When Type Deny is selected:
  0: nothing
  4: disable AuditDenied for this Entry. Even if Block happens and AuditDenied is configured, the system won't show a notification.

When Type AuditAllowed is selected:
  0: nothing
  1: nothing
  2: send event

When Type AuditDenied is selected:
  0: nothing
  1: show notification
  2: send event
  3: show notification and send event

AccessMask: Defines the access.

Disk level access:
  1: Read
  2: Write
  4: Execute

File system level access:
  8: File system Read
  16: File system Write
  32: File system Execute

You can combine multiple access types with a bitwise OR; for example, the AccessMask for Read, Write, and Execute is 7, and the AccessMask for Read and Write is 3.

Parameters: Condition for this Entry, for example a Network condition. You can add groups (of non-Device type) or even nest Parameters inside Parameters. See the Parameters properties table below for details.

The following table lists the properties you can use in Parameters:

MatchType: When multiple device properties are used in the DescriptorIdList, MatchType defines the relationship between them. Options:

MatchAll: The attributes under the DescriptorIdList are combined with AND; for example, if the administrator puts DeviceID and InstancePathID, for every connected USB the system checks whether the USB meets both values.

MatchAny: The attributes under the DescriptorIdList are combined with OR; for example, if the administrator puts DeviceID and InstancePathID, for every connected USB the system enforces the policy as long as the USB has either an identical DeviceID or an identical InstanceID value.

MatchExcludeAll: The attributes under the DescriptorIdList are combined with AND, and any item that does NOT meet them is covered. For example, if the administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB the system enforces the policy as long as the USB doesn't have both an identical DeviceID and an identical InstanceID value.

MatchExcludeAny: The attributes under the DescriptorIdList are combined with OR, and any item that does NOT meet them is covered. For example, if the administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB the system enforces the policy as long as the USB doesn't have either an identical DeviceID or an identical InstanceID value.

File, Network, VPN Connection: You can use one or multiple File, Network, or VPN Connection group(s) as a parameter for this Entry, and then define MatchType for the relationship between those groups.

Parameters: You can embed Parameters inside Parameters with MatchType.
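As an added example (not the product's own code or schema), this Python snippet composes and decodes AccessMask values, emits a PolicyRule whose elements are named after the PolicyRule and Entry properties above, and flags two pitfalls the tables describe; the enclosing PolicyRules element and the reading of an Allow/Deny conflict as overlapping AccessMask bits are assumptions.

```python
import uuid
import xml.etree.ElementTree as ET

# AccessMask bit values from the Entry table above.
ACCESS_BITS = {"Read": 1, "Write": 2, "Execute": 4,
               "FsRead": 8, "FsWrite": 16, "FsExecute": 32}

def access_mask(*names):
    """Combine access types with bitwise OR: ('Read', 'Write', 'Execute') -> 7."""
    return sum(ACCESS_BITS[n] for n in set(names))

def decode_access_mask(mask):
    """List the access types encoded in an AccessMask value."""
    return [n for n, bit in ACCESS_BITS.items() if mask & bit]

def new_guid():
    # Same shape as the GroupId example on this page: braces, upper case.
    return "{" + str(uuid.uuid4()).upper() + "}"

def build_policy_rule(name, group_ids, entries):
    """entries: list of (Type, Options, AccessMask) tuples.
    Element names are the PolicyRule/Entry property names from the tables above;
    the enclosing <PolicyRules> element is an assumption (check Microsoft's sample files)."""
    root = ET.Element("PolicyRules")
    rule = ET.SubElement(root, "PolicyRule", Id=new_guid())
    ET.SubElement(rule, "Name").text = name
    included = ET.SubElement(rule, "IncludedIdList")
    for gid in group_ids:
        ET.SubElement(included, "GroupId").text = gid
    ET.SubElement(rule, "ExcludedIdList")
    for entry_type, options, mask in entries:
        entry = ET.SubElement(rule, "Entry", Id=new_guid())
        ET.SubElement(entry, "Type").text = entry_type
        ET.SubElement(entry, "Options").text = str(options)
        ET.SubElement(entry, "AccessMask").text = str(mask)
    return ET.tostring(root, encoding="unicode")

def lint_entries(entries):
    """Flag two pitfalls the tables call out: an AuditDenied entry needs a Deny entry,
    and conflicting Allow/Deny entries (assumed here: overlapping AccessMask bits)
    resolve to whichever comes first in the policy."""
    types = [t for t, _, _ in entries]
    problems = []
    if "AuditDenied" in types and "Deny" not in types:
        problems.append("AuditDenied entry without a Deny entry")
    allow = [m for t, _, m in entries if t == "Allow"]
    deny = [m for t, _, m in entries if t == "Deny"]
    if any(a & d for a in allow for d in deny):
        problems.append("Allow and Deny overlap; the first entry in the policy wins")
    return problems
```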

For specific guidance, see:

  • Deploying Removable Storage Access Control by using Group Policy: Use Group Policy to deploy the policy.
  • Deploying Removable Storage Access Control by using Intune OMA-URI: Use Intune to deploy the policy.

View data in Microsoft Defender for Endpoint

The Microsoft 365 Defender portal shows events triggered by Device Control Removable Storage Access Control. To access the Microsoft 365 Defender portal, you must have one of the following subscriptions:

  • Microsoft 365 E5
  • Microsoft Defender for Endpoint Plan 2

If AuditAllowed or AuditDenied is configured in your policy and Send event is selected in Options, an event will be sent to Advanced hunting or the Device control report for every covered access (AccessMask in the entry), regardless of whether it was initiated by the system or by the user who signed in.

//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc

//information of the evidence file
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed=parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
| order by Timestamp desc

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.