Scenario 5 Block Wirte and Execute but allow specific user access and approved USB.md
Device control policy sample: Scenario 5

Description: This policy blocks write and execute access to removable storage, CD/DVD and WPD devices, except for a specific user and an approved USB device.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Rule: Block Wirte and Execute but allow specific user and approved USB

  • Included devices: Group: Any Removable Storage and CD-DVD and WPD Group_1
  • Excluded devices: Group: Approved USBs Group_1

| Rule Type | Disk Read | Disk Write | Disk Execute | File Read | File Write | File Execute | Notification | Conditions |
|---|---|---|---|---|---|---|---|---|
| Allow | - | 📄 | 📄 | - | - | - | None (0) | User: xxxxxxxx |
| Audit Allowed | - | 📄 | 📄 | - | - | - | Send event (2) | User: xxxxxxxx |
| Deny | - | 📄 | 📄 | - | - | - | None (0) | - |
| Audit Denied | - | 📄 | 📄 | - | - | - | Show notification and Send event (3) | - |

Groups

Any Removable Storage and CD-DVD and WPD Group_1

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
|---|---|
| PrimaryId | RemovableMediaDevices |
| PrimaryId | CdRomDevices |
| PrimaryId | WpdDevices |

```xml
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>
```

Approved USBs Group_1

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
|---|---|
| InstancePathId | USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0 |

```xml
<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
	<Name>Approved USBs Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
	</DescriptorIdList>
</Group>
```

Settings

| Setting Name | Setting Value | Description | Documentation |
|---|---|---|---|
| DefaultEnforcement | Deny | Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. | documentation |
| DeviceControlEnabled | True | Enables/disables device control | documentation |
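As an added example (not code from the mdatp-devicecontrol repository), the Python below models how the two groups, the rule's entries and the access mask combine for a single request. It assumes Allow/Deny entries are tried in document order with the first match deciding, which is the ordering this scenario depends on, and returns None where no entry covers the request so that DefaultEnforcement (Deny in this sample) decides, as the Settings table describes; the device dictionaries and SIDs in the usage are constructed.

```python
# Added example, not part of the mdatp-devicecontrol samples: an offline model of how the
# Scenario 5 groups and rule combine. Assumptions: Allow/Deny entries are tried in document
# order and the first match decides; a request no entry covers returns None (DefaultEnforcement).
import xml.etree.ElementTree as ET

DISK_READ, DISK_WRITE, DISK_EXECUTE = 1, 2, 4  # access-mask bits; 6 = write + execute
ALLOWED_SID = "xxxxxxxx"                       # placeholder SID, exactly as the sample leaves it

GROUPS_XML = r"""<Groups>
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device"><MatchType>MatchAny</MatchType>
<DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId><PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId></DescriptorIdList></Group>
<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device"><MatchType>MatchAny</MatchType>
<DescriptorIdList><InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId></DescriptorIdList></Group>
</Groups>"""
RULES_XML = """<PolicyRules><PolicyRule Id="{83c390b6-b01e-4d83-8834-c8015a2316f2}">
<IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
<ExcludedIdList><GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId></ExcludedIdList>
<Entry><Type>Allow</Type><AccessMask>6</AccessMask><Options>0</Options><Sid>xxxxxxxx</Sid></Entry>
<Entry><Type>AuditAllowed</Type><AccessMask>6</AccessMask><Options>2</Options><Sid>xxxxxxxx</Sid></Entry>
<Entry><Type>Deny</Type><AccessMask>6</AccessMask><Options>0</Options></Entry>
<Entry><Type>AuditDenied</Type><AccessMask>6</AccessMask><Options>3</Options></Entry>
</PolicyRule></PolicyRules>"""

def load_groups(xml_text):
    """Map each group Id to its descriptors as (tag, value) pairs."""
    return {g.get("Id"): {(d.tag, d.text) for d in g.find("DescriptorIdList")}
            for g in ET.fromstring(xml_text).iter("Group")}

def in_any(device, groups, id_elems):
    """True if the device (a tag -> value dict) matches any referenced group (MatchAny)."""
    return any(any(device.get(t) == v for t, v in groups[e.text]) for e in id_elems)

def evaluate(device, sid, access, groups_xml=GROUPS_XML, rules_xml=RULES_XML):
    """'Allow'/'Deny' from the first matching entry, or None if no entry applies."""
    groups = load_groups(groups_xml)
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        if not in_any(device, groups, rule.findall("IncludedIdList/GroupId")):
            continue
        if in_any(device, groups, rule.findall("ExcludedIdList/GroupId")):
            continue                      # the approved USB is carved out of this rule
        for entry in rule.iter("Entry"):
            kind = entry.findtext("Type")
            if kind not in ("Allow", "Deny"):
                continue                  # Audit* entries only add events/notifications
            if not int(entry.findtext("AccessMask")) & access:
                continue                  # entry does not cover this access
            entry_sid = entry.findtext("Sid")
            if entry_sid is None or entry_sid == sid:
                return kind
    return None                           # nothing matched: DefaultEnforcement decides
```

Under this model, reads and every access on the excluded approved USB fall through to DefaultEnforcement, which is worth confirming against the intended behaviour before deploying with DefaultEnforcement set to Deny.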

Files

This policy is based on information in the following files:

Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

Windows

Intune UX

Create a reusable setting for Any Removable Storage and CD-DVD and WPD Group_1
  1. Navigate to Home > Endpoint Security > Attack Surface Reduction

  2. Click on Reusable Settings

  3. Click (+) Add

  4. Enter Any Removable Storage and CD-DVD and WPD Group_1 as the name.

  5. Optionally, enter a description

  6. Click on "Next"

  7. Set the match type toggle to MatchAny

  8. Click "Next"

  9. Click "Add"

Create a reusable setting for Approved USBs Group_1
  1. Navigate to Home > Endpoint Security > Attack Surface Reduction

  2. Click on Reusable Settings

  3. Click (+) Add

  4. Enter Approved USBs Group_1 as the name.

  5. Optionally, enter a description

  6. Click on "Next"

  7. Set the match type toggle to MatchAny

  8. Click "Next"

  9. Click "Add"

Create a Device Control Rules configuration profile
  1. Navigate to Home > Endpoint Security > Attack Surface Reduction
  2. Click on "Create Policy"
  3. Under Platform, select "Windows 10 and later"
  4. Under Profile, select "Device Control Rules"
  5. Click "Create"
  6. Under Name, enter **
  7. Optionally, enter a description
  8. Click "Next"
Add a rule for Block Wirte and Execute but allow specific user and approved USB to the policy
  1. Click on "+ Set reusable settings" under Included Id

  2. Click on Any Removable Storage and CD-DVD and WPD Group_1

  3. Click on "Select"

  4. Click on "+ Set reusable settings" under Excluded Id

  5. Click on Approved USBs Group_1

  6. Click on "Select"

  7. Click on "+ Edit Entry"

  8. Enter Block Wirte and Execute but allow specific user and approved USB for the name

  9. Select Allow from "Type"

  10. Select None from "Options"

  11. Select Write and Execute from "Access mask"

  12. Enter xxxxxxxx for "Sid"

  13. Add another entry. Click on "+ Add"

  14. Select Audit Allowed from "Type"

  15. Select Send event from "Options"

  16. Select Write and Execute from "Access mask"

  17. Enter xxxxxxxx for "Sid"

  18. Add another entry. Click on "+ Add"

  19. Select Deny from "Type"

  20. Select None from "Options"

  21. Select Write and Execute from "Access mask"

  22. Add another entry. Click on "+ Add"

  23. Select Audit Denied from "Type"

  24. Select Show notification and Send event from "Options"

  25. Select Write and Execute from "Access mask"

  26. Click "OK"

Group Policy (GPO)

Define device control policy groups
  1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
  2. Save the XML below to a network share.

```xml
<Groups>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
	<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
		<Name>Approved USBs Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
		</DescriptorIdList>
	</Group>
</Groups>
```

  3. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
Define device control policy rules
  1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
  2. Save the XML below to a network share.

```xml
<PolicyRules>
	<PolicyRule Id="{83c390b6-b01e-4d83-8834-c8015a2316f2}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B83c390b6-b01e-4d83-8834-c8015a2316f2%7D/RuleData -->
		<Name>Block Wirte and Execute but allow specific user and approved USB</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
			<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
		</ExcludedIdList>
		<Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
			<Type>Allow</Type>
			<AccessMask>6</AccessMask>
			<Options>0</Options>
			<Sid>xxxxxxxx</Sid>
		</Entry>
		<Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}">
			<Type>AuditAllowed</Type>
			<AccessMask>6</AccessMask>
			<Options>2</Options>
			<Sid>xxxxxxxx</Sid>
		</Entry>
		<Entry Id="{07234f5c-304f-4073-a332-2434cd269816}">
			<Type>Deny</Type>
			<AccessMask>6</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{b2827dd5-db81-48d8-8cde-fb2c84a8367f}">
			<Type>AuditDenied</Type>
			<AccessMask>6</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
```

  3. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

Intune Custom Settings

Create custom intune configuration
  1. Navigate to Devices > Configuration profiles
  2. Click Create (New Policy)
  3. Select Platform "Windows 10 and Later"
  4. Select Profile "Templates"
  5. Select Template Name "Custom"
  6. Click "Create"
  7. Under Name, enter **
  8. Optionally, enter a description
  9. Click "Next"
Add a row for Block Wirte and Execute but allow specific user and approved USB
  1. Click "Add"

  2. For Name, enter Block Wirte and Execute but allow specific user and approved USB

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B83c390b6-b01e-4d83-8834-c8015a2316f2%7D/RuleData

  5. For Data type, select String (XML File)

  6. For Custom XML, select windows/device/Intune OMA-URI/Scenario 5 Block Wirte and Execute but allow specific user access and approved USB.xml

  7. Click "Save"

Add a row for Any Removable Storage and CD-DVD and WPD Group_0
  1. Click "Add"

  2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData

  5. For Data type, select String (XML File)

  6. For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml

  7. Click "Save"

Add a row for Approved USBs Group_0
  1. Click "Add"

  2. For Name, enter Approved USBs Group_0

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData

  5. For Data type, select String (XML File)

  6. For Custom XML, select windows/device/Intune OMA-URI/Approved USBs Group.xml

  7. Click "Save"

Add a row for DefaultEnforcement
  1. Click "Add"

  2. For Name, enter DefaultEnforcement

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

  5. For Data type, select Integer

  6. For Value, enter 2

  7. Click "Save"

Add a row for DeviceControlEnabled
  1. Click "Add"

  2. For Name, enter DeviceControlEnabled

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

  5. For Data type, select Integer

  6. For Value, enter 1

  7. Click "Save"