Skip to content

Latest commit

 

History

History
249 lines (180 loc) · 7.13 KB

Scenario 7 WPD Policy Sample, e.md

File metadata and controls

249 lines (180 loc) · 7.13 KB
Raw

Device control policy sample: Scenario 7

Description: This is a policy.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Name Devices Rule Type Access Notification Conditions
Included Excluded Disk Read Disk Write Disk Execute File Read File Write File Execute
Deny Wpd Write
  • PrimaryId: WpdDevices
  • DeviceId: USB\VID_04E8&PID_6860&MS_COMP_MTP&SAMSUNG_ANDROID
Deny - - - - - None (0) -
Audit Denied - 📄 - - - - Show notification and Send event (3) -

Groups

Settings

Setting Name Setting Value Description Documentation
DefaultEnforcement Deny Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. documentation
DeviceControlEnabled True Enables/disables device control documentation

Files

This policy is based on information in the following files:

Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

Windows

Intune UX

Create a Device Control Rules configuration profile
  1. Navigate to Home > Endpoint Security > Attack Surface Reduction
  2. Click on "Create Policy"
  3. Under Platform, select "Windows 10 and later"
  4. Under Profile, select "Device Control Rules"
  5. Click "Create"
  6. Under Name, enter **
  7. Optionally, enter a description
  8. Click "Next"
Add a rule for Deny Wpd Write to the policy

  1. Click on "+ Edit Entry"

  2. Enter Deny Wpd Write for the name

  3. Select Deny from "Type"

  4. Select None from "Options"

  5. Select Write from "Access mask"

  6. Add another entry. Click on "+ Add"

  7. Select Audit Denied from "Type"

  8. Select Show notification and Send event from "Options"

  9. Select Write from "Access mask"

  10. Click "OK"

Group Policy (GPO)

Define device control policy groups
  1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
  2. Save the XML below to a network share.
<Groups>
</Groups>
  1. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
Define device control policy rules
  1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
  2. Save the XML below to a network share.
<PolicyRules>
	<PolicyRule Id="{b8615f3d-a41e-4c70-a70a-88e7b7aa7768}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb8615f3d-a41e-4c70-a70a-88e7b7aa7768%7D/RuleData -->
		<Name>Deny Wpd Write</Name>
		<IncludedIdList>
			<PrimaryId>WpdDevices</PrimaryId>
		</IncludedIdList>
		<ExcludedIdList>
			<DeviceId>USB\VID_04E8&PID_6860&MS_COMP_MTP&SAMSUNG_ANDROID</DeviceId>
		</ExcludedIdList>
		<Entry Id="{ae40741a-cc96-42b7-9dab-f5ba59adef8a}">
			<Type>Deny</Type>
			<AccessMask>2</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{ae40741a-cc96-42b7-9dab-f5ba59adef8a}">
			<Type>AuditDenied</Type>
			<AccessMask>2</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
  1. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

Intune Custom Settings

Create custom intune configuration
  1. Navigate to Devices > Configuration profiles
  2. Click Create (New Policy)
  3. Select Platform "Windows 10 and Later"
  4. Select Profile "Templates"
  5. Select Template Name "Custom"
  6. Click "Create"
  7. Under Name, enter **
  8. Optionally, enter a description
  9. Click "Next"
Add a row for Deny Wpd Write

  1. Click "Add"

  2. For Name, enter Deny Wpd Write

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb8615f3d-a41e-4c70-a70a-88e7b7aa7768%7D/RuleData

  5. For Data type, select String (XML File)

  6. For Custom XML, select windows/device/Intune OMA-URI/Scenario 7 WPD Policy Sample, e.g. iPhone.xml

  7. Click "Save"

Add a row for DefaultEnforcement

  1. Click "Add"

  2. For Name, enter DefaultEnforcement

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

  5. For Data type, select Integer

  6. For Value, enter 2

  7. Click "Save"

Add a row for DeviceControlEnabled

  1. Click "Add"

  2. For Name, enter DeviceControlEnabled

  3. For Description, enter **

  4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

  5. For Data type, select Integer

  6. For Value, enter 1

  7. Click "Save"