deny_all_rules.md

File metadata and controls

316 lines (231 loc) · 9.25 KB

# Device control policy sample: Step 1 - Deny all access

Description: A sample policy
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

## Policy Rules

| Name | Devices Included | Devices Excluded | Rule Type | Disk Read | Disk Write | Disk Execute | File Read | File Write | File Execute | Notification | Conditions |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Audit Deny | All removable media devices | - | Deny | 📄 | 📄 | 📄 | - | - | - | None (0) | - |
| | | | Audit Denied | 📄 | 📄 | 📄 | - | - | - | Show notification and Send event (3) | - |

## Groups

### All removable media devices

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
|---|---|
| PrimaryId | RemovableMediaDevices |

```xml
<Group Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd8819053-24f4-444a-a0fb-9ce5a9e97862%7D/GroupData -->
	<Name>All removable media devices</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
	</DescriptorIdList>
</Group>
```

## Settings

| Setting Name | Setting Value | Documentation |
|---|---|---|
| DefaultEnforcement | Deny | documentation |
| DeviceControlEnabled | True | documentation |

## Files

This policy is based on information in the following files:

## Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

### Windows

#### Intune UX

##### Create a reusable setting for All removable media devices

1. Navigate to Home > Endpoint Security > Attack Surface Reduction
2. Click on Reusable Settings
3. Click (+) Add
4. Enter All removable media devices for the name.
5. Optionally, enter a description
6. Click on "Next"
7. Set the match type toggle to MatchAny
8. Click "Next"
9. Click "Add"

##### Create a Device Control Rules configuration profile

1. Navigate to Home > Endpoint Security > Attack Surface Reduction
2. Click on "Create Policy"
3. Under Platform, select "Windows 10 and later"
4. Under Profile, select "Device Control Rules"
5. Click "Create"
6. Under Name, enter **
7. Optionally, enter a description
8. Click "Next"

##### Add a rule for Audit Deny to the policy

1. Click on "+ Set reusable settings" under Included Id
2. Click on All removable media devices
3. Click on "Select"
4. Click on "+ Edit Entry"
5. Enter Audit Deny for the name
6. Select Deny from "Type"
7. Select None from "Options"
8. Select Read, Write and Execute from "Access mask"
9. Add another entry. Click on "+ Add"
10. Select Audit Denied from "Type"
11. Select Show notification and Send event from "Options"
12. Select Read, Write and Execute from "Access mask"
13. Click "OK"

#### Group Policy (GPO)

##### Define device control policy groups

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
2. Save the XML below to a network share.

```xml
<Groups>
	<Group Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd8819053-24f4-444a-a0fb-9ce5a9e97862%7D/GroupData -->
		<Name>All removable media devices</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
</Groups>
```

3. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.

##### Define device control policy rules

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
2. Save the XML below to a network share.

```xml
<PolicyRules>
	<PolicyRule Id="{d8e6f56c-f4c1-4875-ac45-51ad75d4580e}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bd8e6f56c-f4c1-4875-ac45-51ad75d4580e%7D/RuleData -->
		<Name>Audit Deny</Name>
		<IncludedIdList>
			<GroupId>{d8819053-24f4-444a-a0fb-9ce5a9e97862}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{ad059b6f-bc9d-44e4-8ab9-907d7d00fc97}">
			<Type>Deny</Type>
			<AccessMask>7</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{4cf50b77-0152-4999-8d82-6f6afdf27b0b}">
			<Type>AuditDenied</Type>
			<AccessMask>7</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
```

3. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.
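Before placing the groups and rules XML on the network share, it is worth checking the two files against each other. The following Python script is an added example, not code from the sample repository: it embeds constructed copies of both XML documents, resolves the GroupId reference, decodes AccessMask 7 into the three Disk columns of the rules table and Options 3 into its notification bits, and flags any denied access that no AuditDenied entry would report. The access mask bit values (1/2/4/8/16/32) and the option bits (1 = Show notification, 2 = Send event) are assumed from Microsoft's device control documentation; this page itself only shows 7, 0 and 3.

```python
import xml.etree.ElementTree as ET
# AccessMask bits as documented for Windows device control; the sample's mask 7
# (1|2|4) is what fills the three Disk columns in the rules table above.
ACCESS_BITS = {1: "Disk Read", 2: "Disk Write", 4: "Disk Execute",
               8: "File Read", 16: "File Write", 32: "File Execute"}
# Options bits of audit entries (assumption: 1 = Show notification, 2 = Send
# event; the page itself names only 0 = None and 3 = both).
OPTION_BITS = {1: "Show notification", 2: "Send event"}

# Constructed, comment-free copies of the two XML documents from this sample.
GROUPS_XML = """<Groups><Group Id="{d8819053-24f4-444a-a0fb-9ce5a9e97862}" Type="Device">
<Name>All removable media devices</Name><MatchType>MatchAny</MatchType>
<DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
</Group></Groups>"""
RULES_XML = """<PolicyRules><PolicyRule Id="{d8e6f56c-f4c1-4875-ac45-51ad75d4580e}">
<Name>Audit Deny</Name>
<IncludedIdList><GroupId>{d8819053-24f4-444a-a0fb-9ce5a9e97862}</GroupId></IncludedIdList>
<Entry Id="{ad059b6f-bc9d-44e4-8ab9-907d7d00fc97}">
<Type>Deny</Type><AccessMask>7</AccessMask><Options>0</Options></Entry>
<Entry Id="{4cf50b77-0152-4999-8d82-6f6afdf27b0b}">
<Type>AuditDenied</Type><AccessMask>7</AccessMask><Options>3</Options></Entry>
</PolicyRule></PolicyRules>"""

def decode(mask, table):
    """Names of the bits set in mask, e.g. decode(7, ACCESS_BITS)."""
    return [name for bit, name in table.items() if mask & bit]

def check_policy(groups_xml=GROUPS_XML, rules_xml=RULES_XML):
    """One finding per PolicyRule: groups, denied access, and unaudited denials."""
    groups = {g.get("Id"): g.findtext("Name") for g in ET.fromstring(groups_xml).iter("Group")}
    findings = []
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        included = [g.text for g in rule.find("IncludedIdList").iter("GroupId")]
        deny_mask = audit_mask = audit_opts = 0
        for entry in rule.iter("Entry"):
            kind, mask = entry.findtext("Type"), int(entry.findtext("AccessMask"))
            if kind == "Deny":
                deny_mask |= mask
            elif kind == "AuditDenied":
                audit_mask |= mask
                audit_opts |= int(entry.findtext("Options"))
        findings.append({
            "rule": rule.findtext("Name"),
            "groups": [groups.get(g, "UNRESOLVED " + g) for g in included],
            "denied": decode(deny_mask, ACCESS_BITS),
            "unaudited": decode(deny_mask & ~audit_mask, ACCESS_BITS),
            "audit_options": decode(audit_opts, OPTION_BITS),
        })
    return findings
```

An empty `unaudited` list means every access the Deny entry blocks would also produce an AuditDenied event, which is what this step of the sample intends; a non-empty list or an `UNRESOLVED` group should be fixed before the policy is deployed.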

#### Intune Custom Settings

##### Create custom Intune configuration

1. Navigate to Devices > Configuration profiles
2. Click Create (New Policy)
3. Select Platform "Windows 10 and Later"
4. Select Profile "Templates"
5. Select Template Name "Custom"
6. Click "Create"
7. Under Name, enter **
8. Optionally, enter a description
9. Click "Next"

##### Add a row for Audit Deny

1. Click "Add"
2. For Name, enter Audit Deny
3. For Description, enter **
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bd8e6f56c-f4c1-4875-ac45-51ad75d4580e%7D/RuleData
5. For Data type, select String (XML File)
6. For Custom XML, select windows\Getting Started\Intune OMA-URI\audit_deny{d8e6f56c-f4c1-4875-ac45-51ad75d4580e}.xml
7. Click "Save"

##### Add a row for All removable media devices

1. Click "Add"
2. For Name, enter All removable media devices
3. For Description, enter **
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd8819053-24f4-444a-a0fb-9ce5a9e97862%7D/GroupData
5. For Data type, select String (XML File)
6. For Custom XML, select windows\Getting Started\Intune OMA-URI\all_removable_media_devices{d8819053-24f4-444a-a0fb-9ce5a9e97862}.xml
7. Click "Save"

##### Add a row for DefaultEnforcement

1. Click "Add"
2. For Name, enter DefaultEnforcement
3. For Description, enter **
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
5. For Data type, select Integer
6. For Value, enter 2
7. Click "Save"

##### Add a row for DeviceControlEnabled

1. Click "Add"
2. For Name, enter DeviceControlEnabled
3. For Description, enter **
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
5. For Data type, select Integer
6. For Value, enter 1
7. Click "Save"