Description: This is a policy.
Device Type: Windows Removable Device
A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.
| Name | Included Devices | Excluded Devices | Rule Type | Disk Read | Disk Write | Disk Execute | File Read | File Write | File Execute | Notification | Conditions |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Authorized removable storage policy | Approved USBs Group_1 | - | Deny | - | - | - | ❌ | - | ❌ | None (0) | MatchAll: File (MatchAny) Block Read and Write access to specific file _Groups_2 |
| | | | Allow | - | - | - | - | ✅ | - | Create file evidence with file (8) | User: xxxxx |
| | | | Allow | - | ✅ | - | - | - | - | None (0) | User: xxxxx |
| | | | Allow | ✅ | - | ✅ | ✅ | - | ✅ | None (0) | - |
| | | | Audit Allowed | - | 📄 | 📄 | - | 📄 | 📄 | Send event (2) | - |
| | | | Deny | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | None (0) | - |
| | | | Audit Denied | 📄 | 📄 | 📄 | - | - | - | Show notification and Send event (3) | - |
| Authorized removable storage policy | Any Removable Storage and CD-DVD and WPD Group_0 | Approved USBs Group_1 | Deny | - | - | - | ❌ | - | ❌ | None (0) | MatchAll: File (MatchAny) Block Read and Write access to specific file _Groups_2 |
| | | | Allow | ✅ | - | ✅ | ✅ | - | ✅ | None (0) | - |
| | | | Audit Allowed | - | 📄 | 📄 | - | 📄 | 📄 | Send event (2) | - |
| | | | Deny | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | None (0) | - |
| | | | Audit Denied | 📄 | 📄 | 📄 | - | - | - | Show notification and Send event (3) | - |
This is a group of type Device. The match type for the group is MatchAny.
Property | Value |
---|---|
InstancePathId | USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0 |
```xml
<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
<Name>Approved USBs Group_1</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<!-- the '&' characters in the instance path are written as '&amp;' so the file is well-formed XML -->
<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
</DescriptorIdList>
</Group>
```
This is a group of type File. The match type for the group is MatchAny.
Property | Value |
---|---|
PathId | *.exe |
PathId | *.dll |
```xml
<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData -->
<Name>Block Read and Write access to specific file _Groups_2</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PathId>*.exe</PathId>
<PathId>*.dll</PathId>
</DescriptorIdList>
</Group>
```
This is a group of type Device. The match type for the group is MatchAny.
Property | Value |
---|---|
PrimaryId | RemovableMediaDevices |
PrimaryId | CdRomDevices |
PrimaryId | WpdDevices |
```xml
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
<Name>Any Removable Storage and CD-DVD and WPD Group_0</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
<PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId>
</DescriptorIdList>
</Group>
```
Setting Name | Setting Value | Description | Documentation |
---|---|---|---|
DefaultEnforcement | Deny | Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. | documentation |
DeviceControlEnabled | True | Enables/disables device control | documentation |
This policy is based on information in the following files:
- Group Policy/Block Read and Write access to specific file _Groups.xml
- Group Policy/Demo_2_Policies.xml
- Group Policy/Approved USBs Group.xml
- Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml
Device control policy rules and groups can be deployed through the following management tools:
Intune UX is not supported for this policy because:
- File Read (8) is an unsupported access mask
- Create file evidence with file is an unsupported notification
- File Execute (32) is an unsupported access mask
- File Write (16) is an unsupported access mask
- Windows File groups are not supported
- Parameters are not supported
Use Intune custom settings to deploy the policy instead.
Define device control policy groups
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
- Save the XML below to a network share.
```xml
<Groups>
<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
<Name>Approved USBs Group_1</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<!-- the '&' characters in the instance path are written as '&amp;' so the file is well-formed XML -->
<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
</DescriptorIdList>
</Group>
<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData -->
<Name>Block Read and Write access to specific file _Groups_2</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PathId>*.exe</PathId>
<PathId>*.dll</PathId>
</DescriptorIdList>
</Group>
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
<Name>Any Removable Storage and CD-DVD and WPD Group_0</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
<PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId>
</DescriptorIdList>
</Group>
</Groups>
```
- In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
Define device control policy rules
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
- Save the XML below to a network share.
```xml
<PolicyRules>
<PolicyRule Id="{6f3f8bbb-607f-4ed5-96af-51e3428db8f7}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B6f3f8bbb-607f-4ed5-96af-51e3428db8f7%7D/RuleData -->
<Name>Authorized removable storage policy</Name>
<IncludedIdList>
<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
</IncludedIdList>
<ExcludedIdList>
</ExcludedIdList>
<Entry Id="{9f421985-127d-4819-ae64-84b4d526e6d5}">
<Type>Deny</Type>
<AccessMask>40</AccessMask>
<Options>0</Options>
<Parameters MatchType="MatchAll">
<File MatchType="MatchAny">
<GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
</File>
</Parameters>
</Entry>
<Entry Id="{49eb971a-8ef5-4db0-a790-27163447d5c3}">
<Type>Allow</Type>
<AccessMask>16</AccessMask>
<Options>8</Options>
<Sid>xxxxx</Sid>
</Entry>
<Entry Id="{cf378fd0-ef21-4a17-b101-20ad0909e91a}">
<Type>Allow</Type>
<AccessMask>2</AccessMask>
<Options>0</Options>
<Sid>xxxxx</Sid>
</Entry>
<Entry Id="{94325d58-0a7b-4ef6-868f-765a0673777e}">
<Type>Allow</Type>
<AccessMask>45</AccessMask>
<Options>0</Options>
</Entry>
<Entry Id="{11ba2408-3ad9-4a8e-9d57-c069eff74d00}">
<Type>AuditAllowed</Type>
<AccessMask>54</AccessMask>
<Options>2</Options>
</Entry>
<Entry Id="{0ee3bb3f-7fe7-48fa-972d-6eefd85d66e9}">
<Type>Deny</Type>
<AccessMask>63</AccessMask>
<Options>0</Options>
</Entry>
<Entry Id="{bf1b0973-7ea6-4a31-a7c3-5022baa9ea1a}">
<Type>AuditDenied</Type>
<AccessMask>7</AccessMask>
<Options>3</Options>
</Entry>
</PolicyRule>
<PolicyRule Id="{3984f1f4-7f66-4848-96de-491e2d038b07}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B3984f1f4-7f66-4848-96de-491e2d038b07%7D/RuleData -->
<Name>Authorized removable storage policy</Name>
<IncludedIdList>
<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
</IncludedIdList>
<ExcludedIdList>
<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
</ExcludedIdList>
<Entry Id="{3d15f184-1f3b-4a32-b5b6-47b560b0c44b}">
<Type>Deny</Type>
<AccessMask>40</AccessMask>
<Options>0</Options>
<Parameters MatchType="MatchAll">
<File MatchType="MatchAny">
<GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
</File>
</Parameters>
</Entry>
<Entry Id="{61e73502-ce08-4dab-80a3-d5847d21b651}">
<Type>Allow</Type>
<AccessMask>45</AccessMask>
<Options>0</Options>
</Entry>
<Entry Id="{69ae539b-66f7-4b3a-aaec-53982d2b5254}">
<Type>AuditAllowed</Type>
<AccessMask>54</AccessMask>
<Options>2</Options>
</Entry>
<Entry Id="{ac0c096f-f612-4c5d-a191-d39ea0093eea}">
<Type>Deny</Type>
<AccessMask>63</AccessMask>
<Options>0</Options>
</Entry>
<Entry Id="{2c03a431-ac9a-4cdb-b260-7dac59550a37}">
<Type>AuditDenied</Type>
<AccessMask>7</AccessMask>
<Options>3</Options>
</Entry>
</PolicyRule>
</PolicyRules>
```
- In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.
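Before the groups and rules files are placed on the share, it is worth confirming that both parse as XML, that every GroupId a rule references (including the file groups under Parameters) exists in the groups file, and that every AccessMask decodes to the six access types shown in the rules table. The script below is an added example, not code from the sample repository or from Microsoft: it embeds constructed Groups and PolicyRules XML with placeholder GUIDs, and the bit values and option names it uses are assumptions taken from the values on this page (File Read 8, File Write 16, File Execute 32, Send event 2, Show notification and Send event 3, Create file evidence with file 8).

```python
"""Decode and sanity-check Defender Device Control XML before it goes to the share.

Added example, not code from the sample repository: it embeds constructed
Groups / PolicyRules XML shaped like the policy above and turns the numeric
AccessMask / Options fields into the names used in the rules table.
"""
import xml.etree.ElementTree as ET

# AccessMask bits (assumed from the page's values). File Read (8), File Write
# (16) and File Execute (32) are named on the page; Disk Read (1), Disk Write
# (2) and Disk Execute (4) fill the other three columns, and 63 is the
# all-access Deny entry used in the policy.
ACCESS_BITS = {1: "Disk Read", 2: "Disk Write", 4: "Disk Execute",
               8: "File Read", 16: "File Write", 32: "File Execute"}

# Options bits as they appear in the policy: 2 = Send event, 8 = Create file
# evidence with file, and 3 = Show notification (1) + Send event (2).
OPTION_BITS = {1: "Show notification", 2: "Send event",
               8: "Create file evidence with file"}

# Constructed sample data with placeholder GUIDs. The '&' inside an
# InstancePathId must be written '&amp;' or the file is not well-formed XML.
GROUPS_XML = r"""<Groups>
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <Name>Approved USBs (sample)</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <InstancePathId>USBSTOR\DISK&amp;VEN_SAMPLE&amp;PROD_SAMPLE\0000&amp;0</InstancePathId>
    </DescriptorIdList>
  </Group>
</Groups>"""

RULES_XML = r"""<PolicyRules>
  <PolicyRule Id="{22222222-2222-2222-2222-222222222222}">
    <Name>Sample rule</Name>
    <IncludedIdList><GroupId>{11111111-1111-1111-1111-111111111111}</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="{33333333-3333-3333-3333-333333333333}">
      <Type>Deny</Type><AccessMask>40</AccessMask><Options>0</Options>
      <Parameters MatchType="MatchAll">
        <File MatchType="MatchAny"><GroupId>{99999999-9999-9999-9999-999999999999}</GroupId></File>
      </Parameters>
    </Entry>
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>AuditDenied</Type><AccessMask>7</AccessMask><Options>3</Options>
    </Entry>
    <Entry Id="{55555555-5555-5555-5555-555555555555}">
      <Type>Allow</Type><AccessMask>64</AccessMask><Options>0</Options>
    </Entry>
  </PolicyRule>
</PolicyRules>"""


def decode_bits(value, table):
    """Names of the set bits in value; bits the table does not know are reported, not dropped."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"unknown bits {leftover}")
    return names


def decode_access_mask(mask):
    return decode_bits(mask, ACCESS_BITS)


def decode_options(options):
    names = decode_bits(options, OPTION_BITS)
    return " and ".join(names) if names else "None"


def describe_rules(rules_xml):
    """Flatten every entry into (rule name, type, access names, notification), like the rules table."""
    rows = []
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        name = rule.findtext("Name", "")
        for entry in rule.iter("Entry"):
            rows.append((name, entry.findtext("Type"),
                         decode_access_mask(int(entry.findtext("AccessMask", "0"))),
                         decode_options(int(entry.findtext("Options", "0")))))
    return rows


def validate_policy(groups_xml, rules_xml):
    """Cross-check rules against groups; returns a list of problems (empty means OK)."""
    try:
        groups = ET.fromstring(groups_xml)
        rules = ET.fromstring(rules_xml)
    except ET.ParseError as exc:
        return [f"XML does not parse: {exc}"]
    known = {g.get("Id") for g in groups.iter("Group")}
    problems = []
    for rule in rules.iter("PolicyRule"):
        name = rule.findtext("Name", rule.get("Id"))
        if rule.find("IncludedIdList/GroupId") is None:
            problems.append(f"{name}: IncludedIdList is empty, the rule matches no device")
        # iter() also walks the GroupIds nested under Parameters/File
        for gid in rule.iter("GroupId"):
            if gid.text not in known:
                problems.append(f"{name}: references unknown group {gid.text}")
        for entry in rule.iter("Entry"):
            mask = int(entry.findtext("AccessMask", "0"))
            if mask & ~sum(ACCESS_BITS):
                problems.append(f"{name}: entry {entry.get('Id')} uses undefined AccessMask bits ({mask})")
    return problems


if __name__ == "__main__":
    for row in describe_rules(RULES_XML):
        print(row)
    for problem in validate_policy(GROUPS_XML, RULES_XML):
        print("PROBLEM:", problem)
```

To check the real files, read the two XML documents from disk and pass their text to `validate_policy`; on the constructed sample it reports the dangling file-group reference and the entry whose mask sets a bit outside the six known access types, which is exactly the kind of typo that otherwise surfaces only as a rule that silently never matches.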
Create custom Intune configuration
- Navigate to Devices > Configuration profiles
- Click Create (New Policy)
- Select Platform "Windows 10 and Later"
- Select Profile "Templates"
- Select Template Name "Custom"
- Click "Create"
- Under Name, enter **
- Optionally, enter a description
- Click "Next"
Add a row for Authorized removable storage policy
- Click "Add"
- For Name, enter Authorized removable storage policy
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B6f3f8bbb-607f-4ed5-96af-51e3428db8f7%7D/RuleData
- For Data type, select String (XML File)
- For Custom XML, select windows/device/Intune OMA-URI/authorized_removable_storage_policy{6f3f8bbb-607f-4ed5-96af-51e3428db8f7}.xml
- Click "Save"
Add a row for Authorized removable storage policy
- Click "Add"
- For Name, enter Authorized removable storage policy
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B3984f1f4-7f66-4848-96de-491e2d038b07%7D/RuleData
- For Data type, select String (XML File)
- For Custom XML, select windows/device/Intune OMA-URI/authorized_removable_storage_policy{3984f1f4-7f66-4848-96de-491e2d038b07}.xml
- Click "Save"
Add a row for Approved USBs Group_0
- Click "Add"
- For Name, enter Approved USBs Group_0
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData
- For Data type, select String (XML File)
- For Custom XML, select windows/device/Intune OMA-URI/Approved USBs Group.xml
- Click "Save"
Add a row for Unauthorized File Group_0
- Click "Add"
- For Name, enter Unauthorized File Group_0
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData
- For Data type, select String (XML File)
- For Custom XML, select windows/device/Intune OMA-URI/Unauthorized File Group.xml
- Click "Save"
Add a row for Any Removable Storage and CD-DVD and WPD Group_0
- Click "Add"
- For Name, enter Any Removable Storage and CD-DVD and WPD Group_0
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData
- For Data type, select String (XML File)
- For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml
- Click "Save"
Add a row for DefaultEnforcement
- Click "Add"
- For Name, enter DefaultEnforcement
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
- For Data type, select Integer
- For Value, enter 2
- Click "Save"
Add a row for DeviceControlEnabled
- Click "Add"
- For Name, enter DeviceControlEnabled
- For Description, enter **
- For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
- For Data type, select Integer
- For Value, enter 1
- Click "Save"