Skip to content

Latest commit

 

History

History
393 lines (301 loc) · 13.2 KB

Scenario 1 GPO Policy - Prevent Write and Execute access to all but allow specific approved USBs.md

File metadata and controls

393 lines (301 loc) · 13.2 KB

Device control policy sample: Scenario 1

Description: Prevent Write and Execute access to all but allow specific approved USBs
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Name Devices Rule Type Access Notification Conditions
Included Excluded Disk Read Disk Write Disk Execute File Read File Write File Execute
Audit Write and Execute access to aproved USBs
    		Allow - - None (0) -
    Audit Allowed - 📄 📄 - 📄 📄 Send event (2) -
    Block Write and Execute Access
    • Group: Any Removable Storage and CD-DVD and WPD Group_1 (details)
    		Deny - - - - None (0) -
    Audit Denied - 📄 📄 - - - Show notification and Send event (3) -

    Groups

    Approved USBs Group_1

    This is a group of type Device. The match type for the group is MatchAny.

    Property Value
    InstancePathId USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0
    View XML 
    <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
	<Name>Approved USBs Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
	</DescriptorIdList>
</Group>

    Any Removable Storage and CD-DVD and WPD Group_1

    This is a group of type Device. The match type for the group is MatchAny.

    Property Value
    PrimaryId RemovableMediaDevices
    PrimaryId CdRomDevices
    PrimaryId WpdDevices
    View XML 
    <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>

    Settings

    Setting Name Setting Value Description Documentation
    DefaultEnforcement Deny Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. documentation
    DeviceControlEnabled True Enables/disables device control documentation

    Files

    This policy is based on information in the following files:

    Deployment Instructions

    Device control policy rules and groups can be deployed through the following management tools:

    Windows

    Intune UX

    Intune UX is not supported for this policy because:

    • File Write (16) is an unsupported access mask
    • File Execute (32) is an unsupported access mask

    Use Intune custom settings to deploy the policy instead.

    Group Policy (GPO)

    Define device control policy groups
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
    2. Save the XML below to a network share.
    <Groups>
	<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
		<Name>Approved USBs Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
		</DescriptorIdList>
	</Group>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
</Groups>
    1. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
    Define device control policy rules
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
    2. Save the XML below to a network share.
    <PolicyRules>
	<PolicyRule Id="{36ae1037-a639-4cff-946b-b36c53089a4c}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B36ae1037-a639-4cff-946b-b36c53089a4c%7D/RuleData -->
		<Name>Audit Write and Execute access to aproved USBs</Name>
		<IncludedIdList>
			<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{a0bcff88-b8e4-4f48-92be-16c36adac930}">
			<Type>Allow</Type>
			<AccessMask>54</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{4a17df0b-d89d-430b-9cbe-8e0721192281}">
			<Type>AuditAllowed</Type>
			<AccessMask>54</AccessMask>
			<Options>2</Options>
		</Entry>
	</PolicyRule>
	<PolicyRule Id="{c544a991-5786-4402-949e-a032cb790d0e}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bc544a991-5786-4402-949e-a032cb790d0e%7D/RuleData -->
		<Name>Block Write and Execute Access</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
			<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
		</ExcludedIdList>
		<Entry Id="{f8ddbbc5-8855-4776-a9f4-ee58c3a21414}">
			<Type>Deny</Type>
			<AccessMask>6</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{07e22eac-8b01-4778-a567-a8fa6ce18a0c}">
			<Type>AuditDenied</Type>
			<AccessMask>6</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
    1. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

    Intune Custom Settings

    Create custom intune configuration
    1. Navigate to Devices > Configuration profiles
    2. Click Create (New Policy)
    3. Select Platform "Windows 10 and Later"
    4. Select Profile "Templates"
    5. Select Template Name "Custom"
    6. Click "Create"
    7. Under Name, enter **
    8. Optionally, enter a description
    9. Click "Next"
    Add a row for Audit Write and Execute access to aproved USBs

    1. Click "Add"

    2. For Name, enter Audit Write and Execute access to aproved USBs

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B36ae1037-a639-4cff-946b-b36c53089a4c%7D/RuleData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/audit_write_and_execute_access_to_aproved_usbs{36ae1037-a639-4cff-946b-b36c53089a4c}.xml

    7. Click "Save"

    Add a row for Block Write and Execute Access

    1. Click "Add"

    2. For Name, enter Block Write and Execute Access

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bc544a991-5786-4402-949e-a032cb790d0e%7D/RuleData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/block_write_and_execute_access{c544a991-5786-4402-949e-a032cb790d0e}.xml

    7. Click "Save"

    Add a row for Approved USBs Group_0

    1. Click "Add"

    2. For Name, enter Approved USBs Group_0

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Approved USBs Group.xml

    7. Click "Save"

    Add a row for Any Removable Storage and CD-DVD and WPD Group_0

    1. Click "Add"

    2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml

    7. Click "Save"

    Add a row for DefaultEnforcement

    1. Click "Add"

    2. For Name, enter DefaultEnforcement

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

    5. For Data type, select Integer

    6. For Value, enter 2

    7. Click "Save"

    Add a row for DeviceControlEnabled

    1. Click "Add"

    2. For Name, enter DeviceControlEnabled

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

    5. For Data type, select Integer

    6. For Value, enter 1

    7. Click "Save"