Skip to content

Latest commit

 

History

History
328 lines (237 loc) · 9.69 KB

Scenario 8 Audit Read_Intune.md

File metadata and controls

328 lines (237 loc) · 9.69 KB

Device control policy sample: Scenario 8

Description: This is a policy.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Name Devices Rule Type Access Notification Conditions
Included Excluded Disk Read Disk Write Disk Execute File Read File Write File Execute
Audit Read Activity
  • Group: Any Removable Storage and CD-DVD and WPD Group_1 (details)
    		Allow - - - - - None (0) -
    Audit Allowed 📄 - - - - - Send event (2) -

    Groups

    Any Removable Storage and CD-DVD and WPD Group_1

    This is a group of type Device. The match type for the group is MatchAny.

    Property Value
    PrimaryId RemovableMediaDevices
    PrimaryId CdRomDevices
    PrimaryId WpdDevices
    View XML 
    <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>

    Settings

    Setting Name Setting Value Description Documentation
    DefaultEnforcement Deny Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. documentation
    DeviceControlEnabled True Enables/disables device control documentation

    Files

    This policy is based on information in the following files:

    Deployment Instructions

    Device control policy rules and groups can be deployed through the following management tools:

    Windows

    Intune UX

    Create a reusable setting for Any Removable Storage and CD-DVD and WPD Group_1

    1. Navigate to Home > Endpoint Security > Attack Surface Reduction

    2. Click on Reusable Settings

    3. Click (+) Add

    4. Enter the Any Removable Storage and CD-DVD and WPD Group_1 for the name.

    5. Optionally, enter a description

    6. Click on "Next"

    7. Set the match type toggle to MatchAny

    8. Click "Next"

    9. Click "Add"

    Create a Device Control Rules configuration profile
    1. Navigate to Home > Endpoint Security > Attack Surface Reduction
    2. Click on "Create Policy"
    3. Under Platform, select "Windows 10 and later"
    4. Under Profile, select "Device Control Rules"
    5. Click "Create"
    6. Under Name, enter **
    7. Optionally, enter a description
    8. Click "Next"
    Add a rule for Audit Read Activity to the policy

    1. Click on "+ Set reusable settings" under Included Id

    2. Click on Any Removable Storage and CD-DVD and WPD Group_1

    3. Click on "Select"

    4. Click on "+ Edit Entry"

    5. Enter Audit Read Activity for the name

    6. Select Allow from "Type"

    7. Select None from "Options"

    8. Select Read from "Access mask"

    9. Add another entry. Click on "+ Add"

    10. Select Audit Allowed from "Type"

    11. Select Send event from "Options"

    12. Select Read from "Access mask"

    13. Click "OK"

    Group Policy (GPO)

    Define device control policy groups
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
    2. Save the XML below to a network share.
    <Groups>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
</Groups>
    1. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
    Define device control policy rules
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
    2. Save the XML below to a network share.
    <PolicyRules>
	<PolicyRule Id="{4dd8a057-9c58-4a86-8fc2-0d7989d7ce6c}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B4dd8a057-9c58-4a86-8fc2-0d7989d7ce6c%7D/RuleData -->
		<Name>Audit Read Activity</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{27c79875-25d2-4765-aec2-cb2d1000613f}">
			<Type>Allow</Type>
			<AccessMask>1</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{684abbdd-000d-4565-b44c-550bc3d71034}">
			<Type>AuditAllowed</Type>
			<AccessMask>1</AccessMask>
			<Options>2</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
    1. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

    Intune Custom Settings

    Create custom intune configuration
    1. Navigate to Devices > Configuration profiles
    2. Click Create (New Policy)
    3. Select Platform "Windows 10 and Later"
    4. Select Profile "Templates"
    5. Select Template Name "Custom"
    6. Click "Create"
    7. Under Name, enter **
    8. Optionally, enter a description
    9. Click "Next"
    Add a row for Audit Read Activity

    1. Click "Add"

    2. For Name, enter Audit Read Activity

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B4dd8a057-9c58-4a86-8fc2-0d7989d7ce6c%7D/RuleData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Scenario 8 Audit Read_Intune.xml

    7. Click "Save"

    Add a row for Any Removable Storage and CD-DVD and WPD Group_0

    1. Click "Add"

    2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml

    7. Click "Save"

    Add a row for DefaultEnforcement

    1. Click "Add"

    2. For Name, enter DefaultEnforcement

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

    5. For Data type, select Integer

    6. For Value, enter 2

    7. Click "Save"

    Add a row for DeviceControlEnabled

    1. Click "Add"

    2. For Name, enter DeviceControlEnabled

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

    5. For Data type, select Integer

    6. For Value, enter 1

    7. Click "Save"