diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ab27a7496a..4266ad036b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -123,10 +123,12 @@ ##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) ###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) -##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +##### Device control +###### [Control USB devices](device-control/control-usb-devices-using-intune.md) +###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) +######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) ###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md new file mode 100644 index 0000000000..c46d27571f --- /dev/null +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -0,0 +1,86 @@ +--- +title: How to control USB devices and other removable media using Intune (Windows 10) +description: You can configure Intune settings to reduce threats from removable storage such as USB devices. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +ms.author: justinha +author: justinha +ms.date: 11/12/2018 +--- + +# How to control USB devices and other removable media using Intune + +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + + +You can configure Intune settings to reduce threats from removable storage such as USB devices, including: + +- [Block unwanted removeable storage](#block-unwanted-removable-storage) +- [Protect allowed removable storage](#protect-allowed-removable-storage) + +Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +We recommend enabling real-time protection for improved scanning performance, especialy for large storage devices. +If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. +You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted. + +> [!NOTE] +> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device. + +## Block unwanted removeable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Windows 10 Device Configuration + - Description: Block removeable storage and USB connections + - Platform: Windows 10 and later + - Profile type: Device restrictions + + ![Create profile](images/create-profile.png) + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. + + ![General settings](images/general-settings.png) + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies. + +## Protect allowed removable storage + +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection + + ![Create enpoint protection profile](images/create-endpoint-protection-profile.png) + +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. + +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. + + ![Block untrusted processes](images/block-untrusted-processes.png) + +6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. + +7. Click **Create** to save the profile. \ No newline at end of file diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png new file mode 100644 index 0000000000..3080e0d1f0 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png new file mode 100644 index 0000000000..9d295dfa6b Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png new file mode 100644 index 0000000000..1e0f0587a3 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png new file mode 100644 index 0000000000..eaba30b27f Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png new file mode 100644 index 0000000000..ada168228e Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png new file mode 100644 index 0000000000..152822dc29 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index efe244b001..1bda153a18 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -6,6 +6,12 @@ ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) ##### [System isolation](how-hardware-based-containers-help-protect-windows.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) +#### Device control +##### [Control USB devices](../device-control/control-usb-devices-using-intune.md) +##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) +####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) #### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)