deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

added feedback from Jody

Browse Source
This commit is contained in:
Justin Hall
2018-12-11 08:13:31 -08:00
parent 013ed0ab44
commit 73cb53caab
1 changed files with 26 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
View File

@ -17,41 +17,47 @@ ms.date: 12/11/2018
Windows Defender ATP enables security administrators to view, prevent, and protect against unauthorized peripherals, such as cameras, removeable storage devices, and so on, from being used to compromise devices (i.e. Threat Infections) or being used to exfiltrate sensitive information (i.e. Data Loss Prevention).
- [View plug-and-play connected events in Windows Defender ATP advanced hunting](#view-plug-and-play-connected-events) to identify or investigate suspicious usage activity. Based on any WDATP event, you can customize alerts using a custom detection rule.
- [View plug and play connected events in Windows Defender ATP advanced hunting](#view-plug-and-play-connected-events) to identify or investigate suspicious usage activity. Based on any WDATP event, you can customize alerts using a [custom detection rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
- [Prevent or limit peripherals](#prevent-or-limit-peripherals) from being seen by or interacted with devices. Device installation restrictions can also be set to handle an active incident, such as immediately blocking a user or machines access to all removable storage. The following policy and configurations let you do this:
- Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
- Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
- [Protect against threats](#protect-against-threats) introduced through removable storage devices through enabling:
- Windows Defender Anti-Virus real-time protection (RTP) to scan removable storage for malware.
- Exploit Guards Attack Surface Reduction (ASR) USB Rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access Protection Settings including Kernel DMA Protection for Thunderbolt and Blocking Direct Memory Access until a user logs-on to protect devices against Direct Memory Access (DMA) attacks.
- [Protect against threats](#protect-against-threats) introduced by removable storage devices by enabling:
- [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
- [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
| Control | Description |
|----------|-------------|
| [Block installation of any removable storage device](#block-installation-of-any-removable-storage-device) | Users cannot install any removable storage device. |
| [Allow installation of specific device IDs](#allow-installation-of-specific-device-ids) | Users can install only specifically approved devices. |
| [Protect authorized removable storage devices](#protect-authorized-removable-storage) | Identify and block malicious files on authorized removable storage devices. |
To make sure removable storage is blocked or allowed as expected, we recommend trying these settings with a pilot group of users and devices, and refining the settings as needed before applying them in production.
You should block everything and allow only the removable storage properties of approved devices (such as vendor ID, and product ID) and limit users who need access because it is possible to spoof removable device properties.
For more information about controlling USB devices and other removable media, see the [Microsoft Secure blog](https://cloudblogs.microsoft.com/microsoftsecure/).
> [!NOTE]
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks.
## View plug-and-play connected events
## View plug and play connected events
You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
## Prevent or limit peripherals
## Protect against threats
WDATP can help reduce threats from removable storage such as USB devices.
The following table describes different scenarios for controlling installation and usage of removeable storage and other devices.
For more information about controlling USB devices, see the [Microsoft Secure blog](https://cloudblogs.microsoft.com/microsoftsecure/).
## Block installation of any removable storage device
| Control | Description |
|----------|-------------|
| [Block installation of any removable storage device](#block-installation-of-any-removable-storage-device) | Users can't install any removable storage device. |
| [Allow installation of specific device IDs](#allow-installation-of-specific-device-ids) | Users can install only specifically approved devices. |
To make sure removable storage is blocked or allowed as expected, we recommend trying these settings with a pilot group of users and devices, and refining the settings as needed before applying them in production.
You should block everything and allow only the removable storage properties of approved devices (such as vendor ID, and product ID) and limit users who need access because it is possible to spoof removable device properties.
### Block installation of any removable storage device
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
@ -77,7 +83,7 @@ For more information about controlling USB devices and other removable media, se
7. Click **Create** to save the profile.
## Allow installation of specific device IDs
### Allow installation of specific device IDs
Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies to allow or prevent the installation of specific types of removable devices.
@ -103,9 +109,9 @@ You must allow or prevent all of the device identification strings for that devi
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids).
## Protect authorized removable storage
## Protect against threats
If removable devices are allowed on devices (either fully or partially), you can add protection to identify and block malicious files.
If removable devices are fully or even partially allowed, you can add protection to identify and block malicious files.
### Enable Windows Defender Antivirus Scanning