From 7433129a709a95f6b7643ff5bc1ef6731debc09c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 3 Dec 2018 17:32:58 -0800 Subject: [PATCH] added pilot statement --- .../device-control/control-usb-devices-using-intune.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 88435a389e..6a5c24fb12 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,14 +8,14 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: justinha author: justinha -ms.date: 12/01/2018 +ms.date: 12/04/2018 --- # How to control USB devices and other removable media using Intune **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Intune can help reduce threats from removable storage such as USB devices. The following table describes different scenarios for controlling installation and usage of removeable storage and other devices. +Intune can help reduce threats from removable storage such as USB devices. The following table describes different scenarios for controlling installation and usage of removeable storage and other devices. | Control | Description | |----------|-------------| @@ -23,6 +23,8 @@ Intune can help reduce threats from removable storage such as USB devices. The f | [Allow installation of specific device IDs and setup classes](#allow-installation-of-specific-device-ids-and-setup-classes) | Users can install most devices but not a list of prohibited devices. | | [Protect authorized removeable storage devices](#protect-authorized-removable-storage) | Identify and block malicious files on authorized removeable storage devices. | +To make sure removeable storage is blocked or allowed as expected, we recommend trying these settings with a pilot group of users and devices, and refining the settings as needed before applying them in production. + > [!NOTE] > These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removeable disks.