mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 06:17:22 +00:00

clean/linted control usb devices

This commit is contained in:
parent d1fcdadae4
commit 76d4d57fa8
@ -22,7 +22,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak

1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
- The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
- The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
- [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.

2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
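Review bot: the replaced bullet under item 1 drops "Exploit Guard" from "Attack Surface Reduction (ASR) USB rule", but the link target still reads `windows-defender-exploit-guard/attack-surface-reduction-exploit-guard`; verify the path still resolves after the upstream rename, and name the rule by its configured title ("Block untrusted and unsigned processes that run from USB") so readers can find it in the ASR rule list. The bullet should also state that ASR rules only apply when Windows Defender Antivirus is the active engine with real-time protection on, which makes the RTP bullet above it a prerequisite rather than a separate layer; as written, a reader running third-party AV could enable the rule and get no protection.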
@ -35,7 +35,6 @@ Microsoft recommends [a layered approach to securing removable media](https://ak

![Create device configuration profile]
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.


## Prevent threats from removable storage

Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
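Review bot: the data-loss sentence in this hunk ("you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a personal device") credits both controls with a behaviour that only WIP has: WIP tags and encrypts enterprise data per file, while BitLocker (BitLocker To Go for removable drives) encrypts whole volumes regardless of whose data is on them, and neither stops a user from copying files out; that is what the RemovableDiskDenyWriteAccess policy named next does. Split the sentence so each control is paired with the outcome it actually delivers. Separately, the image reference `![Create device configuration profile]` renders without a target in this view; confirm the path survived.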
@ -107,10 +106,10 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or

To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals.

| Control | Description |
|----------|-------------|
| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
Control | Description
-|-
Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types
Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types

All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
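Review bot: the table rewrite here is presentation only, but the unchanged lines around it carry two naming inconsistencies that a lint pass should take: the intro sentence says "Microsoft Defender Advanced Threat Protection" while the rest of the page says "Windows Defender ATP", and the closing sentence says "Intune Administrator Templates" a few words after linking "Administrative Templates". On substance, the "Allow" row describes an allow list ("only the USB drives ... included on a list of authorized devices"), which is only true when the prevent-everything-else policy from the next section is enabled as well; an allow policy on its own restricts nothing. One clause in that Description cell pointing at the dependency would stop readers enabling the allow policy alone and assuming they are locked down.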
@ -130,6 +129,7 @@ One way to approach allowing installation and usage of USB drives and other peri

> [!Note]
> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
>
> 1. Enable **prevent installation of devices not described by other policy settings** to all users.
> 2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To enforce the policy for already installed devices, apply the prevent policies that have this setting.
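Review bot: the added sentence "To enforce the policy for already installed devices, apply the prevent policies that have this setting" never says which setting it means. Each of the Prevent installation policies carries an "Also apply to matching devices that are already installed" option; name it, and say that without it devices installed before the policy arrived keep working, since readers will otherwise assume existing devices are covered by default. Two smaller points in the note block: "Enable ... to all users" should read "for all users", and step 2 enables every device setup class, so the note should say explicitly that the lock-down (removing classes, then adding individual device IDs) is the paragraph that follows; read on their own, steps 1 and 2 look like a no-op.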
@ -144,9 +144,10 @@ If you want to restrict to certain devices, remove the device setup class of the

>Using PowerShell: Get-WMIObject -Class Win32_DiskDrive |
Select-Object -Property *
>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers)
>For the typical format for the USB ID, please reference [Standard USB Identifiers](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers)

### Prevent installation and usage of USB drives and other peripherals

If you want to prevent a device class or certain devices, you can use the prevent device installation policies.

1. Enable **Prevent installation of devices that match any of these device IDs**.
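Review bot: the PowerShell one-liner (`Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property *`) dumps every property, but the value the device-ID policies need is `PNPDeviceID`, which for a USB disk takes the form `USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&0`; suggest `Select-Object Model, PNPDeviceID` so the relevant string is visible, and `Get-CimInstance -ClassName Win32_DiskDrive` since `Get-WmiObject` does not exist in PowerShell 7. The link swap to "Standard USB Identifiers" is fine, but the text should say which node the ID refers to: `Win32_DiskDrive` reports the disk node under `USBSTOR`, while the USB device itself enumerates as `USB\VID_xxxx&PID_yyyy`. Either can be used in the ID policies, but they block at different layers (the disk function versus the whole USB device), and a reader pasting the `USBSTOR` string will not match a policy written against VID/PID.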
@ -167,9 +168,6 @@ Using Intune, you can limited the services that can use Bluetooth through the






## Detect plug and play connected events

You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
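Review bot: the unchanged context line that opens this hunk reads "you can limited the services that can use Bluetooth" ("limit"); since this commit is the lint pass, take the one-word fix here rather than leaving it for another commit. The image line this hunk trims blank lines around renders empty in this view; confirm its alt text and path survived the edit.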
@ -186,11 +184,11 @@ Windows Defender ATP can prevent USB peripherals from being used on devices to h
The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).

| Control | Description |
|----------|-------------|
| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
Control | Description
-|-
[Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage
[Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware
[Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware

> [!NOTE]
> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
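Review bot: this table duplicates the "Allow/Prevent installation and usage of USB drives and other peripherals" table rewritten earlier in the same file, and the NOTE about firmware that spoofs USB properties now appears verbatim twice, once after each table; with both tables converted to the same bare-pipe style in this commit, consolidate to one table and one note, or cross-link the two sections, rather than maintaining two copies. The "Only allow ... specifically approved peripherals" row says approved devices "report specific properties in their firmware", which is exactly what the NOTE says can be spoofed; the row should state plainly that the check is on reported hardware IDs and is an inventory control, not an authentication of the device, so the NOTE's advice to also limit which users may access them reads as the mitigation it is.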
@ -235,7 +233,6 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by
- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).


## Related topics

- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
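Review bot: the Administrative Templates bullet and the Device Installation CSP bullet both describe prevent-by-ID and prevent-by-setup-class, but neither states precedence: a Prevent policy that matches a device wins over any Allow policy that also matches it, which is what makes the earlier "prevent everything not described, then allow classes, then remove classes and add IDs" procedure work, and also what makes a mistaken prevent entry unrecoverable by adding an allow. One sentence on that belongs here, in the section readers land on when writing block lists. The hunk otherwise only removes a blank line.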
@ -244,6 +241,3 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)


