From 7a85e013fe467dcef061321036f4d5f4f1e0a1e1 Mon Sep 17 00:00:00 2001 From: Jody Cedola Date: Tue, 27 Nov 2018 20:28:21 +0000 Subject: [PATCH] Updated control-usb-devices-using-intune.md --- .../control-usb-devices-using-intune.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 3c392684ba..4bdf28f5fc 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -21,11 +21,6 @@ You can configure Intune settings to reduce threats from removable storage such - [Block prohibited removeable storage](#block-prohibited-removable-storage) - [Protect authorized removable storage](#protect-authorized-removable-storage) - Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). - We recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. - You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted. - > [!NOTE] > These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removeable disks. @@ -98,6 +93,12 @@ For example, a multi-function device, such as an all-in-one scanner/fax/printer, ## Protect authorized removable storage + Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + We recommend enabling real-time protection for improved scanning performance, especially for large storage devices. + If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. + You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted. + + These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).