From b70fb019bf5577b84f73d75b866132cce315b9ef Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 17 Dec 2018 10:43:37 -0800 Subject: [PATCH 1/2] feedback from Aacer --- .../device-control/control-usb-devices-using-intune.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index a2938cdf3c..977c81eee7 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium ms.author: justinha author: justinha -ms.date: 12/15/2018 +ms.date: 12/18/2018 --- # How to control USB devices and other removable media using Windows Defender ATP @@ -92,7 +92,9 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or 1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. - Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for devices that don't support device memory isolation (also known as DMA-remapping). These devices can be blocked, allowed, or allowed only after the user signs in (default). Devices that do support device memory isolation can always connect. + Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: From 529cc260e13ba21bb32d58d562bfe11e93fa1691 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 17 Dec 2018 10:54:45 -0800 Subject: [PATCH 2/2] revisec respond heading based on feedback from Anch --- .../device-control/control-usb-devices-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 977c81eee7..25884a9bd3 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -25,7 +25,7 @@ Windows Defender ATP provides multiple monitoring and control features for USB p 2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). -3. [Respond to additional peripherals](#respond-to-additional-peripherals) in real-time based on properties reported by each peripheral: +3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. @@ -108,7 +108,7 @@ You can view plug and play connected events in Windows Defender ATP advanced hun For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). -## Respond to additional peripherals +## Respond to threats Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.