added link to storage csp

This commit is contained in:
Justin Hall 2018-11-27 09:46:34 -08:00
parent 1e7fbf95b6
commit eb7219490a


@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
ms.author: justinha
author: justinha
ms.date: 11/26/2018
ms.date: 11/27/2018
---
# How to control USB devices and other removable media using Intune
@ -27,7 +27,7 @@ If real-time protection is enabled, files are scanned before they are accessed a
You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
> [!NOTE]
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removeable disks.
## Controlling device installation and usage
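Review bot: "removeable" in the new note text should be "removable", matching the policy name RemovableDiskDenyWriteAccess in the link right next to it. The link text also calls it a CSP, but the URL (policy-csp-storage#storage-removablediskdenywriteaccess) points at a setting inside the Policy CSP, so "the Storage/RemovableDiskDenyWriteAccess policy" would be more accurate. Finally, the sentence lists it as an alternative to BitLocker and WIP; since it only denies write access to removable disks and does not encrypt anything, consider phrasing it as a complementary control, e.g. "or additionally use the Storage/RemovableDiskDenyWriteAccess policy to deny write access to removable disks."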
@ -76,16 +76,11 @@ Windows uses two types of identifiers to control device installation and configu
- Device setup classes
#### Device identification strings
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of [device identification strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file that is part o
f the device driver package. Windows chooses which device driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
There are two types of device identification strings: hardware IDs and compatible IDs.
Windows can use each string to match a device to a driver package. The strings range from the very specific, matching a single make and model of a device, to the very general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.
##### Hardware IDs
Hardware IDs are the identifiers that provide the most exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device, if the driver for the correct revision is not available.
##### Compatible IDs
Windows uses these identifiers to select a device driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
Windows uses compatible IDs to select a device driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank.
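Review bot: the first paragraph under "#### Device identification strings" breaks mid-word ("part o" / "f the device driver package"); if that line break is in the source file rather than an artifact of this diff view, it renders as "part o f the", so the two lines should be joined. Separately, the hunk header goes from 16 lines to 11 while the view shows only two one-line rewrites (the "There are two types..." sentence folded into the new "Windows can use each string..." paragraph, and "these identifiers" replaced by "compatible IDs"), so three more lines were dropped that are not shown; worth confirming they were only blank separators and that the "##### Hardware IDs" and "##### Compatible IDs" headings still render on their own lines.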