deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

edits from jake Mowrer

Browse Source
This commit is contained in:
Justin Hall
2018-11-29 11:48:41 -08:00
parent 437718a550
commit f4ce766d07
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
ms.author: justinha
author: justinha
ms.date: 11/27/2018
ms.date: 11/30/2018
---
# How to control USB devices and other removable media using Intune
@ -56,15 +56,22 @@ Intune can help reduce threats from removable storage such as USB devices. The f
If removable devices are allowed on devices (either fully or partially), you can add protection to identify and block malicious files.
Enable Windows Defender Antivirus Scanning: Protecting authorized removeable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
### Enable Windows Defender Antivirus Scanning
Protecting authorized removeable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
If real-time protection is enabled, files are scanned before they are accessed and executed.
The scanning scope includes all files, including those on mounted removable devices such as USB drives.
You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
Enable EG-ASR “Block untrusted and unsigned processes that run from USB”:End-users might plug in removable devices that are infected with malware.
In order to prevent infections, a company can block files from usb devices which are not signed or are untrusted. Alternatively, companies can leverage the audit feature of ASR to monitor the USB activity of untrusted and unsigned processes that execute on a USB device. This can be done through the EG-ASR “Block untrusted and unsigned processes that run from USB” Rule.
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
### Enable Block untrusted and unsigned processes that run from USB attack surface reduction rule
End-users might plug in removable devices that are infected with malware.
In order to prevent infections, a company can block files from usb devices which are not signed or are untrusted.
Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the USB activity of untrusted and unsigned processes that execute on a USB device.
This can be done by using the **Block untrusted and unsigned processes that run from USB** rule.
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards.
Blocked file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).