windows-itpro-docs/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
Justin Hall 0ad60b0def typo
2018-11-14 12:31:01 -08:00

---
title: How to control USB devices and other removable media using Intune (Windows 10)
description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.author: justinha
author: justinha
ms.date: 11/15/2018
---

# How to control USB devices and other removable media using Intune

**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)

You can configure Intune settings to reduce threats from removable storage such as USB devices, including:

- Blocking unwanted removable storage
- Protecting allowed removable storage

Protecting allowed removable storage requires real-time protection to be enabled. We recommend enabling real-time protection; it also gives better scanning performance, especially for large storage devices, because files are scanned as they are accessed rather than all at once.
If real-time protection is enabled, files are scanned before they are accessed or executed. The scanning scope covers all files, including those on mounted removable devices such as USB drives. You can optionally run a PowerShell script to perform a custom scan of a USB drive after it is mounted.
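The following script is an added example of the custom scan mentioned above; it is not part of the original page or of Microsoft's own tooling. It assumes Windows Defender Antivirus with its PowerShell module (`Get-MpComputerStatus`, `Start-MpScan`, `Get-MpThreatDetection`) and an elevated session. It waits for volume-arrival events, scans only volumes Windows reports as removable, and reports detections whose path is on that drive.

```powershell
# Added example (not from the original page): start a Windows Defender custom scan
# of a removable drive as soon as it is mounted. Assumes Windows Defender Antivirus
# with its PowerShell module and an elevated session. Leave the script running;
# press Ctrl+C to stop it.

$ErrorActionPreference = 'Stop'

# With real-time protection on, files on the drive are scanned on access anyway;
# this script adds an immediate sweep of the whole drive. Warn if it is off,
# because then this sweep is the only scan the drive gets.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is disabled; files on the drive will only be scanned by this script.'
}

function Invoke-RemovableDriveScan {
    param([Parameter(Mandatory)][string]$DriveName)   # e.g. "E:"

    # Only scan volumes Windows reports as removable (skip mounted ISOs, VHDs, network drives).
    $vol = Get-Volume -DriveLetter $DriveName.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($null -eq $vol -or $vol.DriveType -ne 'Removable') {
        Write-Verbose "Ignoring $DriveName (drive type: $($vol.DriveType))"
        return
    }

    Write-Host "$(Get-Date -Format o)  removable volume $DriveName mounted, scanning..."
    Start-MpScan -ScanType CustomScan -ScanPath "$DriveName\"

    # Report any detection whose resource path is on this drive.
    $hits = Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { $_.Resources -like "*$DriveName\*" }
    if ($hits) {
        foreach ($h in $hits) {
            Write-Warning ("Detection {0} (threat ID {1}) on {2}" -f $h.DetectionID, $h.ThreatID, ($h.Resources -join ', '))
        }
    } else {
        Write-Host "No threats detected on $DriveName."
    }
}

# Win32_VolumeChangeEvent is raised for every volume arrival/removal.
# EventType 2 = device arrival; DriveName carries the drive letter.
Register-WmiEvent -Class Win32_VolumeChangeEvent -SourceIdentifier 'VolumeChange'
try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier 'VolumeChange'
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $e = $evt.SourceEventArgs.NewEvent
        if ($e.EventType -eq 2) {
            Invoke-RemovableDriveScan -DriveName $e.DriveName
        }
    }
} finally {
    Unregister-Event -SourceIdentifier 'VolumeChange'
}
```

The scan is deliberately limited to `Removable` volumes so that mounting a VHD or ISO does not trigger a full sweep; drop that check if you also want fixed USB disks (which Windows reports as `Fixed`) scanned on arrival.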

> [!NOTE]
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a personal device.

## Block unwanted removable storage

1. Sign in to the Microsoft Azure portal.

2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.

   (Screenshot: Create device configuration profile)

3. Use the following settings:

   - **Name**: Windows 10 Device Configuration
   - **Description**: Block removable storage and USB connections
   - **Platform**: Windows 10 and later
   - **Profile type**: Device restrictions

   (Screenshot: Create profile)

4. Click **Configure** > **General**.

5. For **Removable storage**, choose **Block**. These are two separate settings: if the profile also targets mobile devices, set **USB connection (mobile only)** to **Block** as well.

   (Screenshot: General settings)

6. Click **OK** to close **General** settings and **Device restrictions**.

7. Click **Create** to save the profile, then assign it to the device or user groups it should apply to. A profile that is not assigned has no effect.

Alternatively, you can create a custom profile in Intune (OMA-URI settings) and configure the DeviceInstallation policies of the Policy CSP, which give finer control (for example, denying specific device setup classes) than the single Removable storage switch.

## Protect allowed removable storage

These settings require real-time protection to be enabled: attack surface reduction rules only work when Windows Defender Antivirus is the active antivirus and real-time protection is on.

1. Sign in to the Microsoft Azure portal.

2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.

   (Screenshot: Create device configuration profile)

3. Use the following settings:

   - **Name**: Type a name for the profile
   - **Description**: Type a description
   - **Platform**: Windows 10 and later
   - **Profile type**: Endpoint protection

   (Screenshot: Create endpoint protection profile)

4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.

5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. To see what the rule would affect before enforcing it, choose **Audit only** first and review the resulting events.

   (Screenshot: Block untrusted processes)

6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.

7. Click **Create** to save the profile, then assign it to the device or user groups it should apply to.
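The following script is an added example, not part of the original page or of Microsoft's tooling, for checking on an enrolled Windows 10 device that the settings above actually arrived. It assumes the Windows Defender PowerShell module. The ASR rule GUID `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` is the documented ID of the "Block untrusted and unsigned processes that run from USB" rule, and `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions` is the standard registry location that the ADMX-backed DeviceInstallation policies write to (so that part of the check applies when you used the custom-profile route).

```powershell
# Added example (not from the original page): verify on an enrolled Windows 10 device
# that real-time protection is on, the USB ASR rule is in Block mode, and any
# DeviceInstallation restrictions delivered through a custom profile are present.
# Assumes the Windows Defender PowerShell module; run in an elevated session.

$UsbAsrRuleId     = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # documented ASR rule ID
$DeviceInstallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbAsrRuleAction {
    # Get-MpPreference exposes ASR rules as two parallel arrays:
    # AttackSurfaceReductionRules_Ids and _Actions (0 = off, 1 = block, 2 = audit).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $UsbAsrRuleId) {
            switch ([int]$acts[$i]) {
                1       { return 'Block' }
                2       { return 'Audit' }
                default { return 'Off' }
            }
        }
    }
    return 'NotConfigured'
}

function Get-DeviceInstallRestrictions {
    # Values written by "Prevent installation of removable devices" and
    # "Prevent installation of devices using drivers that match these device setup classes".
    if (-not (Test-Path $DeviceInstallKey)) {
        return [pscustomobject]@{ DenyRemovableDevices = $false; DenyDeviceClasses = $false; DeniedClassGuids = @() }
    }
    $r = Get-ItemProperty -Path $DeviceInstallKey
    $classKey = Join-Path $DeviceInstallKey 'DenyDeviceClasses'
    $guids = @()
    if (Test-Path $classKey) {
        # The deny list is stored as values named "1", "2", ... under the DenyDeviceClasses subkey.
        $guids = (Get-ItemProperty -Path $classKey).PSObject.Properties |
                 Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        DenyRemovableDevices = ($r.DenyRemovableDevices -eq 1)
        DenyDeviceClasses    = ($r.DenyDeviceClasses -eq 1)
        DeniedClassGuids     = @($guids)
    }
}

$rt   = [bool](Get-MpComputerStatus).RealTimeProtectionEnabled
$asr  = Get-UsbAsrRuleAction
$inst = Get-DeviceInstallRestrictions

[pscustomobject]@{
    RealTimeProtectionEnabled = $rt
    UsbAsrRule                = $asr
    DenyRemovableDevices      = $inst.DenyRemovableDevices
    DeniedDeviceSetupClasses  = ($inst.DeniedClassGuids -join ', ')
} | Format-List

# Non-zero exit if the "protect allowed storage" profile is not fully effective:
# the ASR rule only works with real-time protection on, and only blocks in Block mode.
if (-not $rt -or $asr -ne 'Block') { exit 1 }
```

Run it after the device has completed an Intune sync; an `Audit` result for the rule means the profile applied but is still in audit-only mode, while `NotConfigured` usually means the profile has not been assigned to a group that contains this device.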