I guess it’s time for the sixth part of the Endpoint Security Series. This time I will walk you through what Microsoft Defender Device Control is, how to configure it in Intune and how it works.

I will divide this blog into 8 parts 

  1. Information about device control.
  2. Configuring Device Control in Intune
  3. Results of Blocking Specific Hardware
  4. Results of preventing Write Access Removable Storage
  5. Deploy printer protection on Windows
  6. Digger deeper
  7. Logging
  8. Removing/Changing the policy
  9. Conclusion

1.Information about device control 

Microsoft Defender for Endpoints has a really cool feature to protect devices against data loss. This feature will provide you with a layered approach to secure removable hardware like external hard drives. Of course, this feature there couldn’t be any other name than Windows Defender Device Control.

When making use of Device Control you could make sure there is no possibility for users to install specific hardware on the devices or make sure removable storage can’t be used! 

2.Configuring Device Control in Intune 

Like always, open Intune and Click on Endpoint Security –> Attack Surface Reduction to start creating a new policy.

I am going to split this first one up. Because the first part is sometimes difficult to understand and configure.  The second part about allowing removable storage, sort of speaks for itself. 

1.Allowing / Blocking Hardware

 

These settings allow you to create allow lists or deny lists based on hardware IDs, or specific device GUID allows lists (and deny lists). It allows us to secure the environment based on specific hardware allowed to connect. 

When you configure a block policy it will apply on the device, so even if your end-users are configured as local administrators it will be blocked.

Block / Allow Hardware Device installation by device identifiers 

Specific Hardware IDs you configure in this policy are forbidden and blocked from being installed. 

PLEASE NOTE: The device ID isn’t the PnP ID but the Hardware ID 

*How to find the Device/Hardware Id with the device manager 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

*How to find the Device/Hardware Id with PowerShell? 

Get-WmiObject Win32_PNPEntity | select name,hardwareid | sort-object hardwareid | Get-Unique -asstring  |fl 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Block/ Allow  Hardware device installation by setup classes: 

Device GUIDs entered here are disallowed from installing. Prevent policies have higher priority over allowed policies. If a device class GUID is configured for both allow and disallow policies, then the devices will not be allowed to install. 

*How to find the Class GUID with the device manager 

While I was looking at the device Class GUIDS  I realised I also did a blog on this topic some time ago. The blog will show you how to allow normal users, installing printer drivers on their own.

*How to find the Class GUID with PowerShell? 

Get-WmiObject Win32_PNPEntity | select name,classguid | sort-object classguid | Get-Unique -asstring  |fl 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Block/ Allow  Hardware device installation by  device instance identifiers: 

A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system. The Plug and Play manager assigns a device instance ID to each device node  in a system’s device tree

*How to find the Device instance ID with the Device Manager 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

*How to find the Device instance ID with PowerShell? 

Get-WmiObject Win32_PNPEntity | select name,deviceid | sort-object deviceeid | Get-Unique -asstring  |fl 

2. Configuring USB storage media and Bluetooth  

This one is more clear than blocking or allowing the installation of hardware. Let’s take a look at some of the policies. 

All of these settings above allows us to control what devices to allow to connect to our computers. In the sample above, I am making sure people can still use Removable Storage but I am preventing write access. Setting up a policy like this will make sure, your Company data can’t be copied to a USB stick. 

I am also allowing to use Bluetooth, but just like the removable storage, I am restricting the use of it. 

3.Results of Blocking specific hardware! 

When we have configured an Endpoint Security device control policy to start blocking hardware device installation by device identifier, we need to know what happens to the client. 

First, let’s open the device manager, we will notice the hardware couldn’t be installed. 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Error Code 1:  The installation of this device is blocked by a system policy 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

You will also get a nice toast message with the same message above. 

And of course, the removable storage device in this example is not accessible!

4.Results of preventing Write Access Removable Storage  

Now we have seen what happens when you totally blocked all access to the removable storage, let’s see what happens when you have blocked the possibility to write data to removable storage. 

The only way how you could test it, just to attach a USB removable storage device and try to create a folder or try to copy some data to it. You will be prompted with this error:  ACCESS DENIED!

5. Deploy printer protection on Windows (UPDATE 20-07-2021)

Today a new method for printer protection was released. When talking about Device Control, controlling which printer may be used for printing is great!

Please make sure you have the correct license applied!

  • Microsoft 365 E3 for functionality/policy deployment
  • Microsoft 365 E5 for reporting

The new printer protection feature allows you to block users from printing via a non-corporate network printer or non-approved USB printer. This adds an additional layer of security and data protection for work from home and remote work scenarios.

So how do we configure this?

Before we start we need to make some hard choices, are you going to deploy it to the machine or user context? Now we made a choice, create two CSP’s and configure the values as I show below

MACHINE CONTEXT

*Block printing from non approved printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
Value:<enabled/>

*Define the approved USB printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
Value: <enabled/><data id=”ApprovedUsbPrintDevices_List” value=”03F0/8117,03F0/8217″/>

USER CONTEXT

*Block printing from non approved printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser
Value:<enabled/>

*Define the approved USB printers

OMA-URI: ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser

Value: <enabled/><data id=”ApprovedUsbPrintDevices_List” value=”03F0/8117,03F0/8217″/>

Wondering where the 03f0/8117 stands for? The VID/PID. You could open the device manager to get them?

When you don’t want to take a look in the device manager to find them, please visit this Device Hunt website

USBVID_03F0 – HP, Inc | Device Hunt

And of course, the results when you just plugged in your private USB printing device and want to print something. You will notice the print job will be sent to the spooler but also immediately removed!

Open the event log and open the Print Service event log

When looking and translating the nice dutch text: It will be blocked because of some printer restrictions. The USB printer is not on the list of allowed devices!

6.Digger deeper 

When you want to monitor if the restrictions are configured on the device itself, its best to just open the local registry and open this key 

You will notice all the settings you configured in Intune are deployed to these registry keys 

HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsDeviceInstall 

When looking at this key,  you will notice that there is a difference between blocking Hardware ID’s 

And when you are blocking Device Instance ID’s 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

But how do these keys end up in here? Just like all settings in Intune, A CSP is responsible for it. SO let’s take a look at which one. Open this registry key to start digging. 

HKEY_LOCAL_MACHINESOFTWAREMicrosoftPolicyManagercurrentdevice 

Do you notice the ADMXInstanceData key? Let’s open that one now. 

It has the same json content in it configured which you would do with a CSP. 

OMA-URI:./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs 
DataType:String 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

7. Logging  

Here comes the discussion…. Are we going to block removable storage/limit the use of removable storage or just allow it? 

For each choose you make, you will need to make sure you don’t set and forget. You really need to know when someone is trying to attach a new removable storage device. 

But what to do, when you are not blocking removable storage? Of course, you want to make sure you are logging all of those events. How are we going to make sure we are notified when someone successfully copied a file? MCAS! This is the way! 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Like always, I have done a blog about this subject some time ago. Go out and read it if you are interested!

8.Removing/ Changing the policy 

Removing the whole policy or remove the assignment in Intune will also make sure the settings are removed from the device!  

But beware if you are changing an existing policy and you only remove the Hardware ID’s like below it will not remove the settings from the client 

Afbeelding met tekst  Automatisch gegenereerde beschrijving

You will need to change the: Block hardware device installation by device identifiers to: not configured 

And within a few minutes after syncing the device in Intune the whole register DenyDevicesIDS key is deleted 

Conclusion 

It really depends on the organization you are working for if you need to limit or block or allow and log these types of actions. It’s a good thing Microsoft has all the options available for us to start dancing and do our job!  

Top 30 Constant Sorrow GIFs | Find the best GIF on Gfycat

If you want to read the previous Endpoint Security blogs:

Endpoint Security Series – Call4Cloud

And if you are not interested in the endpoint security blogs I still got some other blogs for you!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.