Block Read and Write access to specific file _Policy.md

Device control policy sample: Block Read and Write access to specific file _Policy

Description: This is a policy.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Name	Devices		Rule Type	Access						Notification	Conditions
	Included	Excluded		Disk Read	Disk Write	Disk Execute	File Read	File Write	File Execute
Block Read and Write access to specific file	Group: Any Removable Storage and CD-DVD and WPD Group_1 (details)		Deny	-	-	-	❌	-	❌	None (0)	View MatchAll: Windows File: MatchAny Group: Block Read and Write access to specific file _Groups_2 (details)
	Audit Denied		📄	📄	📄	📄	📄	📄	Show notification and Send event (3)	-

Groups

Any Removable Storage and CD-DVD and WPD Group_1

This is a group of type Device. The match type for the group is MatchAny.

Property	Value
PrimaryId	RemovableMediaDevices
PrimaryId	CdRomDevices
PrimaryId	WpdDevices

View XML

<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>

Block Read and Write access to specific file _Groups_2

This is a group of type File. The match type for the group is MatchAny.

Property	Value
PathId	*.exe
PathId	*.dll

View XML

<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData -->
	<Name>Block Read and Write access to specific file _Groups_2</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PathId>*.exe</PathId>
		<PathId>*.dll</PathId>
	</DescriptorIdList>
</Group>

Settings

Setting Name	Setting Value	Description	Documentation
DefaultEnforcement	Deny	Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.	documentation
DeviceControlEnabled	True	Enables/disables device control	documentation

Files

This policy is based on information in the following files:

• Group Policy/Block Read and Write access to specific file _Groups.xml
• Group Policy/Any Removable Storage and CD-DVD and WPD Group.xml
• Group Policy/Block Read and Write access to specific file _Policy.xml

Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

Windows

• Intune UX
• Intune Custom Settings
• Group Policy (GPO)

Intune UX

Intune UX is not supported for this policy because:

• File Read (8) is an unsupported access mask
• File Execute (32) is an unsupported access mask
• File Write (16) is an unsupported access mask
• Windows File groups not supported.
• Parameters are not supported

Use Intune custom settings to deploy the policy instead.

Group Policy (GPO)

Define device control policy groups

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
2. Save the XML below to a network share.

<Groups>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
	<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData -->
		<Name>Block Read and Write access to specific file _Groups_2</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PathId>*.exe</PathId>
			<PathId>*.dll</PathId>
		</DescriptorIdList>
	</Group>
</Groups>

3. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.

Define device control policy rules

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
2. Save the XML below to a network share.

<PolicyRules>
	<PolicyRule Id="{5038638c-9352-47bb-88df-8a659f0c02a7}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B5038638c-9352-47bb-88df-8a659f0c02a7%7D/RuleData -->
		<Name>Block Read and Write access to specific file</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
			<Type>Deny</Type>
			<AccessMask>40</AccessMask>
			<Options>0</Options>
			<Parameters MatchType="MatchAll">
				<File MatchType="MatchAny">
					<GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
				</File>
			</Parameters>
		</Entry>
		<Entry Id="{2925ecd8-40dc-42bb-a972-da0de839dd4f}">
			<Type>AuditDenied</Type>
			<AccessMask>63</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>

3. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

Intune Custom Settings

Create custom intune configuration

1. Navigate to Devices > Configuration profiles
2. Click Create (New Policy)
3. Select Platform "Windows 10 and Later"
4. Select Profile "Templates"
5. Select Template Name "Custom"
6. Click "Create"
7. Under Name, enter **
8. Optionally, enter a description
9. Click "Next"

Add a row for Block Read and Write access to specific file

1. Click "Add"

2. For Name, enter Block Read and Write access to specific file

3. For Description, enter **

4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B5038638c-9352-47bb-88df-8a659f0c02a7%7D/RuleData

5. For Data type, select String (XML File)

6. For Custom XML, select windows/device/Intune OMA-URI/block_read_and_write_access_to_specific_file{5038638c-9352-47bb-88df-8a659f0c02a7}.xml

7. Click "Save"

Add a row for Any Removable Storage and CD-DVD and WPD Group_0

1. Click "Add"

2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0

3. For Description, enter **

4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData

5. For Data type, select String (XML File)

6. For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml

7. Click "Save"

Add a row for Unauthorized File Group_0

1. Click "Add"

2. For Name, enter Unauthorized File Group_0

3. For Description, enter **

4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5f619a7-5c58-4927-90cd-75da2348a30f%7D/GroupData

5. For Data type, select String (XML File)

6. For Custom XML, select windows/device/Intune OMA-URI/Unauthorized File Group.xml

7. Click "Save"

Add a row for DefaultEnforcement

1. Click "Add"

2. For Name, enter DefaultEnforcement

3. For Description, enter **

4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

5. For Data type, select Integer

6. For Value, enter 2

7. Click "Save"

Add a row for DeviceControlEnabled

1. Click "Add"

2. For Name, enter DeviceControlEnabled

3. For Description, enter **

4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

5. For Data type, select Integer

6. For Value, enter 1

7. Click "Save"