Skip to content

Latest commit

 

History

History
377 lines (285 loc) · 12.8 KB

Scenario 2 GPO Policy - Audit Write and Execute access to all but block specific unapproved USBs.md

File metadata and controls

377 lines (285 loc) · 12.8 KB

Device control policy sample: Scenario 2

Description: This is a policy.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

Policy Rules

Name Devices Rule Type Access Notification Conditions
Included Excluded Disk Read Disk Write Disk Execute File Read File Write File Execute
Block Write and Execute access to all but block specific unapproved USBs
    		Deny - - - - None (0) -
    Audit Denied - 📄 📄 - - - Show notification and Send event (3) -
    Audit Write and Execute access to others
    • Group: Any Removable Storage and CD-DVD and WPD Group_1 (details)
    		Audit Allowed - 📄 📄 - 📄 📄 Send event (2) -

    Groups

    Approved USBs Group_1

    This is a group of type Device. The match type for the group is MatchAny.

    Property Value
    InstancePathId USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\03003324080520232521&0
    View XML 
    <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
	<Name>Approved USBs Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
	</DescriptorIdList>
</Group>

    Any Removable Storage and CD-DVD and WPD Group_1

    This is a group of type Device. The match type for the group is MatchAny.

    Property Value
    PrimaryId RemovableMediaDevices
    PrimaryId CdRomDevices
    PrimaryId WpdDevices
    View XML 
    <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>

    Settings

    Setting Name Setting Value Description Documentation
    DefaultEnforcement Deny Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. documentation
    DeviceControlEnabled True Enables/disables device control documentation

    Files

    This policy is based on information in the following files:

    Deployment Instructions

    Device control policy rules and groups can be deployed through the following management tools:

    Windows

    Intune UX

    Intune UX is not supported for this policy because:

    • File Write (16) is an unsupported access mask
    • File Execute (32) is an unsupported access mask

    Use Intune custom settings to deploy the policy instead.

    Group Policy (GPO)

    Define device control policy groups
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
    2. Save the XML below to a network share.
    <Groups>
	<Group Id="{65fa649a-a111-4912-9294-fb6337a25038}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData -->
		<Name>Approved USBs Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003324080520232521&amp;0</InstancePathId>
		</DescriptorIdList>
	</Group>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
</Groups>
    1. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
    Define device control policy rules
    1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
    2. Save the XML below to a network share.
    <PolicyRules>
	<PolicyRule Id="{23b8e437-66ac-4b32-b3d7-24044637fc98}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B23b8e437-66ac-4b32-b3d7-24044637fc98%7D/RuleData -->
		<Name>Block Write and Execute access to all but block specific unapproved USBs</Name>
		<IncludedIdList>
			<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{5fbf7a77-0e50-456a-bb25-1b60e1b9b288}">
			<Type>Deny</Type>
			<AccessMask>6</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{e1caaa4e-7bd1-4812-bec0-5a5973cb88f4}">
			<Type>AuditDenied</Type>
			<AccessMask>6</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
	<PolicyRule Id="{b58ab853-9a6f-405c-a194-740e69422b48}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb58ab853-9a6f-405c-a194-740e69422b48%7D/RuleData -->
		<Name>Audit Write and Execute access to others</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
			<GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
		</ExcludedIdList>
		<Entry Id="{979701d8-584a-4f27-8b68-2ecca59ccabd}">
			<Type>AuditAllowed</Type>
			<AccessMask>54</AccessMask>
			<Options>2</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
    1. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

    Intune Custom Settings

    Create custom intune configuration
    1. Navigate to Devices > Configuration profiles
    2. Click Create (New Policy)
    3. Select Platform "Windows 10 and Later"
    4. Select Profile "Templates"
    5. Select Template Name "Custom"
    6. Click "Create"
    7. Under Name, enter **
    8. Optionally, enter a description
    9. Click "Next"
    Add a row for Block Write and Execute access to all but block specific unapproved USBs

    1. Click "Add"

    2. For Name, enter Block Write and Execute access to all but block specific unapproved USBs

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7B23b8e437-66ac-4b32-b3d7-24044637fc98%7D/RuleData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/block_write_and_execute_access_to_all_but_block_specific_unapproved_usbs{23b8e437-66ac-4b32-b3d7-24044637fc98}.xml

    7. Click "Save"

    Add a row for Audit Write and Execute access to others

    1. Click "Add"

    2. For Name, enter Audit Write and Execute access to others

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb58ab853-9a6f-405c-a194-740e69422b48%7D/RuleData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/audit_write_and_execute_access_to_others{b58ab853-9a6f-405c-a194-740e69422b48}.xml

    7. Click "Save"

    Add a row for Approved USBs Group_0

    1. Click "Add"

    2. For Name, enter Approved USBs Group_0

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B65fa649a-a111-4912-9294-fb6337a25038%7D/GroupData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Approved USBs Group.xml

    7. Click "Save"

    Add a row for Any Removable Storage and CD-DVD and WPD Group_0

    1. Click "Add"

    2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData

    5. For Data type, select String (XML File)

    6. For Custom XML, select windows/device/Intune OMA-URI/Any Removable Storage and CD-DVD and WPD Group.xml

    7. Click "Save"

    Add a row for DefaultEnforcement

    1. Click "Add"

    2. For Name, enter DefaultEnforcement

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

    5. For Data type, select Integer

    6. For Value, enter 2

    7. Click "Save"

    Add a row for DeviceControlEnabled

    1. Click "Add"

    2. For Name, enter DeviceControlEnabled

    3. For Description, enter **

    4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

    5. For Data type, select Integer

    6. For Value, enter 1

    7. Click "Save"