u/I-am-TeX

▲ 3 r/Intune

Device Control policy - Block ALL USB data storage devices + whitelist selected

Hi all,

I have been fighting for a long time with the configuration of the Device Control policy and I was close to giving up, but then I remembered that I have you, the last hope of humanity.

Use case:

- I want to block ALL USB data storage devices (Pendrives, External drives, SD/CF cards etc.)

- I don't want to block: USB Cameras, Optical drives DVD/CD, HID devices (keyboard, mice) etc.

- I want to have the possibility to whitelist USB devices (dongle keys, some specific Pendrives)

What I have configured:

- I have configured Endpoint Security > ASR > Device Control policy and named it "wdasr-tst-comp-corp-DC-global"

- I have assigned to it my test device, which is in a group named: "sga-tst-comp-freddyautopilotonly-global"

What is already working:

- blocking of ALL USB data storage devices (pendrive, disk drives etc.)

- the rest of the devices are unblocked (cameras, HID devices, optical drives etc.)

What is not working:

- whitelisting USB devices (not fully working, only partly). For example, I could whitelist the CF Card using its Serial Number, but I cannot whitelist the PNY 16GB pendrive... Reusable settings which are used for these devices: "ALLOWED - USB Sticks": CF Card, USB16GB. USB16GB is not working when I use its SerialNumber or DeviceId.

Device control policy configuration:

Defender:

Device Control: ENABLED

Device Control:

Name: BLOCK USB MASS STORAGE

  • Included devices: "USB Mass storage devices", Access: Type: DENY, Options: None, Access Mask: Read, Write, Execute.

Name: ALLOWED USB DEVICES

  • Included devices: "ALLOWED - USB Sticks", Access: Type: ALLOW, Options: None, Access Mask: Read, Write, Execute.

Reusable settings:

  1. Setting group name: "USB Mass storage devices": Name: RemovableMediaDevices, PrimaryId: RemovableMediaDevices.
  2. Setting group name: "ALLOWED - USB Sticks":
    1. Name: CF Card, Type: removable storage, SerialnumberId: 058F63666479.
    2. Name: USB16GB, Type: removable storage, SerialnumberId: FC8E9096.

Quick summary:

When I try to whitelist USB16GB with Serial number FC8E9096 or DeviceId it doesn't work. It is always blocked.

CF Card has no problem - I can easily whitelist it.

Below I will paste information from Device Manager about my USB Stick/Pendrive that I want to whitelist.

```
Device USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\FC8E9096&0 was configured.
Driver Name: disk.inf
Driver Package ID: disk.inf_amd64_3e3ac488fc4fdb54
Class GUID: {4d36e967-e325-11ce-bfc1-08002be10318}
Driver Date: 06/21/2006
Driver Version: 10.0.26100.5074
Driver Provider: Microsoft
Driver Section: disk_install.NT
Driver Rank: 0xFF0006
Matching Device ID: GenDisk
Outranked Drivers: disk.inf:GenDisk:00FF2002
Device Updated: false
Parent Device: USB\VID_058F&PID_6387\FC8E9096
```

I would be really glad if someone would help me adjust the existing configuration or provide a new working solution.

Thank you in advance for your help.

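For anyone mapping this setup onto the device control XML that the policy engine consumes (an added example, not the poster's configuration or Microsoft's own sample): the two reusable settings groups become `Group` elements, and the pattern Microsoft's device control documentation uses for "block everything except these" is one Deny rule that lists the allowed group in its `ExcludedIdList`, rather than a separate Allow rule competing with the Deny. The GUIDs are constructed placeholders; serial numbers and VID/PID are taken from the post, and the two documents are deployed as two separate files (groups and rules).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- File 1: groups (GUIDs are constructed placeholders, replace before use) -->
<Groups>
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <Name>USB Mass storage devices</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="{22222222-2222-2222-2222-222222222222}" Type="Device">
    <Name>ALLOWED - USB Sticks</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <!-- CF Card, matched on the serial number from the post -->
      <SerialNumberId>058F63666479</SerialNumberId>
      <!-- USB16GB: serial taken from "Parent Device: USB\VID_058F&PID_6387\FC8E9096" -->
      <SerialNumberId>FC8E9096</SerialNumberId>
      <!-- Broader fallback (any device with this VID/PID), derived from the same
           Parent Device line; keep commented out unless a serial match is not enough.
      <VID_PID>058F_6387</VID_PID> -->
    </DescriptorIdList>
  </Group>
</Groups>

<?xml version="1.0" encoding="utf-8"?>
<!-- File 2: rules. The allowed group is excluded from the deny rule, so the
     deny entry never applies to it; no separate Allow rule is needed. -->
<PolicyRules>
  <PolicyRule Id="{33333333-3333-3333-3333-333333333333}">
    <Name>BLOCK USB MASS STORAGE except allowed sticks</Name>
    <IncludedIdList>
      <GroupId>{11111111-1111-1111-1111-111111111111}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>{22222222-2222-2222-2222-222222222222}</GroupId>
    </ExcludedIdList>
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>Deny</Type>
      <Options>0</Options>
      <!-- AccessMask 7 = Read (1) + Write (2) + Execute (4) -->
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{55555555-5555-5555-5555-555555555555}">
      <!-- Audit the denial so blocked devices are visible in the event log -->
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

The AuditDenied entry is what makes a still-blocked stick diagnosable: the event it raises records which descriptor the device matched, so a device that is blocked despite being in the allowed group can be checked against the serial the engine actually saw.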