Thursday, December 16, 2021

Block USB in Microsoft Defender for Endpoint and Intune

A common request from information security teams is the ability to block mass storage devices. As every security defender knows, you cannot draw a hard line and block EVERY USB mass storage device; exceptions will always come up. In this blog article, I'll show you how to block mass storage devices while maintaining an allow list of approved devices in Intune and Microsoft Defender for Endpoint.

 

First off, if you prefer watching video demos, here's a link to a fantastic video that shows you how to configure it. If you prefer to read a tutorial with screenshots, continue on!

 

The first thing you'll need to do is download (or create from scratch) the XML files that are needed to configure your policies. You can download samples from the official GitHub, or use the XML files I'm using, which I published in my own GitHub. You'll also need a text editor to modify the XML files; I like to use Visual Studio Code or Notepad++.

 

You'll need 2 "group" XML files and 1 "policy" XML file. The first XML file we'll need is the Group XML that specifies the type of mass storage. This doesn't block anything; it just specifies the "Primary ID." You can find the list of the different Primary IDs in the documentation. We want the Primary ID to be "RemovableMediaDevices." You'll also need a unique GUID. To get one, open PowerShell and run the command: [guid]::NewGuid(). Enter that GUID in the "Group ID=" field between the {}. Save this file as an XML file with a name you'll remember (e.g. AllUSBGroup).

 


Next, we'll modify the XML file for your approved USB list. Again, you'll need a unique GUID, so generate one and write it in the file. For this list, we'll be using the InstancePathID. To get the unique Instance Path ID of a drive, plug in the USB drive and open Device Manager. The drive should appear under Disk Drives. Right-click it and open Properties.

 


In the device properties, select the Details tab and choose Device Instance Path from the Property dropdown. Right-click the value and copy it.

 


Paste it into your text editor of choice. Manually replace, or use Find and Replace to change, every '&' to '&amp;'. This is necessary because a bare '&' is not valid in XML and must be written as the entity '&amp;'. Do this for each USB you want to allow and paste each result into the USB Allow XML file between the InstancePathID tags.
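The two group files described above (the "all removable media" group and the allowed-USB group) can be produced in one go from PowerShell, which also takes care of the GUID generation and the '&' escaping. This is an added example, not code from the original post: the element names (Group, DescriptorIdList, PrimaryId, InstancePathId) follow Microsoft's sample group XML, Get-PnpDevice returns the same string Device Manager shows as "Device Instance Path", and the output folder and file names are assumptions.

```powershell
# Added example, not code from the original post: write the two group XML files.
# AllUSBGroup.xml selects every removable media device by PrimaryId (identifies, blocks nothing);
# AllowedUSBGroup.xml lists the Device Instance Paths of the USB disks attached right now.
# The output folder is an assumption.
$OutDir = Join-Path $env:USERPROFILE 'DeviceControl'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function New-DeviceControlGroupXml {
    param([string[]] $Descriptors)   # already-formed <...Id>...</...Id> lines
    # One fresh GUID per group, the same value [guid]::NewGuid() gives you by hand
    $GroupId = [guid]::NewGuid().ToString()
    $Body = ($Descriptors | ForEach-Object { "        $_" }) -join "`r`n"
    $Xml = @"
<Group Id="{$GroupId}">
    <DescriptorIdList>
$Body
    </DescriptorIdList>
</Group>
"@
    $Xml
}

# Group 1: every removable media device
$AllUsbXml = New-DeviceControlGroupXml -Descriptors '<PrimaryId>RemovableMediaDevices</PrimaryId>'

# Group 2: the drives to exempt. USB disk instance paths start with USBSTOR\DISK.
$InstancePaths = Get-PnpDevice -Class DiskDrive -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\DISK*' } |
    Select-Object -ExpandProperty InstanceId
if (-not $InstancePaths) {
    Write-Warning 'No USB disk drives are attached; plug in the drive(s) you want to allow and rerun.'
}

# Paths contain '&' (e.g. VEN_xxx&PROD_yyy). A bare '&' is not valid XML, so escape it
# to '&amp;' (the find-and-replace step from the post, done automatically).
$Allowed = foreach ($Path in $InstancePaths) {
    '<InstancePathId>{0}</InstancePathId>' -f [System.Security.SecurityElement]::Escape($Path)
}
$AllowedUsbXml = New-DeviceControlGroupXml -Descriptors @($Allowed)

Set-Content -Path (Join-Path $OutDir 'AllUSBGroup.xml')     -Value $AllUsbXml     -Encoding UTF8
Set-Content -Path (Join-Path $OutDir 'AllowedUSBGroup.xml') -Value $AllowedUsbXml -Encoding UTF8

# Sanity check before uploading: both files must parse as XML and carry a GUID Group Id
foreach ($Name in 'AllUSBGroup.xml', 'AllowedUSBGroup.xml') {
    [xml]$Doc = Get-Content -Raw -Path (Join-Path $OutDir $Name)
    $Id = $Doc.Group.Id.Trim('{', '}')
    $Parsed = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$Parsed)) { throw "$Name has an invalid Group Id" }
    '{0}: Group Id {1}, {2} descriptor(s)' -f $Name, $Doc.Group.Id, $Doc.SelectNodes('//DescriptorIdList/*').Count
}
```

Run it with the drives you want to allow plugged in; the final loop re-parses what was written, so a stray unescaped '&' or a malformed GUID fails here rather than after the Intune upload.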

 


The final XML file you need is the Policy XML. You'll need the unique GUIDs from the first two files to paste into the correct areas: the Include Group is your USB Group and the Exclude Group is your Allowed USB Group. You'll also need to specify the correct flags to enforce. I'm not allowing audit, so my deny type is 1, which shows a notification when the policy is triggered. My access mask is 6, which blocks write and execute. Here's a list of the flags in the documentation.

 


Once your XML files are completed, we need to create the policies within Intune. For this, you'll need the OMA-URI strings. I have a text file with my OMA-URI strings on my GitHub. You'll need the Group IDs from your XML files; paste them in between '%7b' and '%7d'. More details on the OMA-URI strings are in the official documentation as well.
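Rather than pasting GUIDs into the text file by hand, the OMA-URI for each row can be derived from the Id already stored in the XML file, which avoids a mismatch between the two. This is an added example, not from the original post or the text file it refers to. The URI formats are the PolicyGroups/GroupData and PolicyRules/RuleData paths from the Defender device-control documentation; note that the policy row's URI uses the Id on the PolicyRule element, not a group Id. The file names are assumptions matching the ones suggested earlier in the post.

```powershell
# Added example, not code from the original post: build the custom OMA-URI for a
# device-control group or policy file from the Id attribute inside that file.
function Get-DeviceControlOmaUri {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [ValidateSet('Group', 'Policy')] [string] $Kind
    )

    [xml]$Doc = Get-Content -Raw -Path $XmlPath

    # Group files have a <Group Id="{...}"> root; policy files have <PolicyRule Id="{...}">
    $RootName = if ($Kind -eq 'Group') { 'Group' } else { 'PolicyRule' }
    $Node = $Doc.$RootName
    if (-not $Node) { throw "$XmlPath does not have a <$RootName> root element" }

    # Strip the braces and confirm what is left really is a GUID
    $Id = $Node.Id.Trim('{', '}')
    $Guid = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$Guid)) { throw "Id '$($Node.Id)' in $XmlPath is not a valid GUID" }

    # The braces are URL-encoded in the OMA-URI: %7b is '{' and %7d is '}'
    if ($Kind -eq 'Group') {
        "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b$Guid%7d/GroupData"
    } else {
        "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b$Guid%7d/RuleData"
    }
}

# Assumed file names: two group files and one policy file, as described in the post
$Files = @(
    @{ Path = '.\AllUSBGroup.xml';     Kind = 'Group'  }
    @{ Path = '.\AllowedUSBGroup.xml'; Kind = 'Group'  }
    @{ Path = '.\BlockUSBPolicy.xml';  Kind = 'Policy' }
)

# Print one line per Intune row: file name and the OMA-URI to paste for it
foreach ($f in $Files) {
    '{0,-22} {1}' -f (Split-Path -Leaf $f.Path), (Get-DeviceControlOmaUri -XmlPath $f.Path -Kind $f.Kind)
}
```

Each printed URI pairs with the XML file on the same line, which is exactly the OMA-URI / String (XML) upload pair entered for each row in the custom profile.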

 


Now we move to Endpoint Manager to create the policies. Open up Microsoft Endpoint Manager (MEM) and create a new Windows Configuration Profile. It should be a Custom Template.

 


Name the Profile and hit next:

 


Add a new Row with something similar to below:

 

Name: AllUSBGroup

Description: Group for All Removable Devices

OMA-URI: *Copy the string from the text file for your USB Group*

Data Type: String (XML) - *Upload your USB Group XML*

 


Add a 2nd row and repeat the process for the Allowed USB XML. Do not create a separate configuration profile. Keep all the OMA-URI settings in one profile. Add a 3rd row and repeat for the Block USB Policy. Deploy it to a test group of devices first before pushing out to production.

 


Go to your device that you deployed the policy to and make sure that it syncs with Intune. It might take a couple of restarts. Review the configuration profile to ensure the policy has successfully deployed.

 


Now let's test the behavior on the device! When I insert a USB that is not on the allowed list, I get this message:

 


When I try to execute Autoruns on the USB, it gives me an error.


However, when I put a USB in that is on the allowed list, I'm able to write to the USB without issues.

 


You can also search for USB events in Microsoft Defender for Endpoint. Here's an example of a query you can use.

 


If you get additional USBs that you need to allow, edit your XML file. There are also ways to allow an entire manufacturer, by deleting the unique USB ID from the end of the instance ID. Hopefully this helps security defenders who are trying to block USB mass storage using Intune and Defender for Endpoint.

 

 

Posted at https://sl.advdat.com/3pW7B4I