
Block USB Devices Using Microsoft Intune and Defender for Endpoint

Author: Eitan Talmi

3 min read · Apr 10, 2024

USB devices are attractive targets for cybercriminals, as they can be used to steal data, gain access to systems, and monitor users. Organizations often need to allow USB devices for tasks like copying data or installing software. In such cases, Microsoft Intune can be used to approve specific USB devices.

Prepare the Policy Files

1. Create a file named Other_USB.xml

Paste the following into the file:

<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a4345}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a4345%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
</Group>

2. Open PowerShell

Run the command New-Guid and replace the GUID in the file with the value you got, both in the Group Id attribute and in the OMA-URI comment, where it sits between the %7b and the %7d.

3. Create a file named Approved_USB.xml

Paste the following into the file:

<Group Id="{aaa512fa-275f-40e2-a39c-b92c08b3e352}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7baaa512fa-275f-40e2-a39c-b92c08b3e352%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <GroupId>{4d36e978-e325-11ce-bfc1-08002be10318}</GroupId> <!--All Console Cables-->
        <SerialNumberId>20042211921a3FD2E753</SerialNumberId>
        <!-- Every & in the instance path must be written as &amp; or the XML will not parse -->
        <InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003530480520232521&amp;*</InstancePathId>
    </DescriptorIdList>
</Group>

4. Open PowerShell

Run the command New-Guid and replace the GUID in the file with the value you got, both in the Group Id attribute and in the OMA-URI comment, where it sits between the %7b and the %7d.

5. Add Approved USB Devices

Under the DescriptorIdList, you can add more approved USB devices following the examples provided. Make sure every ampersand (&) in a device ID string is escaped as &amp; so the file remains well-formed XML.

6. Create a file named Devices_Policy.xml

Paste the following into the file:

<PolicyRule Id="{c544a991-5786-2819-949e-a032cb790d0e}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-2819-949e-a032cb790d0e%7d/RuleData -->
    <Name>Block Write and Execute Access but allow approved USBs</Name>
    <IncludedIdList>
        <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a4345}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
        <GroupId>{aaa512fa-275f-40e2-a39c-b92c08b3e352}</GroupId>
    </ExcludedIdList>
    <!-- Block read, write and execute -->
    <Entry Id="{f8ddbbc5-8855-4776-a9f4-ee58c3a21414}">
        <Type>Deny</Type>
        <Options>0</Options>
        <AccessMask>15</AccessMask>
    </Entry>
    <!-- Audit denied USB devices and notify the user -->
    <Entry Id="{7c518c86-38e5-40a9-86ee-e9f79f136817}">
        <Type>AuditDenied</Type>
        <Options>3</Options>
        <AccessMask>15</AccessMask>
    </Entry>
    <!-- Audit approved USB devices -->
    <Entry Id="{40617182-628e-46c4-9fca-ee1c027ac275}">
        <Type>AuditAllowed</Type>
        <Options>2</Options>
        <AccessMask>15</AccessMask>
    </Entry>
</PolicyRule>

7. Open PowerShell

Run the command New-Guid and replace the PolicyRule ID in the file with the value you got, both in the Id attribute and in the OMA-URI comment, where it sits between the %7b and the %7d. Generate a new GUID for each Entry Id as well. The GroupId values under IncludedIdList and ExcludedIdList must be the GUIDs you generated for Other_USB.xml and Approved_USB.xml, so the rule refers to the groups you actually created.
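As an added example that is not part of the original post, the PowerShell script below carries out steps 1 to 7 in one go: it generates the three GUIDs, writes the three files with matching IDs and correctly percent-encoded OMA-URI comments, escapes the ampersands in the InstancePathId, and checks that every GroupId the rule references is one of the groups it just created. The serial number and instance path are constructed placeholders, and the console-cable class descriptor from Approved_USB.xml is left out.

```powershell
# Added example, not from the original post. Constructed placeholder device values:
$approvedSerial = 'PLACEHOLDER-SERIAL'
$approvedPath   = 'USBSTOR\DISK&VEN_PLACEHOLDER&PROD_PLACEHOLDER&REV_1.00\PLACEHOLDER&*'
$allRemovableId = [guid]::NewGuid()   # group in Other_USB.xml
$approvedId     = [guid]::NewGuid()   # group in Approved_USB.xml
$ruleId         = [guid]::NewGuid()   # PolicyRule in Devices_Policy.xml

function Get-OmaUri([string]$container, [guid]$id, [string]$leaf) {
    # Intune expects the braces around the GUID percent-encoded: %7b<guid>%7d
    "./Vendor/MSFT/Defender/Configuration/DeviceControl/$container/%7b$id%7d/$leaf"
}
function New-GroupXml([guid]$id, [string[]]$descriptors) {
    $list = ($descriptors | ForEach-Object { "        $_" }) -join "`n"
    "<Group Id=`"{$id}`">`n    <!-- $(Get-OmaUri 'PolicyGroups' $id 'GroupData') -->`n" +
    "    <MatchType>MatchAny</MatchType>`n    <DescriptorIdList>`n$list`n    </DescriptorIdList>`n</Group>"
}
function New-Entry([string]$type, [int]$options) {
    # AccessMask 15 = read + write + execute, the mask every entry in the post uses
    "    <Entry Id=`"{$([guid]::NewGuid())}`"><Type>$type</Type><Options>$options</Options><AccessMask>15</AccessMask></Entry>"
}

# Escape() rewrites each raw & in the instance path as &amp; so the file stays well-formed XML
$escapedPath = [System.Security.SecurityElement]::Escape($approvedPath)
$files = [ordered]@{
    'Other_USB.xml'      = New-GroupXml $allRemovableId @('<PrimaryId>RemovableMediaDevices</PrimaryId>')
    'Approved_USB.xml'   = New-GroupXml $approvedId @("<SerialNumberId>$approvedSerial</SerialNumberId>",
                                                      "<InstancePathId>$escapedPath</InstancePathId>")
    'Devices_Policy.xml' = @"
<PolicyRule Id="{$ruleId}">
    <!-- $(Get-OmaUri 'PolicyRules' $ruleId 'RuleData') -->
    <Name>Block Write and Execute Access but allow approved USBs</Name>
    <IncludedIdList><GroupId>{$allRemovableId}</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>{$approvedId}</GroupId></ExcludedIdList>
$(New-Entry 'Deny' 0)
$(New-Entry 'AuditDenied' 3)
$(New-Entry 'AuditAllowed' 2)
</PolicyRule>
"@
}
# Each file must parse, and every GroupId the rule references must be one of the groups
# generated above; the rule only works when it carries the same GUIDs as the group files.
$known = @($allRemovableId, $approvedId) | ForEach-Object { "{$_}" }
foreach ($file in $files.GetEnumerator()) {
    [xml]$doc = $file.Value
    foreach ($ref in $doc.SelectNodes('//GroupId')) {
        if ($known -notcontains $ref.InnerText) { throw "$($file.Key): unknown GroupId $($ref.InnerText)" }
    }
    Set-Content -Path $file.Key -Value $file.Value -Encoding UTF8
}
```

The three files are written to the current directory and can then be uploaded in the Intune steps that follow; the OMA-URI for each is the comment on its second line.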

Build the Policy in Intune

  1. Log in to the Intune portal: https://intune.microsoft.com/
  2. Click on Devices → Configuration
  3. Click on Create → New Policy
  4. For Platform, choose Windows 10 and later
  5. For Profile type, choose Templates
  6. From the Template name list, choose Custom and click on Create
  7. Give the profile a name and click on Next
  8. Click on Add
  9. In the Name field, type Any Removable
  10. In the Description field, type Group
  11. In the OMA-URI field, paste the second line of the Other_USB.xml file without the comment markers (<!-- and -->)
  12. For Data type, choose String (XML file) and select the Other_USB.xml file
  13. Click on Save
  14. Repeat steps 8 to 13 for Approved_USB.xml and Devices_Policy.xml
  15. Add scope tags (optional)
  16. Under Assignments, add a group; it can contain users or devices, but not a mix of both
  17. Configure Applicability Rules if needed (optional)
  18. Click on Create

KQL Script to Get Reports

  1. Go to https://security.microsoft.com/
  2. Click on Hunting → Advanced hunting
  3. Click on the plus sign and choose Query in editor
  4. Paste the following query into the query editor:

DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| where RemovableStoragePolicy == "Block Write and Execute Access but allow approved USBs"
| order by Timestamp desc

  5. Click on Run query