The USB Security Challenge

Security Threats

USB devices are an attractive vector for attackers: they can be used to exfiltrate data, gain a foothold on systems, and monitor users. The challenge lies in balancing that risk against legitimate business needs.

The Balance Challenge

Organizations often need to allow USB devices for legitimate tasks like copying data or installing software. In such cases, Microsoft Intune can be used to approve specific USB devices while maintaining strict security controls.

Our Solution

This guide demonstrates how to implement a selective USB device control policy that blocks unauthorized devices while allowing pre-approved ones, complete with comprehensive monitoring and reporting capabilities.

Prepare the Policy Files

1. Create Other_USB.xml

This file defines the group for all removable media devices:

Other_USB.xml
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a4345}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a4345%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
</Group>

PowerShell Step: Open PowerShell, run New-Guid, and replace the GUID in the file in both places it appears: the Group Id attribute (between the braces) and the OMA-URI comment on the second line, where it sits between the %7b and the %7d. Both must carry the same GUID.

2. Create Approved_USB.xml

This file defines the approved USB devices that should be allowed:

Approved_USB.xml
<Group Id="{aaa512fa-275f-40e2-a39c-b92c08b3e352}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7baaa512fa-275f-40e2-a39c-b92c08b3e352%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <GroupId>{4d36e978-e325-11ce-bfc1-08002be10318}</GroupId> <!--All Console Cables-->
        <SerialNumberId>20042211921a3FD2E753</SerialNumberId>
        <InstancePathId>USBSTOR\DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00\03003530480520232521&amp;*</InstancePathId>
    </DescriptorIdList>
</Group>

Configuration Steps:

  1. Run New-Guid in PowerShell and replace the GUID (in the Group Id attribute and in the OMA-URI comment)
  2. Add more approved USB devices under DescriptorIdList following the examples
  3. Write every ampersand (&) inside a device ID string as &amp; so the file stays well-formed XML
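The descriptors for an approved device have to be copied exactly as Windows reports them, and the ampersands in them must be escaped before they go into Approved_USB.xml. The following PowerShell script is an added example (not part of the original guide) that lists the currently attached USB mass-storage disks with the built-in Get-PnpDevice cmdlet and prints a ready-to-paste, XML-escaped InstancePathId element for each. The replacement of the trailing instance suffix with &* follows the wildcard form used in the guide's own example and is an assumption about how you want to match the device.

```powershell
# Added example: enumerate attached USB storage disks and emit XML-escaped
# <InstancePathId> descriptors for Approved_USB.xml. Requires a device to be
# attached; nothing is printed otherwise.

function Get-UsbStorageDescriptor {
    # DiskDrive devices whose instance ID starts with USBSTOR\ are USB mass-storage disks
    Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # Assumption (mirrors the guide's example): replace the trailing "&<n>"
            # instance suffix with "&*" so the device matches on any port.
            $path = $_.InstanceId -replace '&\d+$', '&*'

            # The path contains '&' separators; inside XML they must be written as
            # &amp;, which SecurityElement.Escape does (along with <, >, ", ').
            $escaped = [System.Security.SecurityElement]::Escape($path)

            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                XmlElement   = "<InstancePathId>$escaped</InstancePathId>"
            }
        }
}

# One object per attached device; copy XmlElement under <DescriptorIdList>.
Get-UsbStorageDescriptor | Format-List
```

Run it once with the device plugged in, compare the InstanceId with what the device-control events later report in advanced hunting (the DeviceInstanceId field), and paste only the XmlElement line into the policy file.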

3. Create Devices_Policy.xml

This file defines the policy rules for blocking and allowing USB devices:

Devices_Policy.xml
<PolicyRule Id="{c544a991-5786-2819-949e-a032cb790d0e}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-2819-949e-a032cb790d0e%7d/RuleData -->
    <Name>Block Write and Execute Access but allow approved USBs</Name>
    <IncludedIdList>
        <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a4345}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
        <GroupId>{aaa512fa-275f-40e2-a39c-b92c08b3e352}</GroupId>
    </ExcludedIdList>
    <!-- Block read, write and execute -->
    <Entry Id="{f8ddbbc5-8855-4776-a9f4-ee58c3a21414}">
        <Type>Deny</Type>
        <Options>0</Options>
        <AccessMask>15</AccessMask>
    </Entry>
    <!-- Audit denied USB devices notify the user-->
    <Entry Id="{7c518c86-38e5-40a9-86ee-e9f79f136817}">
        <Type>AuditDenied</Type>
        <Options>3</Options>
        <AccessMask>15</AccessMask>
    </Entry>
    <!-- Audit approved USB devices-->
    <Entry Id="{40617182-628e-46c4-9fca-ee1c027ac275}">
        <Type>AuditAllowed</Type>
        <Options>2</Options>
        <AccessMask>15</AccessMask>
    </Entry>
</PolicyRule>

GUID Generation: Run New-Guid for each identifier. Replace the PolicyRule Id in both the attribute and the OMA-URI comment on the second line (between %7b and %7d, the same value in both places), and give each Entry Id its own new GUID; the Entry Ids do not appear in the OMA-URI.
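Keeping each Id attribute in step with the GUID embedded in its OMA-URI comment, and catching a stray unescaped ampersand before the file reaches Intune, is the part of steps 1 to 3 that goes wrong most often. The PowerShell script below is an added example, not code from the original guide: it generates the three files with fresh GUIDs, escapes the device descriptors, parses each file to prove it is well-formed XML, checks that every Id matches its OMA-URI and that the rule references the two generated groups, and prints the OMA-URI you enter for each Intune custom setting. The serial number and instance path are placeholders to replace with your own device's values; the descriptor types, rule name, Options and AccessMask values are the ones the guide uses.

```powershell
# Added example (not from the original guide): build Other_USB.xml, Approved_USB.xml
# and Devices_Policy.xml with new GUIDs, validate them, and print their OMA-URIs.

$base   = './Vendor/MSFT/Defender/Configuration/DeviceControl'
$outDir = Join-Path $PWD 'DeviceControl'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function New-PolicyId { (New-Guid).ToString() }   # lower-case GUID, no braces

function Get-OmaUri([string]$Kind, [string]$Id, [string]$Leaf) {
    # In the OMA-URI the braces around the GUID are percent-encoded: {id} -> %7bid%7d
    "$base/$Kind/%7b$Id%7d/$Leaf"
}

function ConvertTo-XmlText([string]$Value) {
    # '&' in device paths must become &amp; or the file is not well-formed XML
    [System.Security.SecurityElement]::Escape($Value)
}

$anyRemovableId = New-PolicyId
$approvedId     = New-PolicyId
$ruleId         = New-PolicyId
$denyId, $auditDeniedId, $auditAllowedId = 1..3 | ForEach-Object { New-PolicyId }

# Placeholder descriptors (constructed; replace with your approved device's values)
$serial       = ConvertTo-XmlText 'PLACEHOLDER_SERIAL_NUMBER'
$instancePath = ConvertTo-XmlText 'USBSTOR\DISK&VEN_PLACEHOLDER&PROD_PLACEHOLDER&REV_1.00\PLACEHOLDER_SERIAL&*'

$files = [ordered]@{
    'Other_USB.xml' = @"
<Group Id="{$anyRemovableId}">
    <!-- $(Get-OmaUri PolicyGroups $anyRemovableId GroupData) -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
</Group>
"@
    'Approved_USB.xml' = @"
<Group Id="{$approvedId}">
    <!-- $(Get-OmaUri PolicyGroups $approvedId GroupData) -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <SerialNumberId>$serial</SerialNumberId>
        <InstancePathId>$instancePath</InstancePathId>
    </DescriptorIdList>
</Group>
"@
    'Devices_Policy.xml' = @"
<PolicyRule Id="{$ruleId}">
    <!-- $(Get-OmaUri PolicyRules $ruleId RuleData) -->
    <Name>Block Write and Execute Access but allow approved USBs</Name>
    <IncludedIdList><GroupId>{$anyRemovableId}</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>{$approvedId}</GroupId></ExcludedIdList>
    <Entry Id="{$denyId}"><Type>Deny</Type><Options>0</Options><AccessMask>15</AccessMask></Entry>
    <Entry Id="{$auditDeniedId}"><Type>AuditDenied</Type><Options>3</Options><AccessMask>15</AccessMask></Entry>
    <Entry Id="{$auditAllowedId}"><Type>AuditAllowed</Type><Options>2</Options><AccessMask>15</AccessMask></Entry>
</PolicyRule>
"@
}

foreach ($name in $files.Keys) {
    # The [xml] cast throws on an unescaped '&' or a mismatched tag before Intune ever sees the file
    [xml]$doc = $files[$name]
    Set-Content -Path (Join-Path $outDir $name) -Value $files[$name] -Encoding UTF8

    # The Id attribute and the GUID inside the OMA-URI comment must be the same value
    $comment = ($doc.DocumentElement.ChildNodes | Where-Object NodeType -eq 'Comment' |
                Select-Object -First 1).Value.Trim()
    $idInUri = [regex]::Match($comment, '%7b([0-9a-f-]+)%7d').Groups[1].Value
    if ("{$idInUri}" -ne $doc.DocumentElement.Id) { throw "${name}: Id attribute and OMA-URI disagree" }

    '{0,-20} OMA-URI: {1}' -f $name, $comment
}

# The rule must include the "any removable" group and exclude the approved group just created
[xml]$rule = $files['Devices_Policy.xml']
if ($rule.PolicyRule.IncludedIdList.GroupId -ne "{$anyRemovableId}" -or
    $rule.PolicyRule.ExcludedIdList.GroupId -ne "{$approvedId}") {
    throw 'Devices_Policy.xml does not reference the generated group Ids'
}
```

The printed OMA-URI lines are exactly what the custom-template rows in Intune need; the files land in a DeviceControl folder under the current directory, ready to upload as the String (XML file) values.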

Build the Policy in Intune

Policy Creation Steps

  1. Log in to the Intune portal
  2. Navigate to Devices → Configuration
  3. Click Create → New Policy
  4. Configure policy settings:
     • Platform: Windows 10 and later
     • Profile type: Templates
     • Template: Custom
  5. Give it a name and click Next

Configure Each Policy Component

Component 1: Any Removable

Name: Any Removable
Description: Group
Data Type: String (XML file)
File: Other_USB.xml
OMA-URI: Copy the path from the comment on the second line of Other_USB.xml, without the <!-- and --> comment markers

Component 2: Approved USB

Repeat the same process for Approved_USB.xml, using the OMA-URI from its own second-line comment

Component 3: Device Policy

Repeat the same process for Devices_Policy.xml, using the OMA-URI from its own second-line comment (note that this one ends in RuleData, not GroupData)

Final Configuration Steps

  1. Tags: Add tags (optional)
  2. Assignments: Add a group (users or devices, but not mixed)
  3. Applicability Rules: Configure if needed (optional)
  4. Review: Verify all settings and click Create

KQL Script to Get Reports

Advanced Hunting Setup

  1. Go to the Microsoft 365 Defender portal
  2. Navigate to Hunting → Advanced hunting
  3. Click the plus sign and choose Query in editor
  4. Paste the following KQL query:

KQL Query for USB Device Monitoring

KQL - USB Device Monitoring Query
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| where RemovableStoragePolicy == "Block Write and Execute Access but allow approved USBs"
| order by Timestamp desc

Query Analysis Features

  • Device identification details
  • Access attempt logging
  • Policy verdict tracking
  • Serial number capture
  • Timestamp analysis
  • User activity correlation

Final Step: Click Run query to execute the advanced hunting query and view USB device activity reports.

Implementation Success

With this comprehensive USB device control policy, you've successfully implemented a zero-trust approach to removable media while maintaining business flexibility through selective approval mechanisms.

Security Enhanced

Unauthorized USB devices are completely blocked

Selective Access

Approved devices maintain full functionality

Full Visibility

Comprehensive monitoring and reporting

Author

Eitan Talmi

Cybersecurity Expert | Microsoft Defender & Intune Specialist

Specializing in enterprise security solutions, device control policies, and threat protection using Microsoft 365 Defender and Intune. Expert in implementing zero-trust security architectures.
