5/26/2023

Free usb block sft

A common request from information security teams is the ability to block mass storage devices. As every security defender knows, you cannot draw a hard line and block EVERY USB mass storage device. In this blog article, I'll show you how to configure the ability to block mass storage devices with an allow list that you can maintain in Intune and Microsoft Defender for Endpoint.

First off, if you prefer watching video demos, here's a link to a fantastic video that shows you how to configure it. If you prefer to read a tutorial with screenshots, continue on!

The first thing you'll need to do is download (or create from scratch) some XML files that will be needed to configure your policies. You can go to the official GitHub to download samples, or use the XML files I'm using, which I published in my own GitHub. You'll also need a text editor to modify the XML files. I like to use Visual Studio Code or Notepad++.

You'll need 2 "group" XML files and 1 "policy" XML file.

The first XML file we'll need is the Group XML that will specify the type of mass storage. This doesn't block anything but just specifies the "Primary ID." You can find the list of different primary IDs in the documentation. We'll want the Primary ID to be "RemovableMediaDevices." You'll also need a unique GUID. To get one, you can use PowerShell and run the command: [guid]::NewGuid(). That GUID will be entered into the "Group ID=" field between the. Save this file as an XML file with a name you'll remember (i.e.

Next, we'll modify the XML file for your approved USB list. Again, you'll need a unique GUID, so generate one and write it in the file. For this list, we'll be using the InstancePathID. To get the UNIQUE InstancePathID, plug in your USB and open up Device Manager. Your USB drive should appear under Disk Drives. In the device properties, select the tab for Details and the dropdown menu for Device Instance Path. You can manually replace or do a "Find and Replace" of all '&' to '&amp;'. This is because a bare '&' is not valid in XML. Do this for each USB you want to allow and paste it in the USB Allow XML file between the InstancePathID.

The final XML file you need is the Policy XML. You'll need the unique GUIDs from the first two to paste into the correct areas. The Include Group is your USB Group and the Exclude Group is your Allowed USB Group. You'll also need to specify the correct flags to enforce. I'm not allowing audit, so my deny type is 1, which shows a notification when the policy is triggered. My access mask is 6, which blocks write and execute. Here's a list of the flags in the documentation.

Once your XML files are completed, we need to create the policies within Intune. For this, you'll need the OMA-URI strings. I have a text file for my OMA-URI strings on my GitHub. You'll need the Group IDs from your XML files and paste those in between '%7b' and '%7d'. More details on the OMA-URI strings are on the official documentation as well.

Now we move to Endpoint Manager to create the policies. Open up Microsoft Endpoint Manager (MEM) and create a new Windows Configuration Profile.
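To take the hand-editing (and the '&' escaping mistakes) out of the three XML files above, here is an added example, not code from this post or from Microsoft, that generates the two group files and the policy file and the OMA-URI fragment. The element names follow the device-control sample format as I recall it, the AccessMask bit values and the OMA-URI base path are assumptions, and the instance path and GUIDs are constructed samples.

```python
import uuid
import xml.etree.ElementTree as ET

# Assumed AccessMask bit values: 6 = Write (2) + Execute (4).
ACCESS_BITS = {1: "Read", 2: "Write", 4: "Execute"}
# Constructed sample Device Instance Path; note the bare '&' characters
# exactly as Device Manager shows them.
SAMPLE_INSTANCE_PATH = r"USBSTOR\DISK&VEN_EXAMPLE&PROD_USB_DISK&REV_1.00\0123456789&0"
# Assumed OMA-URI base; the group GUID goes between %7b and %7d.
OMA_BASE = "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/"

def access_names(mask: int) -> list:
    """Decode an AccessMask into the operations it covers."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def group_xml(group_id: str, descriptors: list) -> str:
    """One <Group> with a DescriptorIdList; ElementTree escapes '&' for us.
    descriptors is a list of (tag, value), e.g. ("PrimaryId", "RemovableMediaDevices")
    for the USB group or ("InstancePathId", path) for each approved USB."""
    group = ET.Element("Group", Id="{%s}" % group_id)
    ET.SubElement(group, "MatchType").text = "MatchAny"
    dlist = ET.SubElement(group, "DescriptorIdList")
    for tag, value in descriptors:
        ET.SubElement(dlist, tag).text = value
    return ET.tostring(group, encoding="unicode")

def policy_xml(rule_id: str, include_group: str, exclude_group: str,
               access_mask: int = 6, options: int = 1) -> str:
    """Deny rule for include_group (all removable media) minus exclude_group
    (approved USBs); options=1 shows the user a notification."""
    rule = ET.Element("PolicyRule", Id="{%s}" % rule_id)
    ET.SubElement(rule, "Name").text = "Block write/execute on unapproved USB"
    ET.SubElement(ET.SubElement(rule, "IncludedIdList"), "GroupId").text = "{%s}" % include_group
    ET.SubElement(ET.SubElement(rule, "ExcludedIdList"), "GroupId").text = "{%s}" % exclude_group
    entry = ET.SubElement(rule, "Entry", Id="{%s}" % uuid.uuid4())
    ET.SubElement(entry, "Type").text = "Deny"
    ET.SubElement(entry, "Options").text = str(options)
    ET.SubElement(entry, "AccessMask").text = str(access_mask)
    return ET.tostring(rule, encoding="unicode")

def descriptor_values(xml_text: str, tag: str) -> list:
    """Parse a group file back and return the descriptor values (round-trip check)."""
    return [e.text for e in ET.fromstring(xml_text).iter(tag)]

def oma_uri(group_id: str, base: str = OMA_BASE) -> str:
    """Build the OMA-URI with the GUID wrapped in URL-encoded braces."""
    return "%s%%7b%s%%7d/GroupData" % (base, group_id)
```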