MDE ‐ Device Control - mattnovitsch/M365 GitHub Wiki
Summary
This article goes over Device Control for USB and printer blocking using Intune and local policy.
Default Enforcement setting
By default, Device Control allows everything and does not deny any device. You can create a Block All policy in Intune, but then you would have to add exclusions to that same policy. To me, the easier way is to set the default to deny on the device and then create policies that allow only what you need. You can set the default deny for an Intune-managed device by configuring it from the Settings Catalog.
- Navigate to Devices > Windows > Configuration.
- Create a new Windows 10 and later policy with the profile type Settings catalog.
- Give the policy a name, for example "Default Enforcement".
- Click Add settings, then search for "Default Enforcement". Once the search completes, check "Default Enforcement" and, on the left side, select the radio button to set the policy to Default Deny Enforcement.
- Add any scope tags, assign to a test group, and create the policy.
To verify the policy has applied to the machine, you can try to plug in a USB drive and it should be blocked. You can also check the registry entry.
After you select a drive, you will see the device is not accessible.
The other piece that should be blocked is printing. If you try to print to a USB or network printer, the print job is "sent" to the printer but Device Control blocks the job from reaching it. If you print to PDF, the file is created but has a 0 KB file size, and if you open it you get an error.
Registry Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
Allow policies for bulk items
There are several Primary IDs that can be used in policies. These cover bulk categories of devices such as CD/DVD-ROMs, phones connected and mounted to the system, printers, etc. Below is the list of Primary IDs:
- RemovableMediaDevices
- CdRomDevices
- WpdDevices
- PrinterDevices
To create a policy with these we would first need to create the Reusable setting in Intune.
- Navigate to Endpoint Security > Attack Surface Reduction > Reusable Settings
- Click Add, then give your setting a name.
- Click Add under Configuration settings, then select Printer or Removable Storage.
- Click Configure settings and scroll down to PrimaryID. In this example, we will be allowing WpdDevices. Type WpdDevices under PrimaryID and also under Name (the name is not required to match, but it helps keep things simple).
- Navigate back to Endpoint Security > Attack Surface Reduction > Policies and click Create policy. Select Windows as the platform and Device Control as the profile.
- Provide the policy with a name; I would suggest something that makes it easy to tell what it does at a glance, like "WpdDevices allowed" or "Allow Phones".
- Under Configuration Settings, scroll down to Device Control, click Add, then click Configure Instance.
- With the default deny in place, we want to add an Allow type. Under Access mask, you have options to further limit what the user can do. For this example, we will just allow read access. Save at the bottom to complete this step.
- Click "+ Set reusable settings" under Include ID. Click Add next to WpdDevices (or the name of the reusable setting you used in step 4). Don't forget to save this; you might have to scroll down a bit to see the Save button.
- Now give the setting a name; again, I would keep it simple so it is easy to identify later, for you or a colleague. For this example, I will just use WpdDevices.
- Click Next and apply any scope tags you have defined. For assignments, I would HIGHLY encourage you to test this on a small test group so you are not breaking production.
- Review and create the policy. It should look something like this.
Testing and validation
Before
After
Allowing specific USB devices
Gathering data
From my experience with customers and the third-party products they use, there are two main ways to allow very specific devices: the first is by the device serial number and the second is by DeviceInstanceId. Both have some challenges, so you might have to use both or switch between them depending on the peripheral you are plugging in. For example, I have a USB stick that I got from a vendor conference, but I can't use its serial number as it is not in the correct format.
We can check serial numbers a couple of different ways. I prefer PowerShell. Using the cmdlet below you can pull serial numbers for the disks connected to your system.
get-disk
Disk 0 is my hard drive, but disk 1 is the USB stick. You can see the serial number looks odd: too short to be something useful.
If the serial number looks odd to you, for example only 4-5 characters long, then you probably want to switch to the DeviceInstancePath. Open Device Manager and expand Universal Serial Bus controllers. You will see a device in the list called USB Mass Storage Device; that is your USB stick. If you have more than one plugged in, make sure you grab the correct one. Right-click that device and select Properties. Select the Details tab and find the Device Instance Path property. The value there is what we can use as well.
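The two manual lookups above (Get-Disk serial numbers and the Device Manager instance path) gathered by one script. This is an added example, not from the wiki; it assumes Windows 10/11 with the built-in Storage and PnpDevice modules and an elevated session, and the 8-character minimum for a "usable" serial is the script's own assumption, not a Microsoft rule.

```powershell
# Added example (not from the wiki): list candidate identifiers for Device Control allow entries.
# Assumes Windows 10/11 with the built-in Storage and PnpDevice modules, run from an elevated session.
$MinSerialLength = 8   # assumption: treat shorter serials (the wiki saw 4-5 chars) as unusable

function Get-UsbDeviceControlIds {
    $results = @()

    # Option 1: serial numbers from Get-Disk, limited to USB-attached disks.
    foreach ($disk in (Get-Disk | Where-Object { $_.BusType -eq 'USB' })) {
        $serial = ($disk.SerialNumber -replace '\s', '')
        $usable = $serial.Length -ge $MinSerialLength
        $results += [pscustomobject]@{
            Source     = 'Get-Disk'
            Name       = $disk.FriendlyName
            Identifier = $serial
            Usable     = $usable
            Note       = $(if ($usable) { 'Serial looks usable' } else { 'Serial too short, use DeviceInstancePath' })
        }
    }

    # Option 2: the Device Instance Path, the same value Device Manager shows under
    # Details > Device Instance Path for "USB Mass Storage Device" (class USB).
    foreach ($dev in (Get-PnpDevice -PresentOnly -Class USB |
                      Where-Object { $_.FriendlyName -like '*USB Mass Storage Device*' })) {
        $results += [pscustomobject]@{
            Source     = 'Get-PnpDevice'
            Name       = $dev.FriendlyName
            Identifier = $dev.InstanceId
            Usable     = $true
            Note       = 'DeviceInstancePath'
        }
    }

    return $results
}

Get-UsbDeviceControlIds | Format-Table -AutoSize
```

Rows marked Usable are the values to paste into the reusable setting; with several sticks plugged in, match on the Name column so you pick the right one.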
There is one more option. If you don't have access to the device but have Defender for Endpoint deployed in at least passive mode, you can run a KQL query to get the data. Navigate to Defender XDR, then Hunting, then Advanced Hunting.
DeviceEvents
| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
| extend parsed = parse_json(AdditionalFields)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
| where DeviceName contains "Yourdevicenamehere"
| project Timestamp, DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
| order by Timestamp desc
Steps
- Navigate to Endpoint Security > Attack Surface Reduction > Reusable Settings, then click Add.
- Click Add, then Removable Storage.
- Choose the property depending on what you are allowing on: the serial number or the DeviceInstancePath. We will use DeviceInstancePath for this example.
- Add as many as you want/need to exclude from being blocked.
- Under Policies, click Create policy and select Windows for the platform and Device Control for the profile.
- Under Configuration Settings, scroll down to Device Control and click Add. Give the policy a name.
- Click "+ Set reusable settings" and find the reusable setting(s) we created in the previous steps (don't forget to scroll down and save).
- Click Entry, then click Add, which creates an allow entry. Under Access Mask, allow the setting(s) you want for this peripheral.
- Once you are done adding all your peripherals, apply scope tags and assign to your groups (I recommend a test group if at all possible).
Allowing Printers
For printers there are several different options. The following are the categories for printers:
- USB
- Corporate
- Network
- Universal
- File
- Custom
- Local
Since we are denying everything by default, the only thing we want to allow is what meets your requirements. For several of my customers, I have been asked to block all printing except File and Corporate printing. This prevents remote users from printing sensitive data at home or anywhere else they might be. For this example, we are just going to allow File and Corporate printing.
- Navigate to Endpoint Security > Attack Surface Reduction > Reusable Settings then click Add.
- Click Add, then give your setting a name. For this example it will be called "Allow Printers - File and Corporate".
- Click Add under Configuration settings, then select Printer device.
- Configure PrinterConnectionID with File and put File in the name.
- Repeat steps 3-4 for Corporate printers.
- Under policies, click Create policy and select Windows for the platform and Device Control under the profile.
- Give the policy a name, for example "Allow Printers"
- Under Configuration Settings, scroll down to Device Control and click Add.
- Give the setting a name, I used "Allow File and Corporate Printers".
- Click "+ Set reusable settings" and find the reusable setting(s) we created in the previous steps (don't forget to scroll down and save).
- Click Entry, then click Add, which creates an allow entry. Under Access Mask, allow the Print setting.
- Apply scope tags and assign to your groups (I recommend a test group if at all possible).
Gotchas
Printing is handled a bit differently than I was expecting; my expectation was that we would not be able to print at all. However, if you are blocking file printing, it will still let you print to a file, but nothing is in the file and it gives you a warning about the file.
For printing to a physical printer, it will send the print job to the print spooler but then block it from going to the printer itself. I was testing with no paper in my printer so I wouldn't waste paper, but that broke the process. Once I used the printer normally, the control did what it was supposed to do.