Controlling devices connected to Windows devices

This week is all about device control. Device control is often referred to as a feature of Microsoft Defender for Endpoint and is focused on preventing data leakage. That is achieved by limiting the devices that can be connected to a Windows device. The idea is also pretty straightforward: control which devices can connect to a Windows device. That can be achieved by looking at the hardware device installation, at the removable storage and at the Bluetooth connections. Besides that, it's even possible to get creative with printers. Most of these settings – with the exception of the printer settings – are configurable via the endpoint security options, but most settings are actually configured via different CSPs on the Windows device. This post will walk through the actions to configure the different device control settings, followed by a look at the user experience.

Note: As with most Microsoft Defender functionality, the configuration options (protect) are available within a Microsoft 365 E3 license and the reporting options and more (detect and respond) are available within a Microsoft 365 E5 license.

Configuration of the device control settings

When looking at the configuration of the device control settings, most settings are pretty straightforward to configure. That's because most device control settings can be configured by using an attack surface reduction policy. The only exception is the device control policies for printers. Those settings are not yet available there.

Configuring a device control policy for the generic settings

As mentioned, most device control settings can be configured with a policy in the attack surface reduction category. More specifically, a device control profile. The eight steps below walk through the process of creating such a profile and provide some context with the different available settings. When needed, short PowerShell examples are provided to retrieve the required information.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Attack surface reduction
  2. On the Endpoint security | Attack surface reduction blade, click Create Policy
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Windows 10 and later as value
  • Profile: Select Device control as value
  4. On the Basics page, provide the following information for the profile and click Next
  • Name: Provide a valid name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a valid description for the profile to further differentiate profiles
  • Platform: (Pre-selected) Windows 10 and later
  5. On the Configuration settings page, configure the required values for the following settings (numbered as in Figure 1 and described below) and click Next
  • Allow hardware device installation by device identifiers (1): This setting can be used to enable Windows to install or update any device whose Plug and Play (PnP) hardware ID or compatible ID appears in the specified allow list. The allow list becomes available after enabling this setting and it configures AllowInstallationOfMatchingDeviceIDs.
  • Block hardware device installation by device identifiers (2): This setting can be used to prevent Windows from installing or updating any device whose Plug and Play (PnP) hardware ID or compatible ID appears in the specified block list. The block list becomes available after enabling this setting and it configures PreventInstallationOfMatchingDeviceIDs. The hardware ID of a device can be retrieved with:
Get-WmiObject -Class Win32_PNPEntity -Filter "Name='YourPnPNDevice'" | Select Name, HardwareID
  • Allow hardware device installation by setup class (3): This setting can be used to enable Windows to install or update device drivers whose device setup class globally unique identifiers (GUIDs) appear in the specified allow list. The allow list becomes available after enabling this setting and it configures AllowInstallationOfMatchingDeviceSetupClasses.
  • Block hardware device installation by setup classes (4): This setting can be used to prevent Windows from installing or updating device drivers whose device setup class globally unique identifiers (GUIDs) appear in the specified block list. The block list becomes available after enabling this setting and it configures PreventInstallationOfMatchingDeviceSetupClasses. The setup class GUID of a device can be retrieved with:
Get-WmiObject -Class Win32_PNPEntity -Filter "Name='YourPnPNDevice'" | Select Name, ClassGUID
  • Allow hardware device installation by device instance identifiers (5): This setting can be used to enable Windows to install or update any device whose Plug and Play (PnP) device instance ID appears in the specified allow list. The allow list becomes available after enabling this setting and it configures AllowInstallationOfMatchingDeviceInstanceIDs.
  • Block hardware device installation by device instance identifiers (6): This setting can be used to prevent Windows from installing or updating any device whose Plug and Play (PnP) device instance ID appears in the specified block list. The block list becomes available after enabling this setting and it configures PreventInstallationOfMatchingDeviceInstanceIDs. The device instance ID of a device can be retrieved with:
Get-WmiObject -Class Win32_PNPEntity -Filter "Name='YourPnPNDevice'" | Select Name, DeviceID
  • Scan removable drives during full scan (7): This setting can be used to make sure that removable drives are scanned during a full scan. It configures AllowFullScanRemovableDriveScanning.
  • Block direct memory access (8): This setting can be used to block direct memory access (DMA) for all hot-pluggable PCI downstream ports until a user logs into Windows. It configures AllowDirectMemoryAccess.
  • Enumeration of external devices incompatible with Kernel DMA Protection (9): This setting can be used to provide additional security against external DMA-capable devices. It configures DeviceEnumerationPolicy.
  • Block removable storage (10): This setting can be used to prevent users from using external storage devices. It configures RemovableDiskDenyWriteAccess.
  • Block USB connection (HoloLens only) (11): This setting can be used to prevent the usage of a USB connection between the device and a computer to sync files, or to use developer tools to deploy or debug applications. It configures AllowUSBConnection.
  • Block write access to removable storage (12): This setting can be used to deny write access to removable storage. It configures RemovableDiskDenyWriteAccess.
  • Block bluetooth connections (13): This setting can be used to block Bluetooth connections to and from the device. It configures AllowDiscoverableMode.
  • Block bluetooth discoverability (14): This setting can be used to prevent the device from being discoverable by other Bluetooth-enabled devices. It configures AllowDiscoverableMode.
  • Block bluetooth pre-pairing (15): This setting can be used to prevent specific Bluetooth devices from automatically pairing with the host device. It configures AllowPrepairing.
  • Block bluetooth advertising (16): This setting can be used to prevent the device from sending out Bluetooth advertisements. It configures AllowAdvertising.
  • Block bluetooth proximal connections (17): This setting can be used to prevent a device user from using Swift Pair and other proximity-based scenarios. It configures AllowPromptedProximalConnections.
  • Bluetooth allowed services (18): This setting can be used to specify the allowed Bluetooth services and profiles as hex strings. It configures ServicesAllowedList.
  6. On the Scope tags page, configure the applicable scope tags for the profile and click Next
  7. On the Assignments page, configure the assignment for the profile and click Next
  8. On the Review + create page, verify the configuration and click Create
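The three one-liners above each look up a single device by name. The script below is an added example (not code from the original post) that collects all three identifiers (hardware ID, setup class GUID and device instance ID) for every device of a given PnP class in one pass, so the values for the allow and block lists of settings (1) to (6) can be picked from one table. It also reads back what has actually landed on a device: the DeviceInstallation settings end up in the registry location used by the Device Installation Restrictions group policies, which is an assumption here and worth verifying on a managed device. Get-CimInstance is used instead of the older Get-WmiObject; Win32_PnPEntity is the same class the post queries.

```powershell
# Added example, not code from the original post.

function Get-DeviceControlIdentifiers {
    [CmdletBinding()]
    param(
        # Optional PnP class filter, e.g. 'USB', 'DiskDrive', 'Bluetooth'
        [string]$PnpClass,
        # Only report devices that are currently present
        [switch]$PresentOnly
    )
    $devices = Get-CimInstance -ClassName Win32_PnPEntity
    if ($PnpClass)    { $devices = $devices | Where-Object { $_.PNPClass -eq $PnpClass } }
    if ($PresentOnly) { $devices = $devices | Where-Object { $_.Present } }
    foreach ($d in $devices) {
        [pscustomobject]@{
            Name         = $d.Name
            PnpClass     = $d.PNPClass
            # the most specific hardware ID comes first; used by settings (1) and (2)
            HardwareID   = @($d.HardwareID)[0]
            CompatibleID = @($d.CompatibleID)[0]
            # device setup class GUID; used by settings (3) and (4)
            ClassGuid    = $d.ClassGuid
            # device instance ID; used by settings (5) and (6)
            InstanceID   = $d.DeviceID
        }
    }
}

function Get-DeviceInstallRestrictions {
    # Registry location behind the Device Installation Restrictions policies.
    # Assumption: the DeviceInstallation CSP settings map to this same location.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path -Path $path)) {
        Write-Warning 'No device installation restrictions are applied on this machine.'
        return
    }
    $root   = Get-ItemProperty -Path $path
    $result = [ordered]@{
        DenyUnspecified      = $root.DenyUnspecified
        DenyRemovableDevices = $root.DenyRemovableDevices
    }
    # each list lives in a subkey holding numbered string values (1, 2, 3, ...)
    foreach ($list in 'AllowDeviceIDs', 'DenyDeviceIDs',
                      'AllowDeviceClasses', 'DenyDeviceClasses',
                      'AllowInstanceIDs', 'DenyInstanceIDs') {
        $sub     = Join-Path -Path $path -ChildPath $list
        $entries = @()
        if (Test-Path -Path $sub) {
            $entries = (Get-ItemProperty -Path $sub).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        }
        $result[$list] = @($entries)
    }
    [pscustomobject]$result
}

# Usage: identifiers of the USB devices attached right now, then the applied restrictions
Get-DeviceControlIdentifiers -PnpClass 'USB' -PresentOnly | Format-Table -AutoSize
Get-DeviceInstallRestrictions | Format-List
```

Run it once before the policy is assigned to harvest the identifiers of the devices that should stay allowed, and once after assignment on a targeted device to confirm that the expected lists have arrived; an empty list on a device that should be restricted points at an assignment or sync problem rather than at the settings themselves.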

Configuring a custom policy for the printer settings

Only the printer device control settings require a separate configuration. More specifically, a custom profile. The nine steps below walk through the process of creating such a profile. The settings used are ADMX-backed policy settings, which is why those settings need to be configured with XML values.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Custom
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the custom profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the custom profile to further differentiate profiles
  • Platform: (Greyed out) Windows 10 and later
  • Profile type: (Greyed out) Custom
  5. On the Configuration settings page, see also Figure 1, click Add to add a row for each of the following custom settings and click Next
  • OMA-URI setting 1 – This setting is used to prevent users from using non-corporate printers
    • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
    • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
    • OMA-URI: Specify ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl as value
    • Data type: Select String
    • Value: Specify <enabled/> as value
  • OMA-URI setting 2 – This setting is used to specify the approved USB printers
    • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
    • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
    • OMA-URI: Specify ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices as value
    • Data type: Select String
    • Value: Specify <enabled/><data id="ApprovedUsbPrintDevices_List" value="YourPrinterVID/PID"/> as value

Note: The mentioned nodes are device settings; EnableDeviceControlUser and ApprovedUsbPrintDevicesUser can be used as nodes for user settings.

  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment and click Next
  8. On the Applicability rules page, configure the required applicability rules and click Next
  9. On the Review + create page, verify the configuration and click Create

Note: The first setting is already available via the Settings Catalog. Once the second setting is also available, the Settings Catalog will be the preferred configuration method.
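The value for the second OMA-URI setting is the part that is easy to get wrong: it has to be well-formed XML and it needs the USB vendor and product ID of each approved printer. The script below is an added example (not code from the original post) that reads those IDs from the USB printers currently attached to a reference device and builds both string values. Two assumptions are made and marked in the code: USB printers are identified as the PnP devices served by the usbprint driver, and multiple VID/PID pairs are joined with a comma, which should be checked against the Printers policy CSP documentation before a list with more than one printer is deployed.

```powershell
# Added example, not code from the original post.

function Get-UsbPrinterVidPid {
    # USB function nodes carry hardware IDs of the form USB\VID_xxxx&PID_yyyy.
    # Assumption: USB printers are the nodes served by the 'usbprint' driver.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Service -eq 'usbprint' -and $_.Present } |
        ForEach-Object {
            $device = $_
            $id = @($device.HardwareID) |
                Where-Object { $_ -match 'VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4}' } |
                Select-Object -First 1
            if ($id -and $id -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                [pscustomobject]@{
                    Name   = $device.Name
                    VidPid = '{0}/{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper()
                }
            }
        }
}

function New-ApprovedUsbPrintDevicesValue {
    # Builds the ADMX-backed string value for Printers/ApprovedUsbPrintDevices.
    param([Parameter(Mandatory)][string[]]$VidPid)
    foreach ($pair in $VidPid) {
        if ($pair -notmatch '^[0-9A-F]{4}/[0-9A-F]{4}$') {
            throw "Not a VID/PID pair in the form 03F0/0C17: $pair"
        }
    }
    # Assumption: a comma separates multiple pairs; verify against the CSP documentation.
    $list = [System.Security.SecurityElement]::Escape(($VidPid -join ','))
    '<enabled/><data id="ApprovedUsbPrintDevices_List" value="{0}"/>' -f $list
}

function New-EnableDeviceControlValue {
    # The first OMA-URI setting only needs the policy switched on.
    '<enabled/>'
}

# Usage on a reference device that has the approved printers attached
$printers = Get-UsbPrinterVidPid
$printers | Format-Table -AutoSize
if ($printers) {
    New-EnableDeviceControlValue
    New-ApprovedUsbPrintDevicesValue -VidPid $printers.VidPid
}
```

Paste the two emitted strings into the Value fields of OMA-URI setting 1 and 2 respectively. Keeping the VID/PID validation in place prevents a stray character from silently producing a value the CSP rejects, which would leave the printer restriction unapplied while the profile still shows as assigned.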

Experiencing the controlled devices

The user experience with the different device control policies is, depending on the exact device control setting, not that exciting. For most settings it simply means that something is not possible, or not accessible. When, for example, blocking removable storage, the behavior can easily be simulated on a virtual machine, where it will also block access to the CD/DVD drive. An example is shown below in Figure 3. All other settings are similar in limiting the user experience for a more secure device.

More information

For more information about (configuring) device control, refer to the following docs.

5 thoughts on “Controlling devices connected to Windows devices”

  1. That's all nice for Azure and MEM but still searching for a possibility in MECM (SCCM). Still environments exist which can't use online services. I can only find Intune, third party solutions (SCCM) or through GPO. Is there really no way to control device access control (specifically USB) in SCCM?

  2. I’d be curious if you ever set this up recently, as I think there might be some new settings. I went the same route, and at the very bottom of the profile, there is a ‘Device Control’ section, where you can set it up to ‘Audit Allowed’ and ‘Audit Denied’. By using this, I was able to set it up to send events to Defender whenever it allowed a device.

    From there, you can go into Defender (security.microsoft.com), then go into Hunting > Advanced Hunting
    Using this query, you can pull up these events that were sent to Defender:

    //RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement
    DeviceEvents
    | where ActionType == "RemovableStoragePolicyTriggered"
    | extend parsed=parse_json(AdditionalFields)
    | extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
    | extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
    | extend MediaClassGuid = tostring(parsed.ClassGuid)
    | extend MediaClassName = tostring(parsed.ClassName)
    | extend MediaDeviceId = tostring(parsed.DeviceId)
    | extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
    | extend MediaName = tostring(parsed.MediaName)
    | extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
    | extend MediaProductId = tostring(parsed.ProductId)
    | extend MediaVendorId = tostring(parsed.VendorId)
    | extend MediaSerialNumber = tostring(parsed.SerialNumber)

    My issue with it is that I am able to pull up “DefaultAllow”, but it doesn’t seem to want to bring up any of the “DefaultDeny” events, which is what I am most interested in. If this worked, I would never have to tell a user to go into Device Manager to get me an instance ID. I was hoping it would show me the exact device being denied, which I could then plug in to be whitelisted in the ASR Device Control policy. Instead, all I get are the allowed devices, which is nice to have, but not exactly as helpful as a denied device list would be.

    Is there another way to audit these events that I am not aware of?

