Microsoft Defender for Endpoint’s device control capabilities are essential for organizations looking to secure their data and prevent cyberthreats. These capabilities allow security teams to manage the use of peripheral devices, such as USB drives, printers, and Bluetooth devices, connected to users’ computers. This article explores the functionalities of device control and how they can be used to enhance your organization’s security posture.
Microsoft Device Control Capabilities
Microsoft’s device control capabilities are divided into three main categories: device control in Windows, device control in Defender for Endpoint, and Endpoint Data Loss Prevention (Endpoint DLP). These functionalities allow you to configure policies that prevent users from installing or using specific devices, block all external devices with defined exceptions, or allow only specific devices or BitLocker-encrypted devices.
Common Device Control Scenarios
Device control can be applied in various scenarios to protect your organization. Let’s explore some common use cases and the appropriate Microsoft capabilities to use.
Controlling Access to USB Devices
You can control access to USB devices using device installation restrictions, removable media device control, or Endpoint DLP, each offering different levels of control and protection.
Configuring Device Installation Restrictions
Device installation restrictions in Windows allow you to permit or deny the installation of drivers based on the device ID, device instance ID, or setup class. This can block any device that appears in Device Manager, including removable devices. When a restriction matches, the device is shown as blocked in Device Manager.
More details are available by clicking on the device.
Advanced Hunting also records this event. You can view it using the following query:
DeviceEvents
| extend parsed = parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaDescription = tostring(parsed.DeviceDescription)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend DeviceInstanceId = tostring(parsed.DeviceInstanceId)
| extend DriverName = tostring(parsed.DriverName)
| extend ClassGUID = tostring(parsed.ClassGuid)
| where ActionType contains "PnPDeviceBlocked"
| project Timestamp, ActionType, DeviceInstanceId, DriverName, ClassGUID
| order by Timestamp desc
When device installation restrictions are configured and a device is installed, an event with an ActionType of PnPDeviceAllowed is created.
Controlling Access to Removable Media Using Device Control
Device control for Defender for Endpoint provides granular access control to USB devices, focusing on Windows Portable Devices, Removable Media, CD/DVDs, and Printers.
It’s important to note that not all USB devices are considered removable media devices. To be classified as such and be within the scope of MDE device control, the device must create a disk (e.g., E:) in Windows. Device control can then restrict access to the device and its files by defining policies.
Important: Some devices create multiple entries in the Windows device manager (e.g., a removable media device and a Windows portable device). For the device to function correctly, ensure you grant access for all entries associated with the physical device.
If a policy is configured with an audit entry, an event will appear in Advanced Hunting with an ActionType of RemovableStoragePolicyTriggered.
DeviceEvents
| extend parsed = parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaDescription = tostring(parsed.DeviceDescription)
| extend SerialNumberId = tostring(parsed.SerialNumber)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend PID = tostring(parsed.ProductId)
| extend VID = tostring(parsed.VendorId)
| extend VID_PID = strcat(VID, "_", PID)
| extend InstancePathId = tostring(parsed.DeviceInstanceId)
| where ActionType == "RemovableStoragePolicyTriggered"
| project Timestamp, RemovableStoragePolicy, RemovableStorageAccess, RemovableStoragePolicyVerdict, SerialNumberId, VID, PID, VID_PID, InstancePathId
| order by Timestamp desc
This query returns the policy name, the requested access, and the verdict (allow, deny).
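As an added example (not code from the original article or from Microsoft's tooling), the Python below applies the same AdditionalFields parsing to an exported set of DeviceEvents rows, derives VID_PID as the query does, and adds a check for the caveat in the note above: a serial number that is allowed under one Device Manager entry but denied under another. All rows, class names, VID/PID values and policy names are constructed.

```python
import json
from collections import Counter, defaultdict

def _row(ts, cls, serial, policy, access, verdict, action="RemovableStoragePolicyTriggered"):
    """Constructed DeviceEvents row; AdditionalFields is the JSON blob the query parses (values made up)."""
    fields = {"ClassName": cls, "DeviceId": f"USBSTOR\\DISK&VEN_X&PROD_Y\\{serial}",
              "DeviceDescription": "Constructed flash drive", "SerialNumber": serial,
              "RemovableStoragePolicy": policy, "RemovableStorageAccess": access,
              "RemovableStoragePolicyVerdict": verdict, "VendorId": "0781", "ProductId": "5583",
              "DeviceInstanceId": f"USBSTOR\\DISK&VEN_X&PROD_Y\\{serial}&0"}
    return {"Timestamp": ts, "ActionType": action, "AdditionalFields": json.dumps(fields)}

# Constructed sample export: one physical device (SN-0001) shows up twice, as removable media
# (allowed) and as a WPD entry (denied); SN-0002 is denied outright; one PnP event is unrelated noise.
SAMPLE_ROWS = [
    _row("2024-05-01T09:00:01Z", "RemovableMediaDevices", "SN-0001", "Allow approved USB", "Read", "Allow"),
    _row("2024-05-01T09:00:02Z", "WpdDevices", "SN-0001", "Deny WPD", "Read", "Deny"),
    _row("2024-05-01T09:05:00Z", "RemovableMediaDevices", "SN-0002", "Deny unapproved USB", "Write", "Deny"),
    _row("2024-05-01T09:10:00Z", "RemovableMediaDevices", "SN-0003", "", "", "", action="PnPDeviceBlocked"),
]

def parse_event(row):
    """Flatten a row the way the query's extend chain does, including the derived VID_PID column."""
    f = json.loads(row["AdditionalFields"])
    return {"Timestamp": row["Timestamp"], "ClassName": f.get("ClassName", ""),
            "SerialNumberId": f.get("SerialNumber", ""),
            "RemovableStoragePolicy": f.get("RemovableStoragePolicy", ""),
            "RemovableStorageAccess": f.get("RemovableStorageAccess", ""),
            "RemovableStoragePolicyVerdict": f.get("RemovableStoragePolicyVerdict", ""),
            "VID_PID": f"{f.get('VendorId', '')}_{f.get('ProductId', '')}",
            "InstancePathId": f.get("DeviceInstanceId", "")}

def policy_triggered(rows):
    """Equivalent of: | where ActionType == "RemovableStoragePolicyTriggered" | project ..."""
    return [parse_event(r) for r in rows if r["ActionType"] == "RemovableStoragePolicyTriggered"]

def denies_by_policy(events):
    """Count denied requests per (policy, VID_PID, requested access) for an enforcement review."""
    return Counter((e["RemovableStoragePolicy"], e["VID_PID"], e["RemovableStorageAccess"])
                   for e in events if e["RemovableStoragePolicyVerdict"] == "Deny")

def split_verdict_devices(events):
    """Serial numbers allowed under one Device Manager entry but denied under another: the symptom
    described in the note above, where every entry of the physical device must be granted access."""
    by_serial = defaultdict(set)
    for e in events:
        by_serial[e["SerialNumberId"]].add((e["ClassName"], e["RemovableStoragePolicyVerdict"]))
    return {s: sorted(p) for s, p in by_serial.items() if {"Allow", "Deny"} <= {v for _, v in p}}
```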
Using Endpoint DLP to Prevent File Copying to USB
To prevent copying files to USB based on file sensitivity, use Endpoint DLP. Endpoint DLP allows you to define policies that prevent sensitive data from being copied to removable storage devices, ensuring that confidential information remains protected.
Controlling Access to BitLocker Encrypted Removable Media (Preview)
BitLocker is used to manage access to removable media and ensure that devices are encrypted, adding an extra layer of security to your data.
Using BitLocker to Deny Access to Removable Media
Windows offers the ability to deny write access to all removable media or deny write access unless the device is BitLocker encrypted.
Configuring Device Control Policies for BitLocker (Preview)
Device control for Microsoft Defender for Endpoint can control access to devices based on their BitLocker encrypted state. This allows for creating exceptions to allow and audit access to non-BitLocker encrypted devices.
Controlling Access to Printers
You can manage access to printers using printer installation restrictions, device control policies for printing, or Endpoint DLP.
Setting Up Printer Installation Restrictions
Windows device installation restrictions can also be applied to printers.
Configuring Device Control Policies for Printing
Device control for Microsoft Defender for Endpoint manages printer access based on the printer’s properties (VID/PID) and type (Network, USB, Corporate, etc.).
Device control can also restrict the types of files that are printed and limit printing in non-corporate environments.
Using Endpoint DLP to Prevent Classified Document Printing
To block the printing of documents based on information classification, use Endpoint DLP.
Using Endpoint DLP to Capture File Evidence of Printed Files
To capture evidence of a file being printed, use Endpoint DLP.
Controlling Access to Bluetooth Devices
You can control access to Bluetooth services on Windows devices using device control or Endpoint DLP.
Controlling Access to Bluetooth Services on Windows
Administrators can manage the behavior of the Bluetooth service (allowing advertising, discovery, preparing, and prompting) and the allowed Bluetooth services.
Using Endpoint DLP to Prevent Document Copying to Devices
To block copying sensitive documents to any Bluetooth Device, use Endpoint DLP.
Using Endpoint DLP to Capture File Evidence of Files Copied to USB
To capture evidence of a file being copied to a USB device, use Endpoint DLP.
Device Control Policy Samples and Scenarios
Device control in Defender for Endpoint provides a robust access control model that enables a wide range of scenarios. If you are new to device control, see Device control walkthroughs.
Prerequisites for Device Control
Device control in Defender for Endpoint can be applied to devices running Windows 10 or Windows 11 with the anti-malware client version 4.18.2103.3 or later. Later client versions added the following capabilities:

- 4.18.2104 or later: Added SerialNumberId, VID_PID, filepath-based GPO support, and ComputerSid.
- 4.18.2105 or later: Added wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId; the combination of specific users on specific machines; removable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support.
- 4.18.2107 or later: Added Windows Portable Device (WPD) support (for mobile devices, such as tablets); added AccountName into advanced hunting.
- 4.18.2205 or later: Expanded the default enforcement to Printer. If set to Deny, it blocks Printer as well, so create a custom policy to allow Printer if you only want to manage storage.
- 4.18.2207 or later: Added File support; the common use case is to “block people from Read/Write/Execute access to a specific file on removable storage.” Added Network and VPN Connection support; the common use case is to “block people from accessing removable storage when the machine isn’t connected to the corporate network.”
Next Steps
Implementing device control in Microsoft Defender for Endpoint is crucial for protecting your organization from data loss and cyber threats. By understanding the different capabilities and scenarios, you can create effective policies that enhance your security posture.