New Removable Storage Management Capabilities in MS Defender

Microsoft has announced new removable storage management features for Microsoft Defender for Endpoint. They extend removable storage access control to more scenarios on Windows; the use cases Defender now supports are:

  • Gain write access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices only while the machine is connected to the corporate network, directly or through a VPN

The release adds the following features to Defender for Endpoint:

  • Support for file parameters
  • Support for Azure AD machines or user group(s)
  • Capturing a file as evidence on a network share
  • Improvements to the removable storage access control investigation experience
  • Network location as a condition

Support for file parameters

Defender for Endpoint can now control read, write and execute access to specific files on removable storage; for example, files with the LNK, BAT, BIN, CHM, CMD, COM, CPL and EXE extensions can be blocked. Blocking by extension takes two groups and one policy rule:

  1. a group that matches any removable storage device;
  2. a group that lists the unallowed file extensions;
  3. a policy rule, applied to the removable storage group, that denies read and execute access to any file matching the unallowed-extension group.

The steps below create each of them as a custom OMA-URI setting in Intune.

  1. Create a group for removable and portable storage devices.

        Go to the Microsoft Endpoint Manager admin center, then Devices -> Configuration profiles -> Create profile. Choose Platform: Windows 10 and later and Profile type: Templates -> Custom. Under Configuration settings, choose Add, and in the Add Row pane provide the details below.

  • Name -> Any Removable Storage Group
  • OMA-URI -> ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData (the braces around the GUID are URL-encoded as %7b and %7d; inside the XML the Id keeps its literal braces)
  • Data type -> String (XML file)
  • Custom XML file -> the XML below

```xml
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
    <MatchType>MatchAny</MatchType>
    <!-- descriptor list as in Microsoft's published sample: removable media, CD/DVD and portable (WPD) devices -->
    <DescriptorIdList>
        <PrimaryId>RemovableMediaDevices</PrimaryId>
        <PrimaryId>CdRomDevices</PrimaryId>
        <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
</Group>
```

  • Click Save and deploy the configuration.
  2. Create a group for unallowed file extensions.

         Under Configuration settings, choose Add and provide the information below in the Add Row pane.

  • Name -> Unallowed file extensions
  • OMA-URI -> ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData
  • Data type -> String (XML file)
  • Custom XML file -> the XML below

```xml
<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7be5f619a7-5c58-4927-90cd-75da2348a30f%7d/GroupData -->
    <!-- a File group matches on path patterns; these are the extensions listed in the text above -->
    <DescriptorIdList>
        <PathId>*.lnk</PathId>
        <PathId>*.bat</PathId>
        <PathId>*.bin</PathId>
        <PathId>*.chm</PathId>
        <PathId>*.cmd</PathId>
        <PathId>*.com</PathId>
        <PathId>*.cpl</PathId>
        <PathId>*.exe</PathId>
    </DescriptorIdList>
</Group>
```

  • Click Save and deploy the configuration.
  3. Deploy a policy rule that denies read and execute access.
                Use the XML below to create the policy rule. Its IncludedIdList applies it to the removable storage group, and the File parameter narrows it to the unallowed-extension group. AccessMask 40 is file read (8) plus file execute (32): only file-system-level access is restricted. File write (16) is not in the mask, and neither are the device-level bits (read 1, write 2, execute 4), so the device itself still mounts and files can still be copied onto it. In the Add Row pane, enter a name and the OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData, set Data type to String (XML file), select the custom XML file, then click Save and deploy the policy.

```xml
<PolicyRule Id="{5038638c-9352-47bb-88df-8a659f0c02a7}">
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b5038638c-9352-47bb-88df-8a659f0c02a7%7d/RuleData -->
    <Name>Block Read and Execute access to specific file</Name>
    <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <!-- entry bodies follow the device control schema; Deny file read (8) + file execute (32) = 40 -->
    <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
        <Type>Deny</Type><Options>0</Options><AccessMask>40</AccessMask>
        <Parameters MatchType="MatchAll">
            <File MatchType="MatchAny"><GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId></File>
        </Parameters>
    </Entry>
    <!-- audit the same denied access: Options 3 = show a notification and send an event -->
    <Entry Id="{2925ecd8-40dc-42bb-a972-da0de839dd4f}">
        <Type>AuditDenied</Type><Options>3</Options><AccessMask>40</AccessMask>
        <Parameters MatchType="MatchAll">
            <File MatchType="MatchAny"><GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId></File>
        </Parameters>
    </Entry>
</PolicyRule>
```
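The three steps above, as an added PowerShell example that is not part of the original article: it assembles the two groups and the policy rule with the article's GUIDs, parses them, checks that every GroupId the rule references is one of the two groups, decodes the AccessMask, and writes the files as UTF-8 without a BOM. The device group's descriptor list follows Microsoft's published sample, the output folder and file names are assumptions, and nothing here talks to Intune; the files are what you paste into the custom OMA-URI rows.

```powershell
# Added example, not code from the original article: build the two groups and the
# policy rule from the steps above (article GUIDs), check them, and save them as
# UTF-8 without BOM. Output folder and file names are assumptions.

$OutDir = Join-Path $env:TEMP 'DeviceControl'      # assumption: any local folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Group 1: any removable storage device. Descriptor list follows Microsoft's sample.
$DeviceGroup = @'
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
    <PrimaryId>CdRomDevices</PrimaryId>
    <PrimaryId>WpdDevices</PrimaryId>
  </DescriptorIdList>
</Group>
'@

# Group 2: unallowed file extensions (the extensions named in the article)
$FileGroup = @'
<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny">
  <DescriptorIdList>
    <PathId>*.lnk</PathId><PathId>*.bat</PathId><PathId>*.bin</PathId><PathId>*.chm</PathId>
    <PathId>*.cmd</PathId><PathId>*.com</PathId><PathId>*.cpl</PathId><PathId>*.exe</PathId>
  </DescriptorIdList>
</Group>
'@

# Policy rule: on devices in group 1, deny file read+execute (8+32 = 40) for files in
# group 2, and raise a notification plus an event (Options 3) when that happens.
$Rule = @'
<PolicyRule Id="{5038638c-9352-47bb-88df-8a659f0c02a7}">
  <Name>Block Read and Execute access to specific file</Name>
  <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}">
    <Type>Deny</Type><Options>0</Options><AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll">
      <File MatchType="MatchAny"><GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId></File>
    </Parameters>
  </Entry>
  <Entry Id="{2925ecd8-40dc-42bb-a972-da0de839dd4f}">
    <Type>AuditDenied</Type><Options>3</Options><AccessMask>40</AccessMask>
    <Parameters MatchType="MatchAll">
      <File MatchType="MatchAny"><GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId></File>
    </Parameters>
  </Entry>
</PolicyRule>
'@

# AccessMask bit values from the device control schema
function ConvertFrom-AccessMask([int]$Mask) {
    $bits = @{ 1='DeviceRead'; 2='DeviceWrite'; 4='DeviceExecute'; 8='FileRead'; 16='FileWrite'; 32='FileExecute'; 64='Print' }
    $bits.Keys | Sort-Object | Where-Object { $Mask -band $_ } | ForEach-Object { $bits[$_] }
}

# [xml] throws on malformed input, e.g. an unescaped '&' or curly quotes around attributes
$groups = @($DeviceGroup, $FileGroup) | ForEach-Object { ([xml]$_).Group }
$rule   = ([xml]$Rule).PolicyRule

# Every GroupId the rule references must be a group you actually deploy
$known = $groups.Id
$refs  = @($rule.IncludedIdList.GroupId) + @($rule.Entry.Parameters.File.GroupId)
foreach ($ref in $refs) {
    if ($known -notcontains $ref) { throw "Rule references group $ref, which is not defined" }
}

# Prints e.g.  Deny         AccessMask  40 = FileRead+FileExecute
foreach ($e in $rule.Entry) {
    '{0,-12} AccessMask {1,3} = {2}' -f $e.Type, $e.AccessMask, ((ConvertFrom-AccessMask $e.AccessMask) -join '+')
}

# Save without BOM: the OMA-URI payload is XML text and a leading EF BB BF breaks parsing.
# The Id inside the XML keeps its braces; only the OMA-URI path encodes them as %7b/%7d.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
$files = @{ 'AnyRemovableStorageGroup.xml' = $DeviceGroup
            'UnallowedFileExtensions.xml'  = $FileGroup
            'BlockReadExecuteRule.xml'     = $Rule }
foreach ($name in $files.Keys) {
    [System.IO.File]::WriteAllText((Join-Path $OutDir $name), $files[$name], $utf8NoBom)
}
```

The cross-reference check matters because a rule that names a GroupId you never deployed silently matches nothing, and the decoded mask makes it obvious that 40 leaves file write and all device-level access untouched.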

Support for Azure AD machines or user groups

                     Defender for Endpoint now supports AD objects and Azure AD object IDs in device control policies. This lets you allow a specific removable storage device for a specific machine or user while every other removable device on that machine stays blocked. The Sid and ComputerSid elements of a policy entry provide the scoping: Sid is a local user SID, a user group SID, the SID of an AD object, or the object ID of an Azure AD object; ComputerSid is the local computer SID, a computer group SID, the SID of an AD computer object, or the object ID of an Azure AD device. The object IDs of users and devices can be found in the Azure portal. To apply an entry to a specific user on a specific computer, put both Sid and ComputerSid in the same entry; both must then match for the entry to apply.
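An added PowerShell example, not code from the original article, showing the user-plus-computer scoping just described: it resolves a principal to its SID and emits an Allow entry that carries both Sid and ComputerSid. The account names, the sample machine SID and the entry GUID are constructed placeholders.

```powershell
# Added example, not code from the original article: resolve the identities an entry
# needs and emit an Allow entry scoped to one user AND one computer. The SIDs, GUIDs
# and account names used below are constructed placeholders.

# Resolves local and AD principals; for Azure AD-only users or devices take the
# object ID from the Azure portal instead, as described above.
function Get-AccountSid([string]$Account) {
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function New-ScopedAllowEntry {
    param(
        [Parameter(Mandatory)][string]$EntryId,
        [Parameter(Mandatory)][string]$UserSid,
        [Parameter(Mandatory)][string]$ComputerSid,
        [int]$AccessMask = 63     # 1+2+4+8+16+32: every device and file access, no print
    )
    # Sid and ComputerSid in the same Entry must both match, so this entry applies only
    # to that user on that computer. Use separate entries (one with Sid, one with
    # ComputerSid) if you want "this user anywhere" or "anyone on this PC" instead.
@"
<Entry Id="$EntryId">
  <Type>Allow</Type>
  <Options>0</Options>
  <AccessMask>$AccessMask</AccessMask>
  <Sid>$UserSid</Sid>
  <ComputerSid>$ComputerSid</ComputerSid>
</Entry>
"@
}

# The current user resolves offline; a domain computer would be Get-AccountSid 'CONTOSO\WS-0042$'
$userSid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$computerSid = 'S-1-5-21-1004336348-1177238915-682003330'   # constructed sample machine SID

$entry = New-ScopedAllowEntry -EntryId '{6f4a2d5e-2c0b-4c7f-9a1e-0d3b7c9e1a22}' `
                              -UserSid $userSid -ComputerSid $computerSid

# This Entry belongs inside a PolicyRule whose IncludedIdList names a device group that
# lists the approved drives (e.g. by instance path or serial number). Any other removable
# device is then left to the rule's Deny entries or the default enforcement, which is
# what makes "only this device, on this machine, for this user" work.
([xml]$entry).Entry | Format-List Type, AccessMask, Sid, ComputerSid
```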

Capture the file as evidence on a network share

               When a file is copied to an authorized removable storage device, the policy can also copy that file to a network share as evidence. The entry's Options value is what turns evidence capture on.

Improvements to the removable storage access control investigation experience

              The investigation experience has been improved in this release: device control events now appear on the device timeline. Removable storage access control events are shown in the machine timeline at Microsoft 365 Defender portal -> Devices -> Device page -> Timeline.

File name and path information is captured when a file-level policy applies and is shown in the Device Control report (Reports -> Device Control); report data latency has been reduced from 12 hours to 6 hours. The report shows audit events and policy events: audit events count the events raised when an external device is connected, and policy events count how many times a device control policy was triggered. To see real-time activity for that media across the organization, select Open Advanced hunting; this opens an embedded, pre-defined query.

Network location as a condition

             Device control policies can now take the machine's network location into account, using the new Network and VPNConnection group types; for example, you can block access to removable storage while the machine is not connected to the corporate network. Microsoft states that these features are currently in public preview for Defender for Endpoint.

A few troubleshooting steps help when a policy does not take effect. To confirm the policy has reached the machine, open PowerShell as an administrator, run Get-MpComputerStatus and check that DeviceControlPoliciesLastUpdated shows a recent timestamp. Two common causes of a policy that is delivered but never applied are XML parsing failures: an unescaped & character (in XML it must be written as &amp;) and a byte order mark (BOM, the bytes 0xEF 0xBB 0xBF) at the start of the file.
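The two checks just described, as an added PowerShell example that is not from the original article: the first reads the Get-MpComputerStatus timestamp, the second is a pre-flight test of a policy XML file for the BOM and the unescaped & (plus the curly quotes a web copy-paste tends to introduce) before you paste it into Intune. The file path is an assumption; point it at your own rule XML.

```powershell
# Added example, not code from the original article: the Get-MpComputerStatus check
# from the paragraph above plus a pre-flight test for the XML defects that stop a
# policy from parsing. The file path is an assumption.

function Test-DeviceControlPolicyApplied {
    $status = Get-MpComputerStatus
    $last   = $status.DeviceControlPoliciesLastUpdated
    [pscustomobject]@{
        DeviceControlState  = $status.DeviceControlState   # reported alongside the timestamp on current builds
        PoliciesLastUpdated = $last
        UpdatedInLast24h    = ($null -ne $last -and $last -gt (Get-Date).AddHours(-24))
    }
}

function Test-DeviceControlXml {
    param([Parameter(Mandatory)][string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $problems = @()

    # 1. UTF-8 BOM (EF BB BF) in front of the XML
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'File starts with a UTF-8 BOM; save it as UTF-8 without BOM'
    }
    $text = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)

    # 2. A bare '&' that is not an entity or character reference is an XML escaping error
    if ($text -match '&(?!(amp|lt|gt|quot|apos|#\d+|#x[0-9A-Fa-f]+);)') {
        $problems += "Unescaped '&' found; write it as &amp;"
    }

    # 3. Curly quotes from a web copy-paste are not attribute delimiters
    if ($text -match '[\u201C\u201D\u2018\u2019]') {
        $problems += 'Curly quotes found; replace them with straight " or '''
    }

    # 4. Does it parse, and is the root Id the braced GUID the OMA-URI path (%7b...%7d) refers to?
    try {
        $root = ([xml]$text).DocumentElement
        if ($root.Id -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
            $problems += "Root Id '$($root.Id)' is not a braced GUID"
        }
    } catch {
        $problems += "XML does not parse: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems }
}

Test-DeviceControlPolicyApplied
Test-DeviceControlXml -Path (Join-Path $env:TEMP 'DeviceControl\BlockReadExecuteRule.xml')
```

A policy that fails any of the XML checks is delivered by Intune without complaint; the only symptom on the endpoint is that DeviceControlPoliciesLastUpdated never moves, which is why the two functions belong together.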

For more information on Windows Defender and its capabilities, read the article:
Configure Firewall rules to allow reusable settings with Windows Defender


