New Removable Storage Management Capabilities in MS Defender

Microsoft announced new features for Removal storage management in MS Defender for endpoint and this helps to improve and secure more removal storage scenarios in Windows and below are the use cases that Windows Defender supports.

  • Gain writing access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN

And the below new features included in defender for endpoint.

  • Support for file parameters
  • Support for Azure AD machines or user group(s)
  • Capturing a file as evidence on a network share
  • Improvements to the removable storage access control investigation experience
  • Network location as a condition

Support for file parameters

               Defender for Endpoint now able to read, write, and execute access to specific files on removable storage. INK, BAT, BIN, CHM, CMD, COM, CPL, EXE file extensions can be blocked by Defender and let me explain the configurations involved in blocking file extensions. You would need to create two groups. 1. Create group for any removable storage devices 2. Create group for unallowed file extensions.Create a policy to deny read and execute access to any file under allowed file extension group for removable storage group.

  1. Create group for removable & portable storage devices.

        Goto Microsoft Endpoint Manager Admin center and Devices -> Create Profile -> Choose platform: Windows 10 and later, Profile Type: Templates -> Custom. Under Configuration Settings, Add Row pane and provide below details.

  • Name -> Any Removable Storage Group.
  • OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
  • Date Type -> String (XML file)
  • Custom XML file -> Enter the below XML file

<Group Id=”{9b28fae8-72f7-4267-a1a5-685f747a7146}”>
   <!. ../Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData –>                <MatchType>MatchAny</MatchType>

  • Click Save and proceed with deploying configuration.
  1. Create group for Unallowed file extensions.

         Under Configuration settings, Add Row pane to configure settings and provide the below formation.

  • Name -> Unallowed file extensions
  • OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
  • Date Type -> String (XML file)
  • Custom XML file -> Enter the below XML file

<Group Id=”{e5f619a7-5c58-4927-90cd-75da2348a30f}” Type=”File” MatchType=”MatchAny”>
   <!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7be5f619a7-5c58-4927-90cd-75da2348a30f%7d/GroupData –>

  • Click Save and deploy the configuration.
  1. Deploy policy to deny Read and execute access.
                You can use the below XML file to create policy and apply to removable storage group. It will block read and write access to the group. 40 in the policy means only need to restrict file system level access. In Add Row pane, specify name and OMA-URI (./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData) and Data type is String XML file and select Custom XML file and Click Save and apply policy configuration.

    <PolicyRule Id=”{5038638c-9352-47bb-88df-8a659f0c02a7}”>
<!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b5038638c-9352-47bb-88df-8a659f0c02a7%7d/RuleData –>
    <Name>Block Read and Write access to specific file</Name>
   <Entry Id=”{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}”>
                 <Parameters MatchType=”MatchAll”>
                                             <File MatchType=”MatchAny”>
   <Entry Id=”{2925ecd8-40dc-42bb-a972-da0de839dd4f}”>

Support for Azure AD machines or user groups

                     Microsoft support for AD Object and Azure AD Object Id in Microsoft Defender for Endpoint. It allows the user to use specific removable storage devices to specific machine and the user cannot use any other storage device on the machine. Using Sid and ComputerSid in the policy, the user can control specific removable storage for specific users or machines. You can find the object ID for users & machines in Azure portal. SID is local user SID or user SID group or SID of the AD object or the object ID of the Azure AD object. ComputerSID is Local computer SID or computer SID group or the SID of the AD object or the Object Id of the AAD object. You can apply policy to specific user and specific computer, need to add both SID and computer SID in the same entry.

Capture the file as evidence on a network share

               When you copy the file into authorized Removable storage device, the policy will copy the file into network share as evidence. “option” attribute allows you to capture copy of the file as evidence in the network share.

Improvements to the removable storage access control investigation experience

              Investigation experience has been improved with new release by providing device control in the device timeline page. Removable storage access control event has been added in the machine timeline and go to Microsoft 365 security portal -> Devices -> Device page -> Timeline.

File name and patch information will be captured when file level policy is applied, and it will show in the Device control report (Reports -> Device Control and the report data latency reduced from 12 hours to 6 hours. In the Device control report, you can view the audit events & policy events. Audit events will show the number of audit events occurs when external device is connected. Policy events will show the number of policy when a device control policy is triggered. To see real-time activity for this media across the organization, select the Open Advanced hunting button. This includes an embedded, pre-defined query.

Network location as a condition

             You can create device control policies for the machines which are not connected to the corporate network using machines network location. “Network” and “VPNConnection” group types created recently. You can use the block people from accessing Removable storage when the machines is not connected to the corporate network.  Microsoft mentioned these features are currently available in public preview for Microsoft defender for endpoints. There are few troubleshooting steps you can follow for policy issues. To confirm if the policy is applied on the machine, Open powershell as an administrator and run “Get-MpComputerStatus” and verify if latest date is showing in the DeviceControlPoliciesLastupdated. There are couple of reason the policy does not work. If you are not using correct markdown formatting for the “&” character and adding the byte mark (BOM) 0xEF 0xBB 0xBF at the beginning which causing XML parsing issues.

For more Info on Windows Defender and its capabilities, kindly read the article:
Configure Firewall rules to allow reusable settings with Windows Defender



Contact Us

On Key

More Posts

WME Cybersecurity Briefings No. 005
Cyber Security

WME Security Briefing 15 April 2024

E-Commerce Security Alert: Unveiling Magecart’s Persistent Backdoor Overview Malicious activities by Magecart attackers have been reported. They are targeting Shopify’s content delivery network (CDN) by creating fake Shopify stores. The backdoor method has enabled them to

Read More »
WME Cybersecurity Briefings No. 004
Cyber Security

WME Security Briefing 11 April 2024

Mispadu Trojan Exploits Windows Vulnerability to Target Financial Data Overview The Mispadu banking trojan has intensified its operations as it’s exploiting an already patched Windows SmartScreen flaw. Since its initial identification in 2019, Mispadu has primarily preyed on

Read More »
WME Cybersecurity Briefings No. 003
Cyber Security

WME Security Briefing 29 March 2024

Russian hackers escalating their cyber warfare, deploying TinyTurla-NG to breach European NGOs. Cisco Talos reveals a targeted attack against organizations advocating democracy and supporting Ukraine. With their sophisticated methods, these cyber attackers are bypassing antivirus defenses

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.