Management of external devices (peripherals) with Intune


To reduce the security risk of the end devices and to protect them from data loss or malicious devices, it makes sense to also deal with the management of peripherals. Intune also has an answer for this with attack surface reduction policies. We would like to take a closer look at this topic in this blog post.


Content

  1. Content
  2. Create a Device Control Policy
  3. Management of removable storages
    1. Block removable storages
    2. Allow only specific devices
  4. Management of Bluetooth
  5. Block Specific device classes

Create a Device Control Policy

  • Open the Intune Portal
  • Navigate to Endpoint security -> Attack surface reduction
  • Click on + Create Policy
  • Select Windows 10 and later as platform and Device Control as Profile
  • Enter a name and click Next
  • From here on there are a lot of different interesting settings. Let's look into the most interesting ones; you can find a detailed description of the individual configurations in the sections below. (A list of all settings is also available in the Microsoft documentation.)
  • Once the configurations are created click Next -> Next
  • Create an assignment

Before you create a broader assignment, test the profile carefully.

  • Click Next and Create to create the profile

Management of removable storages

Block removable storages

If you want to block removable devices completely, you can set Removable Disk Deny Write Access to Disable.

Note that this setting does not block USB charging.

Allow only specific devices

If you want to define which USB sticks are allowed, you can do this with the following steps:

  • Create a reusable setting by going back to the Attack surface reduction section and selecting Reusable settings
  • Click +Add
  • Enter a name and click Next
  • Click +Add and +Edit instance
  • Enter a name and an Identifier of the device. The best way is to use the DeviceId.
    • You can get the DeviceId in these two ways:
      • Open the Device Manager, select a device, and change to the details section.
      • Run the following command: Get-PnpDevice | Select-Object FriendlyName, DeviceID
  • Click Next and Add
  • Go back to the Attack Surface Reduction Policy in the Device Control section
  • Click +Set reusable settings and select the previously created setting
  • Click +Edit Entity
  • Create an Allow list and specify the Access mask.
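The procedure above needs one identifier per permitted USB stick. The following PowerShell script is an added example (not from the original post) that collects those identifiers for every USB mass-storage device currently attached, so you can build the allow list from a reference machine instead of reading values out of Device Manager one by one. It assumes a Windows 10/11 host with the built-in PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty); the output path is a placeholder you can change.

```powershell
# Added example, not part of the original post.
# Lists attached USB storage devices with the identifiers that can be used
# in an Intune Device Control reusable setting (full device instance path
# and the hardware IDs, which include the vendor/product portion).

function Get-UsbStorageIdentifiers {
    # Only devices in the DiskDrive class that are present right now and
    # enumerated through the USB storage stack (instance path starts with USBSTOR\).
    $disks = Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' }

    foreach ($disk in $disks) {
        # DEVPKEY_Device_HardwareIds holds the matching-oriented IDs
        # (VEN/PROD/REV combinations) for this disk.
        $hardwareIds = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds').Data

        [pscustomobject]@{
            FriendlyName = $disk.FriendlyName
            Status       = $disk.Status
            # Full instance path, unique per stick because it contains the serial number.
            DeviceId     = $disk.InstanceId
            HardwareIds  = ($hardwareIds -join ';')
        }
    }
}

# Show the result on screen and also export it for bulk entry into the
# reusable setting. 'C:\Temp\usb-allowlist.csv' is a placeholder path.
$identifiers = Get-UsbStorageIdentifiers
$identifiers | Format-Table -AutoSize
$identifiers | Export-Csv -Path 'C:\Temp\usb-allowlist.csv' -NoTypeInformation
```

The DeviceId column is the full instance path the post recommends; because it ends in the device serial number it identifies one physical stick, which is what you want for a strict allow list. The HardwareIds column is coarser (it matches a vendor/product family rather than one unit), so use it only if you deliberately want to allow every stick of a given model.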

Management of Bluetooth

  • To block Bluetooth, you can set the following setting:

Block Specific device classes

To block specific device classes like FloppyDisk or SmartCardReader, you can set the following setting:

  • Enable the Prevent installation of devices using drivers that match these device setup classes setting
  • Also set the Also apply to matching devices that are already installed option to True
  • Open the following documentation to find a list of GUIDs, or run the following command: Get-PnpDevice | Select-Object FriendlyName, Class, ClassGUID
  • Insert the GUIDs in the Text field.
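Because the "also apply to already installed devices" option will disable matching hardware immediately once the profile is assigned, it pays to preview which present devices fall under the chosen setup classes first. The following PowerShell script is an added example (not from the original post) that does that check on a test machine. It assumes Windows 10/11 with the PnpDevice module; the two GUIDs are the documented system-defined class GUIDs for FloppyDisk and SmartCardReader, which you should still verify against the Microsoft list before relying on them.

```powershell
# Added example, not part of the original post.
# Previews which currently present PnP devices belong to the device setup
# classes you intend to block, so the impact can be checked before assignment.

function Get-DevicesInSetupClasses {
    param(
        # Class GUIDs as you would enter them in the Intune Text field, with or without braces.
        [Parameter(Mandatory)] [string[]] $ClassGuid
    )

    # Normalise to lower-case without braces so that comparison does not
    # depend on how the GUID was written.
    $wanted = $ClassGuid | ForEach-Object { $_.Trim('{}').ToLowerInvariant() }

    Get-PnpDevice -PresentOnly |
        Where-Object {
            $_.ClassGuid -and ($_.ClassGuid.Trim('{}').ToLowerInvariant() -in $wanted)
        } |
        Select-Object FriendlyName, Class, ClassGuid, Status, InstanceId
}

# Setup classes to block; constructed list matching the post's examples.
$classesToBlock = @(
    '{4d36e980-e325-11ce-bfc1-08002be10318}'   # FloppyDisk
    '{50dd5230-ba8a-11d1-bf5d-0000f805f530}'   # SmartCardReader
)

$affected = Get-DevicesInSetupClasses -ClassGuid $classesToBlock

if ($affected) {
    Write-Host "Devices on this machine that the policy would block:"
    $affected | Format-Table -AutoSize
} else {
    Write-Host "No present device belongs to the selected setup classes."
}
```

Run it on a representative device of each hardware model in scope; an unexpected entry in the output (for example a built-in smart card reader on a laptop that staff actually use) is exactly the kind of side effect the careful testing recommended earlier in the post is meant to catch.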

2 thoughts on “Management of external devices (peripherals) with Intune”

  1. Hi, do you maybe know how we can exclude SD cards from these ASR profiles? I get every time the same ID of the card – SD Card PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000

    So when I add this record every SD card will be excluded – USB sticks and other devices have a different ID every time, but the SD card always has the same…
    
    Do you have any idea how to fix it?
    