Managing external devices with Intune is one of the most effective ways to reduce the security risk of your end devices and to protect them from data loss or malicious hardware. By controlling peripherals such as USB sticks, Bluetooth accessories, and removable storage, you close a common attack vector. Intune Device Control, part of the attack surface reduction policies, has the answer for this. In this blog post we take a closer look at how to lock down external devices with Intune step by step.

Table of contents
- Create a Device Control Policy
- Management of removable storage
- Management of Bluetooth
- Block specific device classes
Create a Device Control Policy to manage external devices with Intune
- Open the Intune Portal
- Navigate to Endpoint security -> Attack surface reduction
- Click on + Create Policy
- Select Windows 10 and later as platform and Device Control as profile
- Enter a name and click Next
- From here we have a lot of different interesting settings. Let's look at the most interesting ones. You can find a detailed description of the different configurations in the sections below. (You can also find a list of all settings in the Microsoft documentation.)
- Once the configurations are created, click Next -> Next
- Create an assignment. Before you create a broader assignment, test the profile carefully.
- Click Next and Create to create the profile
Management of removable storage
Block removable storage
A core part of managing external devices with Intune is controlling removable storage. If you want to block removable devices completely, you can set Removable Disk Deny Write Access to Disable. You can learn more about the underlying setting in the official Microsoft Learn documentation.

Note: this setting does not block USB charging.
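To confirm on a pilot device that the deny-write setting actually took effect, the following script probes every mounted removable volume by creating and deleting a small file. It is an added example, not code from the original post; it assumes you run it interactively on an enrolled Windows client with a test USB stick plugged in.

```powershell
# Added example (not from the original post): check whether write access to
# removable drives is denied on a client that received the Device Control policy.
function Test-RemovableWriteAccess {
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    if (-not $removable) {
        Write-Host "No removable volume mounted. Plug in a test USB stick and re-run."
        return
    }

    foreach ($vol in $removable) {
        $root  = "$($vol.DriveLetter):\"
        $probe = Join-Path $root ("devicecontrol-probe-{0}.txt" -f [guid]::NewGuid())
        $result = [ordered]@{ Drive = $root; Label = $vol.FileSystemLabel }
        try {
            # Create and immediately remove a probe file. An access-denied error
            # means the deny-write policy (or a hardware write-protect switch)
            # is effective for this volume.
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $result.WriteAccess = 'Allowed'
        }
        catch {
            if ($_.Exception -is [System.UnauthorizedAccessException] -or
                $_.Exception.Message -match 'denied|write.?protected') {
                $result.WriteAccess = 'Denied'
            }
            else {
                $result.WriteAccess = "Error: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$result
    }
}

Test-RemovableWriteAccess | Format-Table -AutoSize
```

A result of Allowed on a device that is in scope of the policy usually means the policy has not synced yet; trigger a sync from Settings or the Company Portal and re-run before assuming the configuration is wrong. Note that a stick with a hardware write-protect switch also reports Denied, so test with a stick you know is writable.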
Allow only specific devices
When you manage external devices with Intune you rarely want to block everything. Instead, you can define exactly which USB sticks are allowed using reusable settings. You can do this with the following steps:
- Create a reusable setting by going back to the Attack surface reduction section and selecting Reusable settings
- Click +Add
- Enter a name and click Next
- Click +Add and +Edit instance
- Enter a name and an identifier for the device. The best way is to use the DeviceId.
- You can get the DeviceId in one of these two ways:
  - Open the Device Manager, select the device, and switch to the Details tab.
  - Run the following command:
Get-PnpDevice | Select-Object FriendlyName, DeviceID
- Click Next and Add
- Go back to the Attack Surface Reduction policy, in the Device Control section
- Click +Set reusable settings and select the previously created setting
- Click +Edit Entity
- Create an Allow list and specify the Access mask.
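The one-liner above lists every Plug and Play device on the machine, which is noisy when all you want is the ID of a single stick. The script below, an added example that is not part of the original post, narrows the output to USB storage devices that are currently connected and also prints their hardware IDs, which do not contain the serial number and therefore identify a model rather than one specific stick. It assumes a Windows client with the stick plugged in; the CSV path is a placeholder you can change.

```powershell
# Added example (not from the original post): collect identifiers of connected
# USB storage devices for use in an Intune Device Control reusable setting.
function Get-UsbStorageIdentifier {
    # USB mass-storage disks are enumerated under the USBSTOR bus; devices behind
    # a built-in (PCI) card reader are not, and their ID identifies the reader,
    # not the card inserted in it.
    $usbStorage = Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' }

    if (-not $usbStorage) {
        Write-Host "No USB storage device present. Plug in the stick you want to allow and re-run."
        return
    }

    foreach ($dev in $usbStorage) {
        # InstanceId is what Device Manager shows as "Device instance path" and
        # what the reusable setting refers to as the Device ID. It includes the
        # stick's serial number, so it identifies exactly one device.
        $hwIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                      -KeyName 'DEVPKEY_Device_HardwareIds').Data

        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            DeviceId     = $dev.InstanceId
            HardwareIds  = ($hwIds -join '; ')
        }
    }
}

$ids = Get-UsbStorageIdentifier
$ids | Format-List

# Placeholder path: keep the collected IDs with the change record for the policy.
$ids | Export-Csv -Path '.\allowed-usb-devices.csv' -NoTypeInformation
```

Use the DeviceId column for the reusable setting when you want to allow one particular stick, and keep the CSV next to your policy documentation so the allow list can be audited later.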

Management of Bluetooth
Bluetooth peripherals are another important part of managing external devices with Intune. To block Bluetooth, you can set the following setting:

Block specific device classes
Another scenario when managing external devices with Intune is blocking whole device categories. To block specific device classes like FloppyDisk or SmartCardReader, you can configure the following settings:
- Enable Prevent installation of devices using drivers that match these device setup classes
- Set Also apply to matching devices that are already installed to True
- Open the following documentation to find a list of GUIDs, or run the following command:
Get-PnpDevice | Select-Object FriendlyName, Class, ClassGUID
- Insert the GUIDs in the text field.
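Before you paste class GUIDs into the setting, it helps to see which classes exist on a representative client and how many devices each one covers, because blocking a broad class (for example one that a docking station or keyboard depends on) breaks more than intended. The script below is an added example and not code from the original post; it groups the present devices by setup class and, as an optional check that assumes the Intune setting lands in the same registry location as the equivalent Group Policy, shows the class GUIDs a client has already received.

```powershell
# Added example (not from the original post): inventory device setup classes on a
# client and, optionally, show which classes a delivered policy already blocks.
function Get-DeviceSetupClassInventory {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Class } |
        Group-Object -Property Class |
        ForEach-Object {
            [pscustomobject]@{
                Class     = $_.Name
                ClassGuid = $_.Group[0].ClassGuid
                Devices   = $_.Count
                Examples  = (($_.Group | Select-Object -First 3 -ExpandProperty FriendlyName) -join '; ')
            }
        } |
        Sort-Object Class
}

function Get-BlockedDeviceSetupClass {
    # Assumption: the ADMX-backed Intune setting writes to the same path as the
    # Group Policy "Prevent installation of devices using drivers that match these
    # device setup classes". Verify this on your own tenant before relying on it.
    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path "$restrictions\DenyDeviceClasses")) {
        Write-Host "No blocked device setup classes found under $restrictions."
        return
    }

    $retroactive = (Get-ItemProperty -Path $restrictions).DenyDeviceClassesRetroactive
    Write-Host "Also apply to already installed devices: $retroactive"

    # Each value under DenyDeviceClasses is one GUID; value names are just counters.
    (Get-ItemProperty -Path "$restrictions\DenyDeviceClasses").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Entry = $_.Name; ClassGuid = $_.Value } }
}

Get-DeviceSetupClassInventory | Format-Table -AutoSize
Get-BlockedDeviceSetupClass   | Format-Table -AutoSize
```

Run the inventory on a few different hardware models before finalising the GUID list: a class that is harmless to block on one laptop model can carry the built-in card reader or a docking-station component on another.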

Conclusion: managing external devices with Intune
Managing external devices with Intune gives you granular control over removable storage, Bluetooth, and entire device classes from a single Device Control policy. Start small, test your assignments carefully, and roll out broadly once you are confident. If you want to go deeper into endpoint hardening, check out my other posts on the jannikreinhard.com blog, and keep the Microsoft Learn Device Control overview handy as a reference. With these settings you have a solid foundation for managing external devices with Intune across your fleet.
Hi, do you know maybe how we can exclude SD cards from these ASR profiles? I have every time the same ID of card – SD Card PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000. So when I add this record, every SD card will be excluded. USB sticks and other devices have every time different IDs, but an SD card has every time the same… Do you have any idea how to fix it?