Management of external devices (peripherals) with Intune

To reduce the attack surface of end devices and protect them from data loss and from malicious devices, the management of peripherals deserves attention too. Intune covers this with attack surface reduction policies (the Device Control profile). This blog post takes a closer look at that topic.

Content

  1. Content
  2. Create a Device Control Policy
  3. Management of removable storages
    1. Block removable storages
    2. Allow only specific devices
  4. Management of Bluetooth
  5. Block Specific device classes

Create a Device Control Policy

  • Open the Intune Portal
  • Navigate to Endpoint security -> Attack surface reduction
  • Click on + Create Policy
  • Select Windows 10 and later as platform and Device Control as Profile
  • Enter a name and click Next
  • From here there are a lot of different settings. Let's look at the most interesting ones; the sections below describe the individual configurations in detail. (A list of all settings is linked here)
  • Once the configurations are in place click Next -> Next
  • Create an assignment

Before you create a broader assignment, test the profile carefully on a pilot group: a wrong device control rule can lock users out of hardware they need.

  • Click Next and Create to create the profile

Management of removable storages

Block removable storages

If you want to stop users from copying data to removable disks you can set Removable Disk Deny Write Access to Disable. Note what this setting does and does not do: it denies write access to removable storage, reading from an inserted stick is still possible. Because the value labels of this setting are easy to confuse, verify on a test device that a write to a USB stick is actually refused after the policy applies.

This setting does not block USB charging.

Allow only specific devices

If you want to define which USB stick is allowed you can do this with the following steps:

  • Create a reusable setting by going back to the Attack surface reduction section and selecting Reusable settings
  • Click +Add
  • Enter a name and click Next
  • Click +Add and +Edit instance
  • Enter a name and an identifier of the device. The best way is to use the DeviceId.
    • You can get the DeviceId in these two ways:
      • Open Device Manager, select the device and switch to the Details tab
      • Run the following command: Get-PnpDevice | Select-Object FriendlyName, DeviceID
    • The DeviceID that Get-PnpDevice returns is the device instance path (for example USBSTOR\DISK&VEN_...&PROD_...\<serial>&0). It only identifies an individual stick when the hardware reports a unique serial number in the last segment; devices that report a generic value there (such as 0000) cannot be told apart this way, so for those you have to match on a different property such as the hardware ID or VID/PID.
  • Click Next and Add
  • Go back to the Attack Surface Reduction policy in the Device Control section
  • Click +Set reusable settings and select the previously created setting
  • Click +Edit Entity
  • Create an Allow list and specify the Access mask
  • An Allow entry on its own changes nothing, because Device Control permits every device by default. To make the allow list effective, add a Deny entry for all other removable media (for example a second reusable setting that matches the removable media class) so that only the explicitly allowed sticks keep access.
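The following PowerShell is an added example to support the steps above; it is not part of the original post. It collects, for every removable disk that is currently plugged in, the identifiers a Device Control reusable setting can match on (instance path, hardware IDs, VID/PID, serial number) and flags units whose serial is generic and therefore unusable for a per-stick allow rule. It goes slightly beyond the USB-stick case by also listing SD cards behind an internal reader, since those enumerate on a different bus. It assumes the built-in PnpDevice module (Windows 10/11) and uses the property names from the Device Control documentation as column names; check them against the labels of the reusable settings form in your tenant.

```powershell
# Added example (not from the original post): enumerate removable disks and the
# identifiers Device Control can match on. Run in an elevated PowerShell on a
# test device with the sticks you intend to allow plugged in.

function Get-RemovableDiskIdentifiers {
    [CmdletBinding()]
    param()

    # USBSTOR-backed disks are the classic USB stick. SD cards behind an internal
    # reader usually enumerate on another bus (e.g. PCISTOR or SD) and are included
    # because they need separate handling.
    $disks = Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -match '^(USBSTOR|PCISTOR|SD)\\' }

    foreach ($disk in $disks) {
        $instanceId = $disk.InstanceId

        # Hardware IDs identify the model, not the individual unit
        # (e.g. USBSTOR\DiskSanDisk_Cruzer_Blade____1.00).
        $hardwareIds = (Get-PnpDeviceProperty -InstanceId $instanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds').Data

        # The last segment of the instance path carries the serial the device
        # reports; the trailing "&0" is the LUN suffix, not part of the serial.
        $serial = ($instanceId -split '\\')[-1] -replace '&\d+$', ''

        # The parent node (USB\VID_xxxx&PID_yyyy\serial) exposes vendor and product ID.
        $parent = (Get-PnpDeviceProperty -InstanceId $instanceId `
            -KeyName 'DEVPKEY_Device_Parent').Data
        $vidPid = if ($parent -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            "$($Matches[1])_$($Matches[2])"
        } else { $null }

        # A serial that is all zeros or very short does not distinguish one unit
        # from another: an allow entry on this instance path would match every card.
        $serialIsGeneric = ($serial -match '^0+$') -or ($serial.Length -lt 4)

        [PSCustomObject]@{
            FriendlyName    = $disk.FriendlyName
            InstancePathId  = $instanceId
            DeviceId        = $hardwareIds -join '; '
            VID_PID         = $vidPid
            SerialNumberId  = $serial
            SerialIsGeneric = $serialIsGeneric
        }
    }
}

Get-RemovableDiskIdentifiers | Format-List
```

Copy the InstancePathId of a stick with SerialIsGeneric = False into the reusable setting; for a device that shows SerialIsGeneric = True, fall back to the DeviceId or VID_PID column, knowing that this then allows every unit of that model.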

Management of Bluetooth

  • To block Bluetooth, configure the following setting:

Block Specific device classes

To block specific device classes such as FloppyDisk or SmartCardReader you can use the following setting:

  • Enable Prevent installation of devices using drivers that match these device setup classes
  • Also set the Also apply to matching devices that are already installed option to True. Be aware that this removes devices of the listed classes that are already present on the machine, so never put a class the system depends on (disk drives, keyboards, network adapters) into the list.
  • Open the following documentation to find a list of GUIDs, or run the following command: Get-PnpDevice | Select-Object FriendlyName, Class, ClassGUID
  • Insert the GUIDs into the text field
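The following PowerShell is an added example for this step, not code from the original post. It resolves setup class names to the GUIDs the text field expects from the local class registry (HKLM\SYSTEM\CurrentControlSet\Control\Class, where every {GUID} key carries a Class value with the short name), refuses to emit a list that contains a system-critical class, and shows which currently installed devices the list would hit before the policy is assigned. The set of critical class names is my own assumption and should be extended to whatever your devices depend on.

```powershell
# Added example (not from the original post): resolve device setup class names
# to GUIDs and preview the impact of a block list on this machine.

function Resolve-DeviceSetupClass {
    param([Parameter(Mandatory)][string[]]$ClassName)

    $classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
    # Every {GUID} key below Control\Class has a "Class" value with the short name
    # (e.g. FloppyDisk). This is the same mapping the Microsoft class list documents.
    $classes = Get-ChildItem -Path $classRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [PSCustomObject]@{ Name = $props.Class; Guid = $_.PSChildName }
    }

    foreach ($name in $ClassName) {
        $hit = $classes | Where-Object { $_.Name -eq $name }
        if (-not $hit) { Write-Warning "No setup class named '$name' on this machine"; continue }
        $hit
    }
}

function Test-DeviceSetupClassBlock {
    param([Parameter(Mandatory)][string[]]$ClassGuid)
    # Present devices in a blocked class: with "Also apply to matching devices that
    # are already installed" these are removed as soon as the policy lands.
    Get-PnpDevice -PresentOnly | Where-Object { $ClassGuid -contains $_.ClassGuid }
}

# Assumed list of classes that must never be blocked; extend it for your fleet.
$critical = 'DiskDrive', 'HDC', 'SCSIAdapter', 'Keyboard', 'Mouse', 'Net', 'System', 'USB', 'Display'

$wanted = Resolve-DeviceSetupClass -ClassName 'FloppyDisk', 'SmartCardReader'

$dangerous = $wanted | Where-Object { $critical -contains $_.Name }
if ($dangerous) {
    throw "Refusing to build a block list containing critical classes: $($dangerous.Name -join ', ')"
}

# One GUID per line, braces included, is the form the Intune text field takes.
Write-Host "GUIDs for the policy text field:"
$wanted | ForEach-Object { $_.Guid }

# Preview: which devices on this machine would be affected?
Write-Host "Devices on this machine that the list would hit:"
Test-DeviceSetupClassBlock -ClassGuid $wanted.Guid |
    Select-Object FriendlyName, Class, InstanceId | Format-Table -AutoSize
```

Run the preview on a representative device of every hardware model before assigning the policy; an empty preview on your admin workstation says nothing about a laptop with a built-in smart card reader.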

Comments

  1. Hi, do you know maybe how we can exclude SD cards from these ASR profiles? I get the same ID of the card every time – SD Card PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000

    So when I add this record every SD card will be excluded – USB sticks and other devices have a different ID every time, but the SD card always has the same one…

    Do you have any idea how to fix it?
