Easier managing Device Control in Microsoft Defender for Endpoint using Microsoft Intune

This week is all about easier managing the basics of Device Control in Microsoft Defender for Endpoint using Microsoft Intune. Configuring the different aspects of the Device Control feature on Windows devices has been possible for a while; the configuration of some aspects just became a lot easier. In general, the Device Control features enable IT administrators to control whether users can install and use peripheral devices, such as removable storage, printers, or Bluetooth devices. In the end, the Device Control feature provides IT administrators with more tools to protect organizations from cyberthreats, such as potential data loss or malware, by reducing the attack surface. Nowadays there are many different configuration options and different configuration profiles. This post will focus on the basic configuration that got fundamentally easier, as it no longer relies on custom configuration profiles.

Configuring Device Control using Settings Catalog

When looking at the configuration of the Device Control feature, it all starts with the Defender CSP. That CSP contains the different configuration options for configuring the different Device Control features. Some specific features require sidesteps to separate CSPs, as described in this post about getting started with Device Control Printer Protection. By default, the Device Control feature is disabled and there are no specific restrictions about which devices can be added. Once the device is onboarded in Defender for Endpoint, the auditing of the basic Device Control events is automatically enabled. For configuring the Device Control feature, such as enabling the feature, configuring the default enforcement, and configuring the secured device types, Microsoft Intune now provides the required settings. Those settings previously required custom device configuration profiles. An overview of those settings and their main usage is summarized in the table below.

| Setting | Friendly name | URI | Description |
| --- | --- | --- | --- |
| Enable device control | Device Control Enabled | DeviceControlEnabled | This setting can be used to enable or disable the device control feature on the device. |
| Device control default enforcement | Default Enforcement | DefaultEnforcement | This setting can be used to configure the device control default enforcement when none of the configured policy rules match. |
| Device types | Secured Devices Configuration | SecuredDevicesConfiguration | This setting can be used to configure the device types (identified by their Primary IDs) with device control protection turned on. |

Note: All settings are available in the configuration node of the Defender CSP: ./Vendor/MSFT/Defender/Configuration.

Now those settings are directly available via the Device Control profile and via the Settings Catalog. The former, however, doesn’t contain all of the settings yet, while the latter does. That makes the Settings Catalog the preferred option for configuring all the different settings. The following 8 steps can be used to configure the basics of the Device Control feature by using the Settings Catalog: enabling the feature, configuring the default enforcement, and configuring the secured device types.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New Policy
  3. On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
  • Click Add settings, navigate to Defender and select the following settings in Settings picker
    1. Device Control Enabled (DeviceControlEnabled)
    2. Default Enforcement (DefaultEnforcement)
    3. Secured Devices Configuration (SecuredDevicesConfiguration)
  • Configure the following values for the different settings
    1. Select Device Control is enabled with Device Control Enabled (1) to enable the Device Control feature
    2. Switch Default Enforcement to Default Deny Enforcement (2) to deny devices by default
    3. Choose between Removable Media Devices, Cd Rom Devices, Wpd Devices, Printer Devices with Secured Devices Configuration (3) to configure the device types that are protected by Device Control
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the required users or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Experiencing Device Control on Windows devices

After applying the configuration to enable and configure the Device Control feature on Windows devices, there are multiple methods to easily verify the configuration. That can be done via Defender for Endpoint by checking the device events, but it can also be done by verifying the behavior or configuration locally on the device. The latter in particular might be the easiest method to verify the currently applied configuration on the device. The Get-MpComputerStatus cmdlet provides IT administrators with an overview of the applied Defender configuration on the device. As shown below in Figure 2, simply use Get-MpComputerStatus | Select DeviceControl* to get an overview of the applied configuration with the focus on Device Control.
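The following script is an added example (not from the original post) that turns the manual Get-MpComputerStatus check into a comparison against the posture configured in the steps above: feature enabled, default deny enforcement, and the selected device types. The DeviceControlState and DeviceControlDefaultEnforcement property names, and the MDM_Defender_Configuration01 class of the MDM Bridge WMI provider used to read the SecuredDevicesConfiguration node, are assumptions.

```powershell
# Added verification script (not part of the original post). It reads the locally
# applied Device Control settings and compares them with the expected posture.
# Assumed names: the DeviceControlState / DeviceControlDefaultEnforcement
# properties of Get-MpComputerStatus and the MDM_Defender_Configuration01 class.

$expectedState       = 'Enabled'
$expectedEnforcement = 'DefaultDeny'
# Device types chosen in Secured Devices Configuration (pipe-separated in the CSP node)
$expectedTypes       = 'RemovableMediaDevices', 'CdRomDevices', 'WpdDevices', 'PrinterDevices'

$status   = Get-MpComputerStatus | Select-Object DeviceControl*
$findings = [System.Collections.Generic.List[string]]::new()

if ($status.DeviceControlState -ne $expectedState) {
    $findings.Add("DeviceControlState is '$($status.DeviceControlState)', expected '$expectedState'")
}
if ($status.DeviceControlDefaultEnforcement -ne $expectedEnforcement) {
    $findings.Add("DeviceControlDefaultEnforcement is '$($status.DeviceControlDefaultEnforcement)', expected '$expectedEnforcement'")
}

# The secured device types are not exposed by Get-MpComputerStatus, so read them
# from the Defender CSP configuration node (./Vendor/MSFT/Defender/Configuration)
# through the MDM bridge. That bridge is only readable as SYSTEM; skip otherwise.
try {
    $csp = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                           -ClassName 'MDM_Defender_Configuration01' -ErrorAction Stop
    $appliedTypes = ($csp.SecuredDevicesConfiguration -split '\|') | Where-Object { $_ }
    $missing = $expectedTypes | Where-Object { $_ -notin $appliedTypes }
    if ($missing) {
        $findings.Add("SecuredDevicesConfiguration lacks: $($missing -join ', ')")
    }
} catch {
    Write-Warning "CSP node not readable ($($_.Exception.Message)); run as SYSTEM to check SecuredDevicesConfiguration"
}

# Show the raw DeviceControl* values, then the comparison result
$status | Format-List
if ($findings.Count -eq 0) {
    Write-Output 'Device Control configuration matches the expected posture'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it shortly after the profile is assigned; a mismatch on a device that has synced usually means the Settings Catalog profile has not been applied yet or a conflicting profile is targeting the same settings.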

More information

For more information about Microsoft Defender Device Control on Windows devices, refer to the following docs.
