Microsoft Defender for Endpoint has a really cool feature to protect devices against data loss. Of course, this feature couldn't have any other name than Windows Defender Device Control. It provides a layered approach to securing removable hardware like external hard drives. When making use of Device Control you can make sure there is no possibility for users to install specific hardware on their devices, or you can make sure removable storage can't be used at all!

2. Configuring Device Control in Intune

The only prerequisite? You need to make sure Microsoft Defender for Endpoint is enabled and active. If you have configured another AV, Microsoft Defender will be running in passive mode and Device Control will probably not work.

Like always, open Intune and click on Endpoint Security -> Attack Surface Reduction to start creating a new policy. The first part of the policy (hardware device installation) is sometimes difficult to understand and configure, so that is the part this post concentrates on; the second part, about allowing removable storage, sort of speaks for itself.

These settings allow you to create allow lists or deny lists based on hardware IDs, or allow lists (and deny lists) based on specific device class GUIDs. This lets us secure the environment based on the specific hardware that is allowed to connect. When you configure a block policy it applies on the device itself, so even if your end users are configured as local administrators, the installation will be blocked.

Block / Allow hardware device installation by device identifiers

Specific hardware IDs you configure in this policy are forbidden and blocked from being installed. PLEASE NOTE: the device ID isn't the PnP ID but the Hardware ID.

* How to find the Device/Hardware ID with the device manager
* How to find the Device/Hardware ID with PowerShell?

Get-WmiObject Win32_PNPEntity | select name,hardwareid | sort-object hardwareid | Get-Unique -asstring | fl

Block / Allow hardware device installation by setup classes

Device class GUIDs entered here are disallowed from installing. Prevent policies have higher priority than allow policies: if a device class GUID is configured in both the allow and the disallow policy, devices of that class will not be allowed to install.

* How to find the Class GUID with the device manager
* How to find the Class GUID with PowerShell?

While I was looking at the device class GUIDs I realised I also did a blog on this topic some time ago. That blog shows how to allow normal users to install printer drivers on their own.
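To make the two identifiers and the precedence rules concrete, here is an added PowerShell example (my own, not code from the original post). It first builds an inventory of every present PnP device with its PnP instance ID, hardware IDs and setup class GUID, so you can see the difference between the PnP ID and the Hardware ID the policy actually matches on. It then evaluates a device against allow/deny lists using only the two rules the post states: a prevent entry always wins, and an identifier on both lists is still blocked. It assumes the built-in PnpDevice module (Windows 10/11) is available; the policy lists and the hardware ID in the demonstration are constructed placeholders, and the class GUID used is the well-known disk-drive setup class.

```powershell
# Added example, not from the original post. Requires the built-in PnpDevice
# module (Windows 10/11, Windows PowerShell 5.1 or PowerShell 7).

function Get-DeviceInstallInventory {
    # One row per present PnP device with the identifiers Device Control keys on.
    Get-PnpDevice -PresentOnly | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.FriendlyName
            InstanceId = $_.InstanceId     # PnP ID: informational, NOT what the policy matches
            HardwareId = @($_.HardwareID)  # matched by the "device identifiers" setting
            ClassGuid  = $_.ClassGuid      # matched by the "setup classes" setting
            Class      = $_.Class
        }
    }
}

function Test-DeviceInstallPolicy {
    # Models only the precedence described in the post: deny beats allow,
    # and an entry present on both lists results in a block.
    param(
        [Parameter(Mandatory)] [string[]] $HardwareId,
        [Parameter(Mandatory)] [string]   $ClassGuid,
        [string[]] $AllowHardwareId = @(),
        [string[]] $DenyHardwareId  = @(),
        [string[]] $AllowClassGuid  = @(),
        [string[]] $DenyClassGuid   = @()
    )
    # Normalise case and strip the braces Windows puts around GUIDs.
    $hw       = $HardwareId      | ForEach-Object { $_.ToUpperInvariant() }
    $allowHw  = $AllowHardwareId | ForEach-Object { $_.ToUpperInvariant() }
    $denyHw   = $DenyHardwareId  | ForEach-Object { $_.ToUpperInvariant() }
    $cls      = $ClassGuid.Trim('{}').ToUpperInvariant()
    $allowCls = $AllowClassGuid  | ForEach-Object { $_.Trim('{}').ToUpperInvariant() }
    $denyCls  = $DenyClassGuid   | ForEach-Object { $_.Trim('{}').ToUpperInvariant() }

    $hwDenied   = @($hw | Where-Object { $denyHw  -contains $_ }).Count -gt 0
    $hwAllowed  = @($hw | Where-Object { $allowHw -contains $_ }).Count -gt 0
    $clsDenied  = $denyCls  -contains $cls
    $clsAllowed = $allowCls -contains $cls

    # Prevent policies have higher priority than allow policies.
    if ($hwDenied)  { return [pscustomobject]@{ Blocked = $true;  Reason = 'hardware ID on deny list' } }
    if ($clsDenied) { return [pscustomobject]@{ Blocked = $true;  Reason = 'class GUID on deny list' } }
    if ($hwAllowed -or $clsAllowed) {
        return [pscustomobject]@{ Blocked = $false; Reason = 'explicitly allowed' }
    }
    [pscustomobject]@{ Blocked = $false; Reason = 'no matching entry in either list' }
}

# Inventory: what a hardware ID and a class GUID look like on this machine.
Get-DeviceInstallInventory |
    Where-Object { $_.Class -eq 'DiskDrive' -or $_.Class -eq 'USB' } |
    Format-List Name, InstanceId, HardwareId, ClassGuid

# Constructed demonstration (placeholder policy data, not taken from any tenant):
# the disk-drive class is on the allow list AND the deny list.
$policy = @{
    AllowClassGuid = @('{4d36e967-e325-11ce-bfc1-08002be10318}')   # well-known DiskDrive class
    DenyClassGuid  = @('{4d36e967-e325-11ce-bfc1-08002be10318}')
    DenyHardwareId = @('USBSTOR\DiskExampleVendorExampleStick')    # constructed hardware ID
}
Test-DeviceInstallPolicy -HardwareId 'USBSTOR\DiskOtherVendorOtherStick' `
    -ClassGuid '{4D36E967-E325-11CE-BFC1-08002BE10318}' @policy
```

Running the demonstration returns Blocked = True with the reason "class GUID on deny list", because the class appears on both lists and the prevent entry takes precedence. Feed the HardwareId and ClassGuid columns from the inventory into the same function to check how a planned policy would treat the devices you actually have before you assign it in Intune.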