
Raven is a Miniature Schnauzer that doesn’t like small critters in the yard unless they can fly. This gives Raven an insurmountable challenge, since my wife is such an avid gardener. We live on the side of a hill, and at the top of the backyard is a manmade bog which feeds a downhill river to a pond with trees and flowers everywhere. Along with this are bird feeders, and some birds love to scatter the feed from the feeders to the ground. So, our back yard is a perfect setting to attract a lot of squirrels, chipmunks, etc. When we go out the back door to the yard, Raven races out trying to catch up with the critters, but she just isn’t fast enough, and all the animals disperse quickly.

This chaos makes me think about enterprise admins who are concerned about controlling the dispersion of enterprise data onto unapproved USB storage devices. Expecting users to only use USB storage devices that are approved by corporate guidelines, without built-in security controls to enforce it, is a goal admins will never achieve. It is similar to Raven ever catching a squirrel out back; it just won’t happen. Someone will forget a device, or they just don’t appreciate the governance definition and will plug in any storage device they have access to. On top of that, there are many stories on the internet about attackers loading USB storage devices with malware and intentionally placing them where a target victim will find them. The victim then connects the USB device to their workstation and unknowingly gets compromised.

Fortunately, Microsoft has built security controls into our modern operating systems to assist our customers in controlling which USB devices can be used. The explanation below covers USB storage, but it really pertains to ALL USB devices that can be controlled. So, let’s walk through the management and control of devices.

USB Device management on Windows

Once a USB device has been inserted on a Windows host, its device driver(s) have been installed and the ability to prevent its use is no longer available until the driver(s) have been removed/uninstalled. The steps for uninstall/removal are defined later in this document, under Revoke previously used USB storage.

NOTE: Always test and refine these settings with a pilot group of users and devices first, before widely distributing to your organization!

USB device management with Group Policy

To block all removable storage

Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access:

  • “Set time (in seconds) to force reboot”
    • 3600
      • Note: If no reboot is forced, the access right does not take effect until the operating system is restarted.
      • The example setting above gives the user one hour before the system reboots
  • “All Removable Storage classes: Deny all Access”
    • Enabled

Manage what type of USB devices can be used

The Group Policy controls are located at:
Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions

To allow certain storage types

  • “Set time (in seconds) to force reboot”
    • 3600
      • Note: If no reboot is forced, the access right does not take effect until the operating system is restarted.
      • The example setting above gives the user one hour before the system reboots
  • “Prevent installation of devices not described by other policy settings”
    • Enabled
      • If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the “Allow installation of devices that match any of these device IDs” or the “Allow installation of devices for these device classes” policy setting.

To define unique devices allowed to be installed

  • “Allow installation of devices that match any of these device IDs”
    • Enabled
      • Show
        • Value = Hardware IDs (captured from Device Manager)

[Image: USB7.PNG]

[Image: USB2.PNG]

To define unique classes of devices

  • “Allow installation of devices for these device setup classes”
    • Enabled
      • Show
        • Value – {4D36E96B-E325-11CE-BFC1-08002BE10318}
        • Value – {4D36E96F-E325-11CE-BFC1-08002BE10318}

Example highlighted in yellow for keyboard and mouse classes.

[Image: USB9.PNG]

[Image: USB4.PNG]

Notifications to users

  • “Display a custom message title when device installation is prevented by a policy setting”
    • Message “Title” for the pop-up box shown when the user attempts to install an unapproved device
  • “Display a custom message when installation is prevented by a policy setting”
    • Message “Body” for the pop-up box shown when the user attempts to install an unapproved device

USB device management with Intune

To block all removable storage

  • Ensure that the device is a Modern Managed Intune device
  • Portal – https://endpoint.microsoft.com/#home
    • Microsoft Modern Managed Desktop
  • Select “Devices”
  • Select “Configuration profiles”
  • Select “+ Create profile”
    • Platform = “Windows 10 and later”
    • Profile = “Device Restrictions”
      • Create
    • Name = “Block All USB Storage”
    • Description = “Optional”
      • Next
    • Select “General”
      • “Removable storage” = “Block”
      • Next
    • Select “+ Select groups to include”
      • Select user(s)/group(s)
        • Select
      • Next
      • Next
    • Create

Manage what type of USB devices can be used

To manage USB control from Intune, a “Configuration Profile” will need to be created.

https://endpoint.microsoft.com

  • Select “Devices”
  • Select “Configuration profiles”
  • Select “+ Create profile”
    • Platform = “Windows 10 and later”
    • Profile = “Administrative Templates”
      • Create
    • Name = “USB Storage Control”
    • Description = “Optionally enter a value”
      • Next
    • Computer Configuration > System > Device Installation > Device Installation Restrictions

[Image: USB5.PNG]

There are 5 configuration settings that will allow you to control the use of USB devices.

  • Allow installation of devices that match any of these device IDs
    • Defines the set of hardware IDs allowed on the devices managed by this policy
  • Allow installation of devices using drivers that match these device setup classes
    • Defines the set of device setup classes allowed on the devices managed by this policy
  • Prevent installation of devices not described by other policy settings
    • If enabled, only devices matched by the allow settings above can be installed; everything else is denied
  • Prevent installation of devices that match any of these device IDs
    • Defines the set of hardware IDs denied on the devices managed by this policy
  • Prevent installation of devices using drivers that match these device setup classes
    • Defines the set of device setup classes denied on the devices managed by this policy

To enable the ability to restrict devices

  • “Enable” – Prevent installation of devices not described by other policy settings

[Image: USB6.PNG]

To define unique devices allowed to be installed

  • Allow installation of devices that match any of these device IDs
    • Enabled
      • Value = Hardware IDs (captured from Device Manager)

[Image: USB7.PNG]

[Image: USB8.PNG]

To define unique classes of devices

  • “Allow installation of devices using drivers that match these device setup classes”
    • Enabled
      • Value = {4D36E96B-E325-11CE-BFC1-08002BE10318}
      • Value = {4D36E96F-E325-11CE-BFC1-08002BE10318}

Example highlighted in yellow for keyboard and mouse classes.

[Image: USB9.PNG]

[Image: USB10.PNG]

Revoke previously used USB storage

Uninstall device driver(s) via Device Manager

USB devices that have already been used have had their device driver installed, therefore control of these devices won’t work until the drivers have first been uninstalled. Looking at the Device Manager console image below, there are two USB storage devices in use: an approved SanDisk and an unapproved Generic USB drive.

[Image: USB11.PNG]

Right-clicking on the device gives the admin the option to select “Uninstall”. Once the device has been uninstalled it can no longer be used on this host, since the policy controls the installation of the driver for the USB device.

[Image: USB12.PNG]

Uninstall device driver(s) via Devcon

In a large enterprise, visiting individual workstations isn’t reasonable, so processing from a command line will be necessary.

Devcon is part of the Windows Driver Kit (WDK), so in order to gain access to it an instance of the WDK will need to be installed. Installing the WDK by itself won’t make it fully usable, since it requires Visual Studio, but since you are only looking to gain access to Devcon there is no need to install Visual Studio (VS). It would be best to complete this install on a lab device, so as not to pollute a desktop with unnecessary binaries, and just copy the files needed.

Downloads:

https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

Steps required to install WDK to gain access to Devcon

[Image: USB13.PNG]
  • Next

[Image: USB14.PNG]
  • Next

[Image: USB15.PNG]
  • Next

[Image: USB16.PNG]
  • Accept

[Image: USB17.PNG]

[Image: USB18.PNG]
  • Close

[Image: USB19.PNG]

Once completed, find the binaries that will be needed. Generally it will be x64 and possibly x86, but x64, x86, arm and arm64 will all be available. Copy the files to the desired host.

[Image: USB20.PNG]

Subset of Devcon commands for USB storage

Note: Be extremely careful!  ALL devices for the host are exposed with this utility.  You could damage the host irreparably if the wrong drivers are removed.

Devcon Examples:

Change directory to the Devcon binary that will be used for the process

Example: cd "C:\Program Files (x86)\Windows Kits\10\Tools\x64"

List all connected disk drives

This isn’t just USB drives; every disk drive on the host is shown by this command

devcon hwids =DiskDrive

Remove specific drivers for defined USB drives

If a drive was added prior to the policy, then the driver already exists and will allow the user to continue to use an unapproved device

devcon /r remove <HdwId>

Example: devcon /r remove USBSTOR\Disk________________________0.00

Devcon command line syntax

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon-examples
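As an added example (not from the original article), the PowerShell script below ties the two halves of this process together: it reads the allow list that the Group Policy / Intune “Allow installation of devices that match any of these device IDs” setting writes to the registry, compares it with the hardware and compatible IDs of USB storage devices already installed on the host (the same IDs captured from Device Manager above), and reports which ones still need their driver revoked with Devcon. The registry paths and DEVPKEY names are the standard Device Installation Restrictions locations; it assumes an elevated session on a Windows 10/11 host.

```powershell
# Added example, not the article's own code. Audits USB storage devices already installed
# on this host against the policy allow list and lists those whose driver must still be
# uninstalled before "Prevent installation of devices not described by other policy
# settings" can take effect. Assumes an elevated PowerShell session on Windows 10/11.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-AllowedDeviceIds {
    # The policy stores each allowed ID as its own string value ("1", "2", ...) under AllowDeviceIDs.
    $key = Join-Path $Restrictions 'AllowDeviceIDs'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Get-InstalledUsbStorage {
    # Disk-class devices enumerated by the USB storage bus (instance IDs start with USBSTOR\).
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hw  = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
            $cid = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_CompatibleIds').Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                Ids          = @($hw) + @($cid)   # the policy accepts a match on either list
            }
        }
}

# Without DenyUnspecified = 1 the allow list is never enforced, so say so up front.
$deny = (Get-ItemProperty -Path $Restrictions -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
if ($deny -ne 1) {
    Write-Warning 'DenyUnspecified is not 1: devices outside the allow list are still installable here.'
}

$allowed = @(Get-AllowedDeviceIds)
foreach ($dev in Get-InstalledUsbStorage) {
    # -contains compares case-insensitively, matching how the policy evaluates IDs.
    $match = $dev.Ids | Where-Object { $allowed -contains $_ }
    if ($match) {
        "ALLOWED  $($dev.FriendlyName)  [$($dev.InstanceId)]"
    } else {
        # Installed before the policy arrived, so it keeps working until the driver is removed;
        # the @ prefix tells devcon the argument is a device instance ID rather than a hardware ID.
        "REVOKE   $($dev.FriendlyName)  [$($dev.InstanceId)]"
        "         e.g. devcon /r remove `"@$($dev.InstanceId)`""
    }
}
```

Run it on a pilot host after the policy has applied; an empty allow list with DenyUnspecified set means every USB disk will be reported for revocation, which is the expected result for a deny-all configuration.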

Find USB Storage in use with Microsoft Defender ATP

With Microsoft Defender ATP you can use the “Advanced Hunting” portal to search for USB devices that have been mounted on your users’ devices that are managed by MD ATP.

Advanced Hunting

https://securitycenter.windows.com/

  • Select “Advanced Hunting”
  • Select the “Query” tab
  • Copy and paste one of the queries below into the Query window
    • Click “Run Query”

[Image: USB21.PNG]

Query for Mounted Storage

The query below will list ALL Defender clients that have mounted a USB storage device in the past day. This can extend further back by adjusting the ago(1d) value in the Timestamp filter.

// Find all "Mounted" storage activity within the past day
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend Volume = parse_json(AdditionalFields).Volume
| project DeviceName, DeviceId, Timestamp, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume

Query for Mounted Storage that isn’t approved

The query below will list ALL Defender clients that have mounted a USB storage device in the past day that isn’t part of a defined set of approved Manufacturer and Product Name values. This can extend further back by adjusting the ago(1d) value in the Timestamp filter.

// Find all "Mounted" storage activity that isn't approved via "Manufacturer" and "ProductName" within the past day
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend Volume = parse_json(AdditionalFields).Volume
| extend ClassName = parse_json(AdditionalFields).ClassName
// A device is approved only when BOTH manufacturer and product match, so flag anything that fails either check
| where Manufacturer !startswith "SanDisk" or ProductName !startswith "Extreme Pro"
| project ClassName, DeviceName, DeviceId, Timestamp, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume

Query for storage connectivity attempts

The query below will list ALL Defender clients that have attempted to connect a USB storage device. This includes both successful and unsuccessful attempts. This can extend further back by adjusting the ago(1d) value in the Timestamp filter.

// Find all storage device connection activity in the past day
DeviceEvents
| where ActionType == "PnpDeviceConnected" and Timestamp > ago(1d)
| extend ClassName = parse_json(AdditionalFields).ClassName
| extend DeviceId = parse_json(AdditionalFields).DeviceId
| extend VendorIds = parse_json(AdditionalFields).VendorIds
| extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
| project ClassName, DeviceDescription, Timestamp, DeviceId, VendorIds, DeviceName
| where ClassName contains "drive" or ClassName contains "usb"

Query for storage connectivity attempts or mounts

The query below will list ALL Defender clients that have attempted to connect or mount a USB storage device. This includes both successful and unsuccessful attempts. This can extend further back by adjusting the ago(1d) value in the Timestamp filter.

// List all Disk storage connection or mount activities in the past day
DeviceEvents
| where (ActionType == "UsbDriveMount" or ActionType == "PnpDeviceConnected") and Timestamp > ago(1d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend ClassName = parse_json(AdditionalFields).ClassName
| extend Volume = parse_json(AdditionalFields).Volume
| extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
| project Timestamp, DeviceName, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume, ClassName, DeviceDescription, DeviceId
| where ClassName contains "drive" or ClassName contains "usb" or DriveLetter contains ":"

Well, that covers it for this edition of USB management control. So, unfortunately for Raven, there is no way for her to define “Critters allowed in the yard”, but there are built-in control features available for Windows desktop and server admins to control what USB devices can be plugged into managed devices.
