Device control policy sample: File Evidence

Description: This policy applies to removable storage, CD-DVD and WPD devices (group Any Removable Storage and CD-DVD and WPD Group_1) and creates file evidence, without a copy of the file, for the matched file access, so that file activity on these devices is audited. The sample has no macOS policy: Primary ID [CdRomDevices] is not supported on macOS.
Device Type: Windows Removable Device

A device control policy is a combination of policy rules, groups and settings.
This sample is built from the files listed under Files below.
To configure the sample, follow the Deployment Instructions below.

Policy Rules

| Name | Included Devices | Excluded Devices | Rule Type | Disk Read | Disk Write | Disk Execute | File Read | File Write | File Execute | Notification | Conditions |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Audit File Information | Group: Any Removable Storage and CD-DVD and WPD Group_1 | - | Allow | - | - | - | - | ✓ | - | Create file evidence without file (16) | - |

Groups

Any Removable Storage and CD-DVD and WPD Group_1

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
|---|---|
| PrimaryId | RemovableMediaDevices |
| PrimaryId | CdRomDevices |
| PrimaryId | WpdDevices |

```xml
<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
	<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrimaryId>RemovableMediaDevices</PrimaryId>
		<PrimaryId>CdRomDevices</PrimaryId>
		<PrimaryId>WpdDevices</PrimaryId>
	</DescriptorIdList>
</Group>
```
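To see what the group and the rule in the table above resolve to before deploying them, here is an added Python example (not code from the device control sample repository). It parses the sample's group and rule XML as copied from this page, verifies that every GroupId the rule references is defined, decodes the entry's AccessMask and Options into names, and flags the macOS caveat the page states for CdRomDevices. The AccessMask bit names and the Options value 32 are assumptions taken from Microsoft's device control documentation; the Options value 16 is confirmed by this page.

```python
"""Parse and sanity-check a Defender device control policy (groups + rule).

Added example; not part of the device control sample repository.
"""
import xml.etree.ElementTree as ET

# Group and rule XML copied from the sample on this page.
GROUPS_XML = """<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
    <Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>"""

RULES_XML = """<PolicyRules>
  <PolicyRule Id="{b8615f3d-a41e-4c70-a70a-88e7b7aa7768}">
    <Name>Audit File Information</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <Entry Id="{ae40741a-cc96-42b7-9dab-f5ba59adef8a}">
      <Type>Allow</Type>
      <AccessMask>16</AccessMask>
      <Options>16</Options>
    </Entry>
  </PolicyRule>
</PolicyRules>"""

# AccessMask bits as documented by Microsoft for Windows device control
# (assumption taken from the documentation, not from this page).
ACCESS_BITS = {1: "Device Read", 2: "Device Write", 4: "Device Execute",
               8: "File Read", 16: "File Write", 32: "File Execute", 64: "Print"}
# Options bits: 16 is confirmed by this page's rule table; 32 is an
# assumption from Microsoft's documentation.
OPTION_BITS = {16: "Create file evidence without file",
               32: "Create file evidence with file"}
# The page's sample metadata reports this Primary ID as unsupported on macOS.
MAC_UNSUPPORTED_PRIMARY_IDS = {"CdRomDevices"}


def decode_bits(value, table):
    """Name the set bits of a mask; unknown bits are reported, not dropped."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown bits {unknown}")
    return names


def load_groups(groups_xml):
    """Map group Id -> name, match type and the list of PrimaryId values."""
    groups = {}
    for group in ET.fromstring(groups_xml).findall("Group"):
        groups[group.get("Id")] = {
            "name": group.findtext("Name"),
            "match_type": group.findtext("MatchType"),
            "primary_ids": [p.text.strip() for p in group.find("DescriptorIdList")],
        }
    return groups


def check_policy(groups_xml, rules_xml):
    """Return (decoded entries, findings) for every rule in rules_xml."""
    groups = load_groups(groups_xml)
    entries, findings = [], []
    for rule in ET.fromstring(rules_xml).findall("PolicyRule"):
        name = rule.findtext("Name")
        included = rule.findall("IncludedIdList/GroupId")
        if not included:
            findings.append(f"{name}: no included group, the rule matches nothing")
        for gid_el in included + rule.findall("ExcludedIdList/GroupId"):
            gid = gid_el.text.strip()
            if gid not in groups:
                findings.append(f"{name}: references undefined group {gid}")
                continue
            for pid in sorted(MAC_UNSUPPORTED_PRIMARY_IDS & set(groups[gid]["primary_ids"])):
                findings.append(f"{name}: group {groups[gid]['name']} uses {pid}, "
                                "which is not supported on macOS")
        for entry in rule.findall("Entry"):
            entries.append({
                "rule": name,
                "entry_id": entry.get("Id"),
                "type": entry.findtext("Type"),
                "access": decode_bits(int(entry.findtext("AccessMask", "0")), ACCESS_BITS),
                "options": decode_bits(int(entry.findtext("Options", "0")), OPTION_BITS),
            })
    return entries, findings


if __name__ == "__main__":
    decoded, issues = check_policy(GROUPS_XML, RULES_XML)
    for e in decoded:
        print(f"{e['rule']}: {e['type']} access={e['access']} options={e['options']}")
    for issue in issues:
        print("finding:", issue)
```

Run as a script it prints one line per entry and one line per finding; for this sample the single entry decodes to Allow with File Write access and the "without file" evidence option, and the only finding is the macOS note for CdRomDevices. A dangling GroupId or an empty IncludedIdList would surface as a finding before the policy ever reaches a device.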

Settings

| Setting Name | Setting Value |
|---|---|
| DeviceControlEnabled | True |
| DefaultEnforcement | Allow |
| DataDuplicationDirectory | Enter the directory to store files locally |

Files

This policy is based on information in the following files:

  • windows/device/Group Policy/Any Removable Storage and CD-DVD and WPD Group.xml
  • windows/device/Group Policy/Audit File Information.xml

Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

Windows

Intune UX

Create a reusable setting for Any Removable Storage and CD-DVD and WPD Group_1
1. Navigate to Home > Endpoint Security > Attack Surface Reduction
2. Click on Reusable Settings
3. Click (+) Add
4. Enter Any Removable Storage and CD-DVD and WPD Group_1 for the name.
5. Optionally, enter a description
6. Click on "Next"
7. Set the match type toggle to MatchAny
8. Click "Next"
9. Click "Add"

Create a Device Control Rules configuration profile
1. Navigate to Home > Endpoint Security > Attack Surface Reduction
2. Click on "Create Policy"
3. Under Platform, select "Windows 10 and later"
4. Under Profile, select "Device Control Rules"
5. Click "Create"
6. Under Name, enter a name for the policy
7. Optionally, enter a description
8. Click "Next"

Add a rule for Audit File Information to the policy
1. Click on "+ Set reusable settings" under Included Id
2. Click on Any Removable Storage and CD-DVD and WPD Group_1
3. Click on "Select"
4. Click on "+ Edit Entry"
5. Enter Audit File Information for the name
6. Select Allow from "Type"
7. Select Create file evidence without file from "Options"
8. Under "Access mask", select File Write (AccessMask 16 in the rule XML)
9. Click "OK"

Group Policy (GPO)

Define device control policy groups
1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
2. Save the XML below to a network share.

```xml
<Groups>
	<Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData -->
		<Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>RemovableMediaDevices</PrimaryId>
			<PrimaryId>CdRomDevices</PrimaryId>
			<PrimaryId>WpdDevices</PrimaryId>
		</DescriptorIdList>
	</Group>
</Groups>
```

3. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.

Define device control policy rules
1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
2. Save the XML below to a network share.

```xml
<PolicyRules>
	<PolicyRule Id="{b8615f3d-a41e-4c70-a70a-88e7b7aa7768}">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb8615f3d-a41e-4c70-a70a-88e7b7aa7768%7D/RuleData -->
		<Name>Audit File Information</Name>
		<IncludedIdList>
			<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{ae40741a-cc96-42b7-9dab-f5ba59adef8a}">
			<Type>Allow</Type>
			<AccessMask>16</AccessMask>
			<Options>16</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
```

3. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

Intune Custom Settings

Create custom intune configuration
1. Navigate to Devices > Configuration profiles
2. Click Create (New Policy)
3. Select Platform "Windows 10 and Later"
4. Select Profile "Templates"
5. Select Template Name "Custom"
6. Click "Create"
7. Under Name, enter a name for the profile
8. Optionally, enter a description
9. Click "Next"

Add a row for Audit File Information
1. Click "Add"
2. For Name, enter Audit File Information
3. Optionally, enter a description
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bb8615f3d-a41e-4c70-a70a-88e7b7aa7768%7D/RuleData
5. For Data type, select String (XML File)
6. For Custom XML, select windows\device\Intune OMA-URI\audit_file_information{b8615f3d-a41e-4c70-a70a-88e7b7aa7768}.xml
7. Click "Save"

Add a row for Any Removable Storage and CD-DVD and WPD Group_0
1. Click "Add"
2. For Name, enter Any Removable Storage and CD-DVD and WPD Group_0
3. Optionally, enter a description
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B9b28fae8-72f7-4267-a1a5-685f747a7146%7D/GroupData
5. For Data type, select String (XML File)
6. For Custom XML, select windows\device\Intune OMA-URI\Any Removable Storage and CD-DVD and WPD Group.xml
7. Click "Save"

Add a row for DeviceControlEnabled
1. Click "Add"
2. For Name, enter DeviceControlEnabled
3. Optionally, enter a description
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
5. For Data type, select Integer
6. For Value, enter 1
7. Click "Save"

Add a row for DefaultEnforcement
1. Click "Add"
2. For Name, enter DefaultEnforcement
3. Optionally, enter a description
4. For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
5. For Data type, select Integer
6. For Value, enter 1
7. Click "Save"

Add a row for DataDuplicationDirectory
1. Click "Add"
2. For Name, enter DataDuplicationDirectory
3. Optionally, enter a description
4. For OMA-URI, enter ./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory
5. For Data type, select String
6. For Value, enter the directory in which to store files locally
7. Click "Save"
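The five custom rows above follow one pattern: each rule or group gets an OMA-URI that embeds its GUID with the braces percent-encoded (%7B ... %7D) and carries the XML as a String (XML File) value, while each setting carries an integer or string value. Below is an added Python example, not code from the sample repository, that derives those rows from the rule and group XML so the GUID in the OMA-URI cannot disagree with the Id attribute in the file, which is the easiest mistake to make when the rows are typed by hand. The XML strings are copied from this page; that the custom XML value is the single PolicyRule or Group element is an assumption.

```python
"""Derive Intune custom-setting (OMA-URI) rows from device control XML.

Added example; not part of the device control sample repository.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# XML copied from the sample on this page.
RULES_XML = """<PolicyRules>
  <PolicyRule Id="{b8615f3d-a41e-4c70-a70a-88e7b7aa7768}">
    <Name>Audit File Information</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <Entry Id="{ae40741a-cc96-42b7-9dab-f5ba59adef8a}">
      <Type>Allow</Type>
      <AccessMask>16</AccessMask>
      <Options>16</Options>
    </Entry>
  </PolicyRule>
</PolicyRules>"""

GROUPS_XML = """<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}" Type="Device">
    <Name>Any Removable Storage and CD-DVD and WPD Group_1</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>"""

# OMA-URI templates and setting rows as given in the deployment instructions
# on this page; DefaultEnforcement 1 corresponds to the "Allow" setting here.
RULE_URI = "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{guid}/RuleData"
GROUP_URI = "./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{guid}/GroupData"
SETTING_ROWS = [
    ("DeviceControlEnabled", "./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled", "Integer", 1),
    ("DefaultEnforcement", "./Vendor/MSFT/Defender/Configuration/DefaultEnforcement", "Integer", 1),
]
DATA_DUP_URI = "./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory"

BRACED_GUID = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


def encode_guid(guid):
    """Percent-encode the braces ({ -> %7B, } -> %7D); hex digits and '-' stay as they are."""
    if not BRACED_GUID.match(guid):
        raise ValueError(f"expected a braced GUID, got {guid!r}")
    return quote(guid, safe="")


def rows_from_xml(xml_text, tag, uri_template):
    """One custom row per <PolicyRule> or <Group>, with the URI built from its Id."""
    rows = []
    for element in ET.fromstring(xml_text).findall(tag):
        rows.append({
            "name": element.findtext("Name"),
            "oma_uri": uri_template.format(guid=encode_guid(element.get("Id"))),
            "data_type": "String (XML File)",
            # Assumption: the custom XML file holds just this one element.
            "value": ET.tostring(element, encoding="unicode").strip(),
        })
    return rows


def build_rows(rules_xml, groups_xml, data_duplication_directory):
    """All custom rows for the profile: rules, groups, then the three settings."""
    rows = rows_from_xml(rules_xml, "PolicyRule", RULE_URI)
    rows += rows_from_xml(groups_xml, "Group", GROUP_URI)
    rows += [{"name": n, "oma_uri": u, "data_type": t, "value": v} for n, u, t, v in SETTING_ROWS]
    rows.append({"name": "DataDuplicationDirectory", "oma_uri": DATA_DUP_URI,
                 "data_type": "String", "value": data_duplication_directory})
    return rows


def uri_matches_id(row):
    """Cross-check for hand-edited rows: the GUID in a rule/group URI must equal the XML Id."""
    found = re.search(r"%7B([0-9a-fA-F-]+)%7D", row["oma_uri"])
    if not found:
        return True  # setting rows carry no GUID
    return ET.fromstring(row["value"]).get("Id") == "{" + found.group(1) + "}"


if __name__ == "__main__":
    for row in build_rows(RULES_XML, GROUPS_XML, "C:\\DeviceControlEvidence"):  # constructed path
        print(f"{row['name']}: {row['oma_uri']} [{row['data_type']}] ok={uri_matches_id(row)}")
```

The uri_matches_id check is the part worth keeping around: a row whose OMA-URI names one GUID while the attached XML declares another is accepted by the portal but never applies to the intended rule or group.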