Blocking USB devices on Windows with an Intune Endpoint Security policy

There are a number of ways to block USB devices using Intune. The following method uses an Endpoint Security Policy.

image

Navigate to https://endpoint.microsoft.com and select Endpoint security from the menu on the left as shown above.

Then select Attack surface reduction from the options that appear on the right as shown above.

image

Select Create policy.

Select Platform as Windows 10 and later as shown.

Select Profile as Device Control as shown.

Select Create in the bottom right.

image

Give the policy a meaningful name and description.

Select Next to continue.

image

Under the System > Device Installation > Device Installation Restrictions heading locate the Prevent installation of removable devices item and set this to Enabled as shown above.

Select Next to continue.

image

Scroll down the list of available settings to locate the Device Control section as shown. To prevent ANY new USB device from installing, ensure this option is set to Not configured.

Select Next to continue.

image

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

image

On the summary screen, expand the Administrative Templates option as shown. In here you should see that Prevent installation of removable devices is set to Enabled.

Select Create.

image

The created policy should now be listed as shown above. Click on it to view.

image

When the policy has been successfully applied to the devices it was assigned to, you should see the device status as shown above.

Select the View report button.

image

You should now see all the devices listed that have this policy applied to them, as shown above.

image

If you now try to plug in an unknown USB storage device you may see the above warning. In other cases you will see no warning, but USB storage devices will be blocked.

Some points to remember:

1. The above policy is only designed for Windows 10 and above.

2. The above policy won't block USB storage devices that have already been used on an endpoint. These need to be removed from Device Manager on the device to be blocked in future.

3. Some USB devices that don't appear as storage devices in fact have a small amount of storage on them (for example, video and projector drivers). These will also be blocked.

4. You can create exceptions to this policy via the device ID if you wish.
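An added endpoint-side check (example code, not part of the original post) for points 2 and 4 above: it confirms the Prevent installation of removable devices setting has actually reached a device, and lists the USB storage devices Windows has already installed, which the policy will not block retroactively. It assumes the Intune setting lands in the standard Group Policy registry location for Device Installation Restrictions, and the allow-list patterns are constructed placeholders.

```powershell
# Added example, not from the original post.
# Assumption: the Intune Administrative Templates setting is written to the
# standard Group Policy registry location for Device Installation Restrictions.
$restrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-RemovableDeviceInstallPolicy {
    if (-not (Test-Path $restrictionsKey)) {
        return [pscustomobject]@{ Applied = $false; Reason = 'Restrictions key not present' }
    }
    $value = (Get-ItemProperty -Path $restrictionsKey -ErrorAction SilentlyContinue).DenyRemovableDevices
    [pscustomobject]@{
        Applied = ($value -eq 1)
        Reason  = "DenyRemovableDevices = '$value'"
    }
}

# USB storage devices this machine has already installed. Their instance IDs
# start with USBSTOR. The policy only stops NEW installations, so anything
# listed here keeps working until it is removed from Device Manager (point 2).
# Without -PresentOnly, Get-PnpDevice also returns devices not currently plugged in.
function Get-KnownUsbStorageDevices {
    Get-PnpDevice -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, Status, InstanceId
}

# Hypothetical allow list of device IDs you have excepted from the policy (point 4).
# The pattern below is a constructed placeholder, not a real device.
$allowedInstanceIds = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_ALLOWED_DRIVE*'
)

$policy = Get-RemovableDeviceInstallPolicy
Write-Host ("Removable device install policy applied: {0} ({1})" -f $policy.Applied, $policy.Reason)

foreach ($dev in Get-KnownUsbStorageDevices) {
    $allowed = $false
    foreach ($pattern in $allowedInstanceIds) {
        if ($dev.InstanceId -like $pattern) { $allowed = $true }
    }
    $tag = if ($allowed) { 'on allow list' } else { 'previously installed, not on allow list' }
    Write-Host ("{0,-40} {1,-8} {2}" -f $dev.FriendlyName, $dev.Status, $tag)
}
```

Run it elevated on a device in the assigned group after the Intune report shows the policy as applied; any device reported as previously installed and not on the allow list is one the policy will not stop.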

Blocking web sites with Defender for Cloud Apps

Link to video = https://www.youtube.com/watch?v=CQOcUrS93FA

Thanks to the integration between the Microsoft Edge browser, Cloud Apps Discovery (which is part of Defender for Cloud Apps) and Defender for Endpoint, you can quickly and easily block most web-based applications. In the example I prevent Facebook access on a Windows 11 device using the Edge browser. It is important to note that this blocking capability currently won't work with third-party browsers; there are other ways of blocking sites in those browsers, but they are not covered in this video.

[CORRECTION] – Please note that in the video I may have indicated that this is possible with Microsoft 365 Business Premium. By default, it is not. Apologies for any confusion I may have caused here.

Enhanced phishing protection in Windows 11 22H2

image

If you have Windows 11 22H2 and you take a look at your Windows Security settings under App & Browser control, you’ll find some new settings in Reputation-based protection as shown above.

You can read about these here:

Enhanced Phishing Protection in Microsoft Defender SmartScreen

If you want to enable these settings using an Intune Device policy you can do so using the Settings Catalog like so:

image

Remember, at the moment, you need Windows 11 22H2 to configure this.

Windows 11 Hyper-V Guest configuration

If you need to create a Windows 11 Hyper-V guest machine, you'll need to ensure:

1. You create it as a Generation 2 machine

image

2. Once you have completed the normal setup process of assigning disks and setting up the machine, make sure you don't power up the machine, but instead go into the Settings for that machine.

image

Select Security and ensure Enable Secure Boot and Enable Trusted Platform Module are checked.

3. Navigate to Processor

image

and ensure the Number of processors is at least 2.

With those basic settings in place you should now be able to install and run a Windows 11 Hyper-V guest.

image
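The same three requirements (Generation 2, Secure Boot plus a virtual TPM, at least 2 processors) scripted with the Hyper-V PowerShell module, as an added example that is not part of the original post. The VM name, disk path, ISO path and sizes are placeholders, and it assumes an elevated shell on a host with the Hyper-V module installed.

```powershell
# Added example, not from the original post. Placeholder names and paths below.
$vmName  = 'Win11-Guest'
$vhdPath = 'C:\VMs\Win11-Guest.vhdx'
$isoPath = 'C:\ISO\Win11.iso'   # path to the Windows 11 installation media

# Step 1: the guest must be a Generation 2 machine.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 64GB | Out-Null

# Step 2: Secure Boot with the Windows template, and a virtual TPM.
# The TPM needs a key protector on the VM before it can be enabled.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Step 3: at least 2 processors.
Set-VMProcessor -VMName $vmName -Count 2

# Attach the install media and boot from it first.
Add-VMDvdDrive -VMName $vmName -Path $isoPath
$dvd = Get-VMDvdDrive -VMName $vmName
Set-VMFirmware -VMName $vmName -FirstBootDevice $dvd

# Verify the three settings before powering the machine on for the first time.
function Test-Win11GuestReady {
    param([string]$Name)
    $vm  = Get-VM -Name $Name
    $fw  = Get-VMFirmware -VMName $Name
    $sec = Get-VMSecurity -VMName $Name
    $cpu = Get-VMProcessor -VMName $Name
    [pscustomobject]@{
        Generation2   = ($vm.Generation -eq 2)
        SecureBoot    = ($fw.SecureBoot -eq 'On')
        TpmEnabled    = $sec.TpmEnabled
        TwoOrMoreCpus = ($cpu.Count -ge 2)
    }
}

Test-Win11GuestReady -Name $vmName
```

If any column of the final output is False, fix it before starting the VM; Windows 11 setup checks these at install time, exactly as the manual steps above do.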

Edge enhanced security

image

A new security option in Microsoft Edge. You'll find it in Settings | Privacy, search and services as shown above. Three levels are available once you enable it (it is disabled by default).

What it does, according to the documentation, is:

Enhanced security in Microsoft Edge helps safeguard against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser.

and more information is found here:

Enhance your security on the web with Microsoft Edge

There is also the option to whitelist certain URLs if required.

So, if you want a bit more security when using Edge, turn it on! I have.


Cloud file productivity using Windows Quick Access

Here’s a productivity tip I use to make navigating cloud file location easier on Windows 10 desktops.

image

After having set up any synced locations, like my OneDrive, SharePoint, Teams, etc., I then locate a frequently used folder in a cloud location. Here that folder is Customers on my OneDrive for Business. I then right-click on that folder and select the option Pin to Quick access as shown above.

image

You should then see that folder in the Quick access area in the top left of Windows Explorer as shown above.

image

Now, if I want to attach a file from that location to an email, I can simply browse to a location (web or local doesn't really matter), because whenever you get Windows Explorer you also get your Quick access,

image

from which you navigate to the file you need via Quick access in the top left of Windows Explorer. Quick and easy.

image

Because Windows wants to be ‘helpful’ and add recent locations to Quick access by default, I want to disable that so this area doesn’t become cluttered. I want Quick access just to contain the stuff I put in there, nothing else.

To achieve this, I go into the properties of Windows Explorer and in the General tab, under Privacy, I uncheck both options (Show recently used files in Quick access and Show frequently used folders in Quick access) as shown above.

I like to keep my Quick access as small as possible and therefore remove anything that isn't relevant to my day-to-day work (i.e. the shortcuts to stuff like Media and Movies).

I haven't seen many people use Quick access on Windows desktops, but I find that once you set it up it is invaluable, as it pops up any time you need to work with files. You can also add, remove and edit it over time to customise it to your exact needs. For example, if I'm working on a project, I add that location for as long as I'm working on that project. This makes access very fast and easy.

Hopefully, this productivity approach may also help you when working with files from the cloud.

Teams on the web failing to login

image

I recently had an issue accessing Microsoft Teams using a web browser even after logging into Microsoft 365. I could get to just about everything else but Teams, which always threw up a login dialog as shown above.

The issue turned out to be the time on the local device, which for some reason hadn't updated after a change to daylight savings time. Thus, the local device (Windows 11) was one hour ahead. After correcting this so the workstation had the right time, everything worked as expected.

Hopefully, this helps someone else who is searching for this strange one.