Using Intune and Azure Automation to protect USB Access

Introduction

USB devices and external media continues to pose a very real and immediate threat to businesses around the world, introducing a potential attack vector for malicious files from keyloggers to ransomware. Whilst it’s easy to say to disable USB media entirely, sometimes it is not possible to do so - particularly where external media is used by your suppliers or vendors to share media in an encrypted format.

With this in mind, we can instead leverage tools such as Intune and Azure Automation to lock down external media with a temporary override instead. In this post, I will detail how you can lock down USB access in your organization, whilst allowing a temporary override group, and automatically clear down the override on an Azure Automation schedule.

Creating the lock-down policy

First, we need to create our default deny policy which will be used to deny all access to external media. This will become the standard policy, and we will override this with our temporary group.

To do this, in https://intune.microsoft.com/ we will go to Endpoint Security > Attack Surface Reduction. Create a new policy, in my lab I will name this PROD | DEFAULT Block USB Drives since this is the default state for my use case.

Under the configuration settings, select Device Control > Block Removable Storage (set to YES). This will be assigned to All Users - It is important here that we exclude a temporary allow group (In my case, this is called SEC-USBTempAllow) as these users should be allowed to access USBs.

With the exclusion group in place, we need a second policy which will cover these users. Therefore, create another policy called USB Temp Allow. In this one, we configure the settings as follows:

Administrative Templates

System > Removable Storage Access
WPD Devices: Deny read access | Disabled
WPD Devices: Deny read access (User) | Disabled
WPD Devices: Deny write access | Disabled
WPD Devices: Deny write access (User) | Disabled

This will be assigned to our Temp Allow group - I have named mine SEC-USBTempAllow.

Force Bitlocker for the Temporarily Accessed USB Storage Devices

Finally, under Devices > Windows > Configuration Profiles we will create a policy to force Bitlocker on all removable media that our users write to. To do this, create a new profile - I have called mine Bitlocker Go Encryption.

The configuration settings will be Windows Encryption

Write access to removable data-drive not protected by BitLocker : Block
Write access to devices configured in another organization : Block

The assignment for this policy will be SEC-USBTempAllow, meaning that when a user is allowed access to USBs it will also force Bitlocker requirement.

Then, we need to create our group that is always allowed access to USBs. This may be because these users are often creating media or reviewing media that comes in from a third party. In our case, we have named this group SEC-USB-MediaOperators and I have assigned an access review to this group as follows:

Access Review

Name: USB Media Operators | Monthly Review
Resource: SEC-USB-MediaOperators
Recurrence: Monthly

This group is then nested into SEC-USBTempAllow so that they pick up the policies for USB allowance and for Bitlocker enforcement.

I advise that you use an access review and restrict who can amend this group, as this access should be kept as minimal as possible in line with the principle of least-privilege.

Azure Automation

Finally, we make all of this possible by leveraging an Azure Automation which automatically clears down the SEC-USBTempAllow group. To do this, navigate to https://portal.azure.com/ and search for Automation Accounts. Our automation accounts follow a specific naming sequence, but you can name yours as you wish.

We will create a new Runbook under this account (again, named as you see fit) and enter the below code:

    # Ensures you do not inherit an AzContext in your runbook
    Disable-AzContextAutosave -Scope Process

    # Connect to Azure with system-assigned managed identity
    $AzureContext = (Connect-AzAccount -Identity).context
    #write-output "set and store azure-context"
    
    $GroupID = "Your USB Temp Allow Group ObjectID goes here"
    $GroupToClean = (Get-AzADGroupMember -GroupObjectId $GroupID)
    ForEach($Member in $GroupToClean)
        {
            $Member_ID = $Member.Id
            if ($Member_ID -ne "Your USB Media Operators Group ObjectID goes here") {
            Remove-AzADGroupMember -MemberObjectId $Member_ID -GroupObjectId $GroupID
            write-output "User: $($Member.displayName) removed from group"
        }
        #Nobody to remove
        Exit 1
        }

Azure Automation for the USB Temp Allow group cleardown on schedule.

You can schedule this as you like. We run ours every Friday to ensure that the group is cleared down weekly.

And that’s it! You have created a USB lockdown policy with enforced Bitlocker and an automated script which will clear out your temporary group as per your Automation schedule.

If you have any queries or feedback, please join our discussion on the forums!