
Removable Media (Device Control)

CMMC Control Mapping Matrix

To satisfy NIST SP 800-171 3.8.1 (media protection) and 3.8.7 (control of removable media) while still giving the SOC visibility into blocked access, we replace the all-or-nothing Administrative Template removable-storage blocks with a granular, XML-based Device Control policy. This is a two-part setup: a Reusable Setting that defines the approved hardware group (the whitelist), and a Device Control profile under Attack Surface Reduction that carries the block and audit rules and references that group.

Step 1: Create the Reusable Setting (The Whitelist)

  1. In the Intune Admin Center, navigate to Endpoint Security > Attack Surface Reduction.
  2. Click the Reusable settings tab at the top.
  3. Click Add.
  4. Name the setting Custom - Device Control - Approved SanDisk USBs.
  5. Under Configuration settings, click Add and paste the approved hardware XML, which identifies the sanctioned drives by USB Vendor ID and Product ID (VID_PID), as detailed in the main architecture chapter.
  6. Save the reusable setting.

Step 2: Create the Device Control Profile

  1. Return to the Summary tab of Attack Surface Reduction and click Create Profile.
  2. Select Platform: Windows 10, later, and Windows Copilot+ PCs.
  3. Select Profile: Device Control, then click Create.
  4. Name the profile Win - Custom - ES - Device Control (Block & Audit).
  5. In the Configuration settings step, locate the Device Control setting and upload the Policy Rule XML (the file whose Deny entry blocks writes and whose AuditDenied entry raises the event the SOC collects).
  6. Under the Included ID List / Excluded ID List section of the UI, click Select reusable settings. The Included ID List holds the group the rule applies to (removable storage in general); link the Approved SanDisk USBs group from Step 1 under the Excluded ID List so that approved drives are exempt from the Deny entry rather than blocked by it.
  7. Click Review + save and assign to your deployment rings. Before widening the assignment, confirm on a pilot device that an unapproved USB is denied writes and that the resulting audit event actually reaches the SOC.
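The two XML files the steps above refer to live in the architecture chapter, not on this page. The following is an added example, not the author's files or Microsoft's tooling: it builds a constructed groups file and rules file in the Defender Device Control schema (an all-removable-storage group, an approved VID_PID group, and one rule with a Deny entry and an AuditDenied entry) and runs the pre-upload checks a practitioner wants before pasting them into Intune: every GroupId the rule references exists, the whitelist is linked as an exclusion, the Deny mask covers both write bits, and every denied access is also audited with the send-event option so the SOC alert described in Step 2 will fire. The GUIDs, the rule and entry names, and the SanDisk product ID 5583 are placeholders assumed for illustration; vendor ID 0781 is SanDisk's.

```python
"""Pre-upload validator for a Defender Device Control policy pair (Groups + Rules).

Added example. The XML below is constructed to illustrate the schema; the GUIDs
and the PID half of the VID_PID are assumed placeholders, not the author's values.
"""
import xml.etree.ElementTree as ET
from typing import List

# AccessMask bits from the Device Control schema.
DISK_READ, DISK_WRITE, DISK_EXECUTE = 1, 2, 4
FILE_READ, FILE_WRITE, FILE_EXECUTE = 8, 16, 32
WRITE_BITS = DISK_WRITE | FILE_WRITE   # 18: what a "block writes" rule must cover
AUDIT_SEND_EVENT = 1                   # Options bit on AuditDenied that emits the Windows event

# Constructed identifiers (placeholders, not real deployment GUIDs).
ALL_REMOVABLE = "{d4e0f2c1-0000-4000-8000-000000000001}"
APPROVED_SANDISK = "{d4e0f2c1-0000-4000-8000-000000000002}"
RULE_ID = "{d4e0f2c1-0000-4000-8000-000000000010}"
ENTRY_DENY = "{d4e0f2c1-0000-4000-8000-000000000011}"
ENTRY_AUDIT = "{d4e0f2c1-0000-4000-8000-000000000012}"

# Reusable setting side: the hardware groups. VID 0781 is SanDisk; PID 5583 is assumed.
GROUPS_XML = f"""<Groups>
  <Group Id="{ALL_REMOVABLE}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="{APPROVED_SANDISK}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <VID_PID>0781_5583</VID_PID>
    </DescriptorIdList>
  </Group>
</Groups>"""

# Profile side: block writes to any removable storage except the approved group, and audit the denials.
RULES_XML = f"""<PolicyRules>
  <PolicyRule Id="{RULE_ID}">
    <Name>Win - Custom - ES - Device Control (Block &amp; Audit)</Name>
    <IncludedIdList>
      <GroupId>{ALL_REMOVABLE}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>{APPROVED_SANDISK}</GroupId>
    </ExcludedIdList>
    <Entry Id="{ENTRY_DENY}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>{WRITE_BITS}</AccessMask>
    </Entry>
    <Entry Id="{ENTRY_AUDIT}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>{WRITE_BITS}</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>"""


def _mask(entry: ET.Element) -> int:
    return int(entry.findtext("AccessMask", "0"))


def validate_policy(groups_xml: str, rules_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is safe to upload."""
    findings: List[str] = []
    groups = {g.get("Id") for g in ET.fromstring(groups_xml).iter("Group")}
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        name = rule.findtext("Name", rule.get("Id"))
        # 1. Every group the rule references must exist in the reusable setting.
        for list_tag in ("IncludedIdList", "ExcludedIdList"):
            for gid in rule.iterfind(f"{list_tag}/GroupId"):
                if gid.text not in groups:
                    findings.append(f"{name}: {list_tag} references unknown group {gid.text}")
        # 2. The whitelist must be linked as an exclusion, or approved drives get blocked too.
        if rule.find("ExcludedIdList/GroupId") is None:
            findings.append(f"{name}: no ExcludedIdList, approved hardware would be blocked as well")
        # 3. The Deny entries together must cover both write bits.
        denied = 0
        for e in rule.iter("Entry"):
            if e.findtext("Type") == "Deny":
                denied |= _mask(e)
        if denied & WRITE_BITS != WRITE_BITS:
            findings.append(f"{name}: Deny mask {denied} does not cover both write bits ({WRITE_BITS})")
        # 4. Everything denied must also be audited with the send-event option, or the SOC sees nothing.
        audited = 0
        for e in rule.iter("Entry"):
            if e.findtext("Type") == "AuditDenied" and int(e.findtext("Options", "0")) & AUDIT_SEND_EVENT:
                audited |= _mask(e)
        if denied & ~audited:
            findings.append(f"{name}: denied access mask {denied & ~audited} is not audited with send-event")
    return findings


if __name__ == "__main__":
    for finding in validate_policy(GROUPS_XML, RULES_XML) or ["OK: policy pair is consistent"]:
        print(finding)
```

Run the script before uploading, or point `validate_policy` at your real files; a single `Options` change on the AuditDenied entry (3 to 2, notification only) is enough to silence the SOC while the block still works, which is exactly the drift this check catches.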
