Windows Defender ATP now offers protection for USB and removable devices

When it comes to threats and data protection involving removable devices, Microsoft seems to have a solution in the name – Windows Defender Advanced Threat Protection (ATP). The company says that Windows Advanced ATP now offers complete protection for USB and removable devices against threats and data loss.

Removable devices like USB flash drives have long been used to spread malware and virus. While there are antivirus solutions that scan drives before they can be used, comprehensive protection is still what everybody wants. You never know what an external device carrying a targeted malware can do to a company network.

Data security is another teething issue with USB flash drives as you have no control over them once they are unplugged. Especially for Enterprises where employees carry sensitive information like client data on flash drives that are often lost or misused by competitor/hacker.

As Windows Defender ATP Team mentions on the company cloud blog, Windows Defender ATP prevent threats and data loss by,

  • Reducing your attack surface area blocking an individual or group of users or machines from using all, specific, or only certain removable devices.
  • Enabling threat protection technologies such as
  • Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware
  • The Exploit Guard Attack surface reduction rule that blocks untrusted and unsigned processes that run from USB
  • Kernel DMA Protection for Thunderbolt to block Direct Memory Access (DMA) until the user logs-on
  • Enabling data loss prevention technologies, such as BitLocker and Windows Information Protection.
  • Detecting plug-and-play connected events with advanced hunting to identify suspicious usage or perform internal investigations and create custom alerts using the custom detection rule feature in Windows Defender ATP.

Windows Defender ATP prevents unauthorized data access in removable devices

Since it is impossible to control people who plug in devices with unknown history, you can instead prevent any removable device from being seen and interacted with by blocking users from using any removable device on the machine. To further refine this feature, you can block only certain, defined external devices from being used on certain machines or by certain users.

With BitLocker, you can prevent others to access the data that went along with your lost or stolen USB flash drive. When you attempt to plug in a device that has been encrypted with BitLocker, any files added to the device are automatically encrypted. So, now if someone tries to access those files on that removable drive by plugging it into another, untrusted computer, they will be prompted to decrypt the removable drive. They won’t be able to do this without a recovery key, password, or smart card, which only company employees have.

With Windows Information Protection, users are prevented from copying sensitive information, and from running files that belong to unknown or untrusted apps. This means users that try to copy sensitive or confidential-marked materials will be prevented from doing so and will be notified depending on the level of enforcement.

Windows Defender ATP USB

With Windows Defender ATP, it can also become a bit complicated to know which actual devices you should block, and when and what users to prevent using removable devices. Microsoft says that you can deploy the protections in specific Active Directory or Intune groups to restrict the controls to certain groups.

For more details and support information, visit Windows Defender ATP team blog here.

Posted by with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.