Intune - Block mounting of ISO files

This short article was actually written last year but never published, because in November Microsoft started applying Mark of the Web to virtual disk formats, including ISO files. At the time, I didn't feel it was necessary anymore...

But this week, there's been a renewed interest in this thanks to The DFIR Report's article detailing a compromise from September, prior to the patches being released. I was a little confused when Justin shared this because I jumped straight to the summary... so I assumed there was some bypass that wasn't detailed :-/

Since it may still be relevant for someone out there (though not entirely necessary anymore), I've decided to go ahead and publish it anyway.

In case you missed it last year, Rob Fuller did some great research on ways to prevent ISO files from being mounted, and I thought it might be helpful to show the various ways we can do this using Intune :)

Blocking ISO mounting
**Update: 10/**

**Update: 9/6/2022:** First, I corrected the misspelling of ProgrammaticAccessOnly - thanks Josh! Second, I added SCSI\CdRomMsft____Virtual_DVD-ROM_ into the blog post to make it easier to copy/paste. Finally, if you are following the below process of blocking ISOs using the SCSI\CdRomMsft__…

Rob mentioned using Group Policy, and we can use an Administrative Templates profile in Intune with the same Device Installation Restrictions controls. Alternatively, we can use the Settings Catalog, or a Device Control profile under Endpoint security - Attack surface reduction.

Here are some screenshots to hopefully help folks see where / how we would implement these policies. Whichever profile type you pick, the value we use in the policy is the hardware ID of the virtual DVD-ROM device that Windows creates when an ISO is mounted:

SCSI\CdRomMsft____Virtual_DVD-ROM_

Administrative Templates profile

Settings Catalog

Device Control profile
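Once the profile has synced, it is worth confirming on an endpoint that the restriction actually landed and that a mount really fails. The PowerShell below is an added example for that check and is not code from the original post or from Rob's research. It assumes the Intune profile writes the same registry keys the Group Policy setting does (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions), and the ISO path C:\Temp\test.iso is a hypothetical stand-in for a harmless ISO you created yourself. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Verifies on an Intune-enrolled
# endpoint that the virtual DVD-ROM device-installation block is in place, then
# proves it by attempting a mount.
# Assumptions: the policy lands in the GPO-style DeviceInstall\Restrictions keys,
# and C:\Temp\test.iso is a hypothetical, trusted ISO you made yourself.

$HardwareId = 'SCSI\CdRomMsft____Virtual_DVD-ROM_'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-IsoBlockPolicy {
    # $true only if the deny list is enabled AND it contains the virtual DVD-ROM ID.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $root = Get-ItemProperty -Path $PolicyKey
    if ($root.DenyDeviceIDs -ne 1) { return $false }

    $listKey = Join-Path $PolicyKey 'DenyDeviceIDs'
    if (-not (Test-Path $listKey)) { return $false }
    # Entries are REG_SZ values named 1, 2, 3 ... each holding one device ID.
    $ids = (Get-ItemProperty -Path $listKey).PSObject.Properties |
           Where-Object { $_.Name -match '^\d+$' } |
           ForEach-Object { $_.Value }
    return [bool]($ids -contains $HardwareId)
}

function Test-IsoBlockRetroactive {
    # Mirrors the "also apply to matching devices that are already installed" box;
    # without it, a virtual DVD-ROM installed before the policy keeps working.
    $root = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($root.DenyDeviceIDsRetroactive -eq 1)
}

function Test-IsoMountBlocked {
    param([Parameter(Mandatory)][string]$IsoPath)
    # A blocked device install may make Mount-DiskImage throw, or may leave the
    # image unattached (assumption: behaviour varies by build), so both count
    # as "blocked".
    try {
        Mount-DiskImage -ImagePath $IsoPath -ErrorAction Stop | Out-Null
    } catch {
        Write-Verbose "Mount failed: $($_.Exception.Message)"
        return $true
    }
    $attached = (Get-DiskImage -ImagePath $IsoPath).Attached
    if ($attached) {
        # Policy is not effective: tidy up and report it.
        Dismount-DiskImage -ImagePath $IsoPath | Out-Null
        return $false
    }
    return $true
}

function Get-VirtualDvdDevices {
    # Lists virtual DVD-ROM devices Windows knows about with their PnP status.
    # After a successful (retroactive) block they should be absent or in error.
    Get-PnpDevice -Class CDROM -ErrorAction SilentlyContinue |
        Where-Object { $_.HardwareID -contains $HardwareId } |
        Select-Object InstanceId, Status, Problem
}

# --- Report ------------------------------------------------------------------
$IsoPath = 'C:\Temp\test.iso'   # hypothetical path; point it at any ISO you trust
[pscustomobject]@{
    DenyListContainsId = Test-IsoBlockPolicy
    AppliesRetroactive = Test-IsoBlockRetroactive
    MountBlocked       = $(if (Test-Path $IsoPath) { Test-IsoMountBlocked $IsoPath } else { 'no test ISO' })
    VirtualDvdDevices  = @(Get-VirtualDvdDevices)
} | Format-List
```

If DenyListContainsId is $true but MountBlocked is $false, the usual cause is the retroactive flag: a virtual DVD-ROM that was already installed on the machine before the policy arrived is not removed unless "apply to matching devices that are already installed" is set, so check AppliesRetroactive and the VirtualDvdDevices list before assuming a bypass.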