Microsoft Defender for Endpoint Device Control frequently asked questions
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
This article provides answers to frequently asked questions about device control removable storage capabilities in Microsoft Defender for Endpoint.
How do I generate a GUID for Group ID/PolicyRule ID/Entry ID?
You can generate a GUID with an online generator or by using PowerShell. For more information, see How to generate GUID through PowerShell.
What are the removable storage media and policy limitations?
The backend call is made through OMA-URI (GET to read or PATCH to update), either from Intune or through the Microsoft Graph API. The limit is the same as for any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
Why doesn't the policy work?
The most common reason is that the required anti-malware client version isn't installed.
Another reason could be that the XML file isn't correctly formatted. For example, the "&" character might not be escaped correctly in the XML file, or the text editor might add a byte order mark (BOM), 0xEF 0xBB 0xBF, at the beginning of the file, which causes XML parsing to fail. One simple solution is to download the sample file (select Raw and then Save as), and then update it.
If you're deploying and managing the policy by using Group Policy, make sure to combine all policy rules into one XML file within a parent node called PolicyRules. Also, combine all groups into one XML file within a parent node called Groups. If you're managing devices with Intune, keep separate XML files for each group and policy when deploying as Custom OMA-URI.
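The following PowerShell script is an added example, not code from Microsoft or from this article. It builds the single PolicyRules and Groups files that Group Policy deployment expects from per-rule and per-group fragments, generates the GUIDs with [guid]::NewGuid() as the first question recommends, strips a UTF-8 BOM if an editor left one, rejects a fragment with an unescaped "&", and writes the result as UTF-8 without a BOM. The working folder, file names, and the sample group and rule are constructed for the demo; the fragment layout follows the documented Group and PolicyRule schema.

```powershell
# Added example (not Microsoft's code). Folder and file names are assumptions.
$work = Join-Path $env:TEMP 'device-control-merge-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Generate the Group/PolicyRule/Entry GUIDs in PowerShell; 'B' format gives {xxxxxxxx-...}.
$groupId = [guid]::NewGuid().ToString('B')
$ruleId  = [guid]::NewGuid().ToString('B')
$entryId = [guid]::NewGuid().ToString('B')

$groupXml = @"
<Group Id="$groupId" Type="Device">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <PrimaryId>RemovableMediaDevices</PrimaryId>
  </DescriptorIdList>
</Group>
"@

# "&" must be written as &amp; in XML; a bare "&" makes the whole file unparsable.
$ruleXml = @"
<PolicyRule Id="$ruleId">
  <Name>Block removable media (R&amp;D excluded)</Name>
  <IncludedIdList>
    <GroupId>$groupId</GroupId>
  </IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="$entryId">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>63</AccessMask>
  </Entry>
</PolicyRule>
"@

# Constructed inputs: the rule is deliberately saved WITH a BOM, as some editors
# do, so the merge step has something to detect and remove.
$withBom    = New-Object System.Text.UTF8Encoding($true)
$withoutBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText((Join-Path $work 'group-removable.xml'), $groupXml, $withoutBom)
[System.IO.File]::WriteAllText((Join-Path $work 'rule-block-removable.xml'), $ruleXml, $withBom)

function Merge-DeviceControlFragments {
    param(
        [Parameter(Mandatory)] [string[]] $FragmentPath,
        [Parameter(Mandatory)] [ValidateSet('PolicyRules', 'Groups')] [string] $RootElement,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    $merged = New-Object System.Xml.XmlDocument
    $root   = $merged.AppendChild($merged.CreateElement($RootElement))

    foreach ($path in $FragmentPath) {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
        # A BOM survives GetString as U+FEFF and would break LoadXml ("Data at the root level is invalid").
        if ($text.Length -gt 0 -and $text[0] -eq [char]0xFEFF) {
            Write-Warning "$path starts with a UTF-8 BOM (EF BB BF); stripping it"
            $text = $text.Substring(1)
        }
        $fragment = New-Object System.Xml.XmlDocument
        $fragment.LoadXml($text)   # throws on malformed XML, e.g. an unescaped "&"
        [void]$root.AppendChild($merged.ImportNode($fragment.DocumentElement, $true))
    }

    # Save as UTF-8 without BOM so the device control parser accepts the file.
    $writer = New-Object System.IO.StreamWriter($OutputPath, $false, $withoutBom)
    try { $merged.Save($writer) } finally { $writer.Dispose() }
    return $OutputPath
}

function Test-DeviceControlXml {
    # Checks the finished file for the two FAQ problems: a BOM, and XML that isn't well-formed.
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $ExpectedRoot)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return "FAIL $Path : starts with a UTF-8 BOM"
    }
    try   { $doc = [xml][System.Text.Encoding]::UTF8.GetString($bytes) }
    catch { return "FAIL $Path : not well-formed XML ($($_.Exception.Message))" }
    if ($doc.DocumentElement.LocalName -ne $ExpectedRoot) {
        return "FAIL $Path : root is <$($doc.DocumentElement.LocalName)>, expected <$ExpectedRoot>"
    }
    return "OK   $Path : <$ExpectedRoot> with $($doc.DocumentElement.ChildNodes.Count) child element(s)"
}

$groupsFile = Merge-DeviceControlFragments -FragmentPath (Get-ChildItem $work -Filter 'group-*.xml').FullName -RootElement Groups -OutputPath (Join-Path $work 'Groups.xml')
$rulesFile  = Merge-DeviceControlFragments -FragmentPath (Get-ChildItem $work -Filter 'rule-*.xml').FullName  -RootElement PolicyRules -OutputPath (Join-Path $work 'PolicyRules.xml')
Test-DeviceControlXml -Path $groupsFile -ExpectedRoot Groups
Test-DeviceControlXml -Path $rulesFile  -ExpectedRoot PolicyRules

# A fragment with a bare "&" is the "not correctly formatted" case: the merge rejects it.
$badXml = '<PolicyRule Id="' + [guid]::NewGuid().ToString('B') + '"><Name>R&D</Name></PolicyRule>'
[System.IO.File]::WriteAllText((Join-Path $work 'broken-rule.xml'), $badXml, $withoutBom)
try   { Merge-DeviceControlFragments -FragmentPath (Join-Path $work 'broken-rule.xml') -RootElement PolicyRules -OutputPath (Join-Path $work 'broken.xml') | Out-Null }
catch { Write-Host "Rejected broken-rule.xml: $($_.Exception.Message)" }
```

For an Intune deployment you would skip the merge and instead run Test-DeviceControlXml against each individual Group and PolicyRule file, passing Group or PolicyRule as the expected root, since each file is pushed as its own Custom OMA-URI value.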
The device (machine) should have a valid certificate. Run the following command on the machine to check:
Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe
If the policy still isn't working, contact support and share your support cab file. To get that file, open Command Prompt as an administrator and run the following command:
"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles
Why is there no configuration UX for some policy groups?
There is no configuration UX for Define device control policy groups and Define device control policy rules in your Group Policy. But you can still get the related .adml and .admx files by selecting Raw and Save as on the WindowsDefender.adml and WindowsDefender.admx files.
How do I confirm that the latest policy has been deployed to the target machine?
You can run the PowerShell cmdlet Get-MpComputerStatus as an administrator. The following value will show whether the latest policy has been applied to the target machine.
How can I know which machines in the organization are using an out-of-date anti-malware client version?
You can use the following query in the Microsoft 365 security portal to get the anti-malware client version:
//check the anti-malware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
// the platform version is the folder directly under \Platform\, i.e. path segment 5
|extend PlatformVersion=tostring(split(FolderPath, "\\")[5])
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc
How do I find the media property in the Device Manager?
Plug in the media.
Open Device Manager.
Locate the media in the Device Manager, right-click, and then select Properties.
Open Details, and then select Properties.
Another way is to deploy an Audit policy to the organization and review the events in advanced hunting or in the device control report.
How do I find the SID for a Microsoft Entra group?
Unlike Active Directory groups, a Microsoft Entra group is identified by its Object ID in place of a SID. You can find the Object ID in the Azure portal.
Why is my printer blocked in my organization?
The Default Enforcement setting applies to all device control components, which means that if you set it to Deny, it blocks all printers as well. You can either create a custom policy to explicitly allow printers, or you can replace the Default Enforcement policy with a custom policy.
Why isn't creating a folder blocked by File system level access?
Creating an empty folder isn't blocked even if File system level access is configured with Write access set to Deny. Writing any non-empty file is blocked.
Why is my USB still blocked with an allow-read policy?
Some specific USB devices require more than Read access. The following list shows some examples:
- Some Kingston encrypted USB drives require Execute access to their CD-ROM partition before Read access works.
- Some WD My Passport USB drives require Disk level Write access for Read access. In this case, if you want to deny Write access, use File system level access instead.
The best way to understand this is to check the event in advanced hunting, which clearly shows which accessMask is required.
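The following PowerShell is an added example, not code from Microsoft or from this article. It decodes a device control AccessMask into named rights and reports which rights an Allow entry is missing compared with the mask a device actually requested, which is the comparison you make after reading the accessMask from the advanced hunting event. The bit values come from the device control policy XML reference rather than from this page, and the two sample masks are constructed to mirror the Kingston (Read plus Execute) and WD My Passport (Read plus Write) cases above.

```powershell
# Added example (not Microsoft's code). Bit values are those documented for the
# device control AccessMask element; sample masks below are constructed.
$AccessMaskBits = @(
    @{ Bit = 1;  Name = 'Disk Read' },
    @{ Bit = 2;  Name = 'Disk Write' },
    @{ Bit = 4;  Name = 'Disk Execute' },
    @{ Bit = 8;  Name = 'File system Read' },
    @{ Bit = 16; Name = 'File system Write' },
    @{ Bit = 32; Name = 'File system Execute' },
    @{ Bit = 64; Name = 'Print' }
)

function ConvertFrom-AccessMask {
    # Turns a numeric mask (as shown in the hunting event or the policy XML) into right names.
    param([Parameter(Mandatory)] [int] $Mask)
    $names = $AccessMaskBits | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
    if (-not $names) { return 'None' }
    return ($names -join ', ')
}

function Get-MissingAccess {
    # Compares what the device requested with what the Allow entry grants;
    # any requested bit not in the allowed mask is why the access was blocked.
    param(
        [Parameter(Mandatory)] [int] $RequestedMask,
        [Parameter(Mandatory)] [int] $AllowedMask
    )
    $missing = $RequestedMask -band (-bnot $AllowedMask)
    [pscustomobject]@{
        Requested   = ConvertFrom-AccessMask $RequestedMask
        Allowed     = ConvertFrom-AccessMask $AllowedMask
        Missing     = ConvertFrom-AccessMask $missing
        MissingMask = $missing
    }
}

# Constructed scenario: the policy's Allow entry grants Disk Read only (mask 1).
$allowReadOnly = 1

# Kingston-style device: asks for Disk Read + Disk Execute (1 + 4 = 5).
$kingston = Get-MissingAccess -RequestedMask 5 -AllowedMask $allowReadOnly
# WD My Passport-style device: asks for Disk Read + Disk Write (1 + 2 = 3).
$wd = Get-MissingAccess -RequestedMask 3 -AllowedMask $allowReadOnly

# For the WD case the FAQ's answer is to allow disk-level Read + Write (3) and move
# the deny to file system level, so the write restriction becomes a separate
# Deny entry with File system Write (16); that allow now leaves nothing missing.
$wdFixed = Get-MissingAccess -RequestedMask 3 -AllowedMask 3

@($kingston, $wd, $wdFixed) | Format-Table -AutoSize
```

Read RequestedMask from the blocked event's accessMask field in advanced hunting and AllowedMask from the AccessMask of the Allow entry in your PolicyRule; the Missing column then names exactly the right the device needs, and MissingMask is the number to add to the entry if you decide to grant it.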
Can I use both Group Policy and Intune deploy policies?
You can use Group Policy and Intune to manage device control, but for one machine, use either Group Policy or Intune. If a machine is covered by both, device control will only apply the Group Policy setting.
Is device control available in Microsoft Defender for Business?
Yes, for Windows and Mac.
To set up device control on Windows, use attack surface reduction rules in Defender for Business. You'll need Microsoft Intune. The standalone version of Defender for Business does not include Intune, but it can be added on. Microsoft 365 Business Premium does include Intune. See Microsoft Defender for Endpoint Device Control Removable Storage Access Control.
To set up device control on Mac, use Intune or Jamf. See Device Control for macOS.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.