Deploy and manage Device Control manually


The Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, and lets you manage iOS and portable devices and Bluetooth media, with or without exclusions.

Licensing requirements

Before you get started with Removable Storage Access Control, you must confirm your Microsoft 365 subscription. To access and use Removable Storage Access Control, you must have Microsoft 365 E3.


This article contains information about third-party tools. This information is provided to help complete integration scenarios; however, Microsoft does not provide troubleshooting support for third-party tools. Contact the third-party vendor for support.

Deploy policy manually

This method is recommended for preproduction environments only. It's available starting with version 101.23082.0018. You can create a policy JSON file and try it on a single machine before deploying it via MDM to all users. Microsoft recommends using MDM for production environments.

You can set a policy manually only if it wasn't already set via MDM (as a managed configuration).

Step 1: Create policy JSON

Now that you have groups, rules, and settings, combine them into one JSON file. Here's the demo file: deny_removable_media_except_kingston.json in the microsoft/mdatp-devicecontrol repository (main branch). Make sure to validate your policy against the JSON schema, device_control_policy_schema.json in the same repository, so your policy format is correct.

See Device Control for macOS for information about settings, rules, and groups.

Step 2: Apply policy

Use mdatp config device-control policy set --path <full-path-to-policy.json> to apply the policy. You can then try protected operations, or use the usual mdatp device-control commands to inspect the effective policy:

> mdatp device-control policy preferences list
|-o UX
| |-o Navigation Target: ""
|-o Features
| |-o Removable Media
|   |-o Disable: false
|-o Global
  |-o Default Enforcement: "allow"

You can edit your policy file, reapply it, and see changes immediately.

Step 3: Undo your changes

To clear the policy, use mdatp config device-control policy reset.
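The three steps above as one script, added here as an example that is not part of the Microsoft page or the mdatp-devicecontrol repository. It runs a pre-flight check on the policy (top-level keys present, every group referenced by a rule exists, every rule has entries) before calling the mdatp set and reset commands shown above. The policy layout (groups, rules with includeGroups/excludeGroups, settings) is assumed from the Device Control for macOS documentation; the sample policy and its ids are constructed.

```python
"""Pre-flight a macOS Device Control policy JSON, then apply or reset it with mdatp."""
import json
import subprocess
import sys

# Constructed sample policy (assumed layout): deny all access to removable media,
# allow everything else by default.
SAMPLE_POLICY = {
    "groups": [{"$type": "device", "id": "3f082cd3-f701-4c21-9a6a-ed115c28bb0a",
                "name": "All Removable Media Devices",
                "query": {"$type": "all",
                          "clauses": [{"$type": "primaryId", "value": "removable_media_devices"}]}}],
    "rules": [{"id": "772cef80-229f-48b4-bd17-a69130092981", "name": "Deny removable media",
               "includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28bb0a"], "excludeGroups": [],
               "entries": [{"$type": "removableMedia", "id": "a7cee2f8-ce34-4b34-9cfe-e50a7dddf11f",
                            "enforcement": {"$type": "deny"}, "access": ["read", "write", "execute"]}]}],
    "settings": {"features": {"removableMedia": {"disable": False}},
                 "global": {"defaultEnforcement": "allow"}},
}

def check_policy(policy: dict) -> list:
    """Return a list of problems found; an empty list means the pre-flight check passed."""
    problems = []
    for key in ("groups", "rules", "settings"):
        if key not in policy:
            problems.append(f"missing top-level key: {key}")
    groups = policy.get("groups", [])
    group_ids = {g.get("id") for g in groups}
    if None in group_ids or len(group_ids) != len(groups):
        problems.append("duplicate or missing group ids")
    for rule in policy.get("rules", []):
        # A rule that points at a group id not defined in this file silently matches nothing.
        for ref in rule.get("includeGroups", []) + rule.get("excludeGroups", []):
            if ref not in group_ids:
                problems.append(f"rule {rule.get('id')} references unknown group {ref}")
        if not rule.get("entries"):
            problems.append(f"rule {rule.get('id')} has no entries")
    return problems

def mdatp_policy_set(path: str) -> int:
    """Step 2 from the page: apply the policy file. Returns the mdatp exit code."""
    return subprocess.run(["mdatp", "config", "device-control", "policy", "set", "--path", path]).returncode

def mdatp_policy_reset() -> int:
    """Step 3 from the page: clear the manually set policy. Returns the mdatp exit code."""
    return subprocess.run(["mdatp", "config", "device-control", "policy", "reset"]).returncode

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/device_control_policy.json"
    with open(path, "w") as fh:
        json.dump(SAMPLE_POLICY, fh, indent=2)
    issues = check_policy(SAMPLE_POLICY)
    sys.exit(print("\n".join(issues)) or 1) if issues else sys.exit(mdatp_policy_set(path))
```

Pass `reset` handling or a different policy path as you see fit; the pre-flight check is a structural sanity check only and does not replace validation against the repository's JSON schema.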
