Deploy and manage device control in Microsoft Defender for Endpoint using Group Policy

If you're using Group Policy to manage Defender for Endpoint settings, you can use it to deploy and manage device control.

Enable or disable removable storage access control

Screenshot of enable disable rsac.

  1. On a device running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control.

  2. In the Device Control window, select Enabled.

Note

If you don't see these Group Policy settings, you need to add the Group Policy Administrative Templates (ADMX). You can download the administrative templates (WindowsDefender.adml and WindowsDefender.admx) from the mdatp-devicecontrol / Windows samples on GitHub.

Set default enforcement

You can set the default access (Deny or Allow) for all device control features, such as RemovableMediaDevices, CdRomDevices, WpdDevices, and PrinterDevices.

Screenshot of set default enforcement.

For example, you might have either a Deny or an Allow policy for RemovableMediaDevices, but none for CdRomDevices or WpdDevices. If you set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices is blocked. If you only want to manage storage, make sure to create an Allow policy for printers; otherwise, the default enforcement (Deny) is applied to printers, too.

  1. On a device running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement Policy.

  2. In the Select Device Control Default Enforcement Policy window, select Default Deny.

Configure device types

Screenshot of configure device types.

To configure the device types that a device control policy is applied to, follow these steps:

  1. On a computer running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Turn on device control for specific device types.

  2. In the Turn on device control for specific device types window, specify the product family IDs, separated by a pipe (|). Product family IDs include RemovableMediaDevices, CdRomDevices, WpdDevices, and PrinterDevices.

Define groups

Screenshot of define groups.

  1. Create one XML file for each removable storage group.

  2. Use the properties in your removable storage group to create an XML file for each removable storage group.

  3. Save each XML file to your network share.

  4. Define the settings as follows:

    1. On a device running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.

    2. In the Define device control policy groups window, specify the network share file path containing the XML groups data.

You can create different group types. Here's an example group XML file that defines a group for any removable storage, CD-ROM, and Windows portable devices, plus an approved USBs group: XML file
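As an added illustration (not the linked sample and not Microsoft's own file), here is a Groups file in the layout the Define device control policy groups setting reads. The group Ids and the VID_PID value are constructed placeholders; replace them with your own GUIDs and the vendor/product IDs of your approved devices.

```xml
<Groups>
    <!-- Constructed example. Comments are placed inside the root tag, never on line 1 of the file. -->
    <!-- Group A (placeholder GUID): matches any removable storage, CD-ROM or Windows portable device. -->
    <Group Id="{00000000-0000-4000-8000-00000000000a}" Type="Device">
        <Name>Any Removable Storage and CD-DVD and WPD</Name>
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
            <PrimaryId>RemovableMediaDevices</PrimaryId>
            <PrimaryId>CdRomDevices</PrimaryId>
            <PrimaryId>WpdDevices</PrimaryId>
        </DescriptorIdList>
    </Group>
    <!-- Group B (placeholder GUID): approved USBs, matched by USB vendor_product ID. -->
    <!-- 0000_0000 is a placeholder; list one VID_PID element per approved model. -->
    <Group Id="{00000000-0000-4000-8000-00000000000b}" Type="Device">
        <Name>Approved USBs</Name>
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
            <VID_PID>0000_0000</VID_PID>
        </DescriptorIdList>
    </Group>
</Groups>
```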

Note

Comments using XML comment notation <!--COMMENT--> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

Define Policies

Screenshot of define policies.

  1. Create one XML file for the access policy rules.

  2. Use the properties in the removable storage access policy rule(s) to create an XML rule for each group's removable storage access policy.

  3. Save the XML file to your network share.

  4. Define the settings as follows:

    1. On a device running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.

    2. In the Define device control policy rules window, select Enabled, and then specify the network share file path containing the XML rules data.

Note

Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

Set location for a copy of the file (evidence)

Screenshot of set location for a copy of the file.

If you want a copy of the file (evidence) whenever Write access is used, set the appropriate Options value in your removable storage access policy rule in the XML file, and then specify the location where the system can save the copy.

  1. On a device running Windows, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define Device Control evidence data remote location.

  2. In the Define Device Control evidence data remote location window, select Enabled, and then specify the local or network share folder path.
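As an added example (not Microsoft's own sample), here is a PolicyRules file that ties the Define device control policy rules and evidence settings together: it denies Write and Execute on a general removable-storage group except for an approved USBs group, audits the denials, and allows the approved USBs while requesting a file copy as evidence on Write. The two GroupId values are assumed to be defined in your Groups file, all GUIDs are constructed placeholders, and the Options and AccessMask meanings are taken from the device control rule schema as I understand it (Options 8 on an Allow entry requests a copy of the file for Write access; AccessMask 6 is Write 2 + Execute 4); verify them against the rule reference before deploying.

```xml
<PolicyRules>
    <!-- Constructed example. Comments go inside the root tag, not on the first line. -->
    <!-- Rule 1: block Write/Execute on Group A (any removable storage, CD-ROM, WPD), -->
    <!-- but exclude Group B (approved USBs) so they fall through to Rule 2. -->
    <PolicyRule Id="{00000000-0000-4000-8000-000000000101}">
        <Name>Block Write and Execute on unapproved removable storage</Name>
        <IncludedIdList>
            <GroupId>{00000000-0000-4000-8000-00000000000a}</GroupId>
        </IncludedIdList>
        <ExcludedIdList>
            <GroupId>{00000000-0000-4000-8000-00000000000b}</GroupId>
        </ExcludedIdList>
        <!-- Deny: AccessMask 6 = Write (2) + Execute (4); Options 0 = no extra behaviour. -->
        <Entry Id="{00000000-0000-4000-8000-000000000111}">
            <Type>Deny</Type>
            <Options>0</Options>
            <AccessMask>6</AccessMask>
        </Entry>
        <!-- AuditDenied: Options 3 = show a user notification and send an event. -->
        <Entry Id="{00000000-0000-4000-8000-000000000112}">
            <Type>AuditDenied</Type>
            <Options>3</Options>
            <AccessMask>6</AccessMask>
        </Entry>
    </PolicyRule>
    <!-- Rule 2: allow approved USBs, keeping a copy of written files as evidence. -->
    <PolicyRule Id="{00000000-0000-4000-8000-000000000201}">
        <Name>Allow approved USBs with file evidence</Name>
        <IncludedIdList>
            <GroupId>{00000000-0000-4000-8000-00000000000b}</GroupId>
        </IncludedIdList>
        <!-- Allow: Options 8 (assumed) = capture file info and store a copy on Write; -->
        <!-- the copy lands in the evidence location set through Group Policy. -->
        <Entry Id="{00000000-0000-4000-8000-000000000211}">
            <Type>Allow</Type>
            <Options>8</Options>
            <AccessMask>6</AccessMask>
        </Entry>
        <!-- AuditAllowed: Options 2 = send an event for each allowed Write. -->
        <Entry Id="{00000000-0000-4000-8000-000000000212}">
            <Type>AuditAllowed</Type>
            <Options>2</Options>
            <AccessMask>2</AccessMask>
        </Entry>
    </PolicyRule>
</PolicyRules>
```

The evidence copy is only produced when the Allow entry carries the file-evidence option and the evidence location setting is enabled; without the location, only the local cache described in the next section is used.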

Retention period for local evidence cache

Screenshot of retention period for local cache.

If you want to change the default value of 60 days for persisting the local cache for file evidence, follow these steps:

  1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Set the retention period for files in the local device control cache.

  2. In the Set the retention period for files in the local device control cache window, select Enabled, and then enter the number of days to retain the local cache (default 60).
