Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions

This article provides answers to frequently asked questions about device control removable storage capabilities in Microsoft Defender for Endpoint.

How do I generate GUID for Group ID/PolicyRule ID/Entry ID?

You can generate a GUID with any online generator or with PowerShell (for example, New-Guid or [guid]::NewGuid()). For more information, see How to generate GUID through PowerShell.

Screenshot of GUID in PowerShell.

What are the removable storage media and policy limitations?

The backend call is made through OMA-URI (GET to read, PATCH to update), either from Intune or through the Microsoft Graph API, so the limit is the same as for any OMA-URI custom configuration profile at Microsoft: officially 350,000 characters for the XML file. For example, if you need two blocks of entries per user SID to "Allow" and "Audit allowed" specific users, followed by two blocks of entries at the end to "Deny" everyone else, one policy can cover 2,276 users.

Why doesn't the policy work?

The most common reason is that the device doesn't have the required anti-malware client (platform) version.

Another reason could be that the XML file isn't well formed. For example, the "&" character must be escaped as &amp; in XML, and some text editors add a byte order mark (BOM, the bytes 0xEF 0xBB 0xBF) at the beginning of the file, which makes XML parsing fail. One simple solution is to download the sample file (select Raw and then Save as) and edit that copy.

If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called PolicyRules. Also combine all Groups into one XML file within a parent node called Groups. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file.
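The following PowerShell is an added example, not code from the Microsoft article. It generates the brace-form GUIDs asked about in the first question, writes the Group and PolicyRule files without a BOM, wraps them in the Groups and PolicyRules parent nodes that Group Policy expects, and then checks the files for the two formatting faults described above (a BOM and an unescaped "&"), plus malformed Id values. The element names inside Group and PolicyRule, the RemovableMediaDevices primary ID and the AccessMask value are assumptions taken from Microsoft's published Device Control schema rather than from this page; compare them against the sample files before deploying. The file paths and the group and rule contents are constructed for the example.

```powershell
# Added example (not from the Microsoft article). Inner element names, the
# RemovableMediaDevices primary ID and AccessMask=63 are assumptions based on the
# published Device Control schema; check them against Microsoft's sample files.

function New-DcGuid {
    # Device Control IDs are written in brace form, e.g. {ae6cb3d7-...-...}.
    [guid]::NewGuid().ToString('B')
}

function Write-Utf8NoBom {
    param([string]$Path, [string]$Content)
    # UTF8Encoding($false) never emits EF BB BF. Out-File/Set-Content on
    # Windows PowerShell 5.1 can, which is the BOM failure described above.
    [System.IO.File]::WriteAllText($Path, $Content, [System.Text.UTF8Encoding]::new($false))
}

function Test-DcXmlFile {
    param([string]$Path)
    $ok = $true
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        Write-Warning "$Path starts with a UTF-8 BOM (EF BB BF)"
        $ok = $false
    }
    try {
        # A bare '&' (must be &amp;) or a mismatched tag throws here, long
        # before the file reaches Intune or Group Policy.
        [xml]$doc = [System.IO.File]::ReadAllText($Path)
    } catch {
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return $false
    }
    # Every Id attribute (Group, PolicyRule, Entry) must be a brace-form GUID.
    foreach ($attr in $doc.SelectNodes('//@Id')) {
        if ($attr.Value -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
            Write-Warning "$Path: Id '$($attr.Value)' is not a brace-form GUID"
            $ok = $false
        }
    }
    return $ok
}

$groupId = New-DcGuid; $ruleId = New-DcGuid; $entryId = New-DcGuid

# Constructed sample: one group for all removable media and one rule that denies
# it. The '&' in the name is escaped as &amp;, as XML requires.
$group = @"
  <Group Id="$groupId" Type="Device">
    <Name>Removable media (USB &amp; SD)</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
"@
$rule = @"
  <PolicyRule Id="$ruleId">
    <Name>Deny removable media</Name>
    <IncludedIdList><GroupId>$groupId</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="$entryId">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
"@

# Group Policy wants every group and every rule combined under one parent node;
# with more of either, concatenate them inside the same <Groups>/<PolicyRules>.
$groupsFile = "$env:TEMP\DcGroups.xml"
$rulesFile  = "$env:TEMP\DcPolicyRules.xml"
Write-Utf8NoBom -Path $groupsFile -Content "<Groups>`n$group`n</Groups>`n"
Write-Utf8NoBom -Path $rulesFile  -Content "<PolicyRules>`n$rule`n</PolicyRules>`n"

# A deliberately broken copy: Encoding.UTF8 writes a BOM, so the check must flag it.
$bomFile = "$env:TEMP\DcGroups-bom.xml"
[System.IO.File]::WriteAllText($bomFile, "<Groups>`n$group`n</Groups>`n", [System.Text.Encoding]::UTF8)

foreach ($f in $groupsFile, $rulesFile, $bomFile) {
    '{0}: {1}' -f $f, $(if (Test-DcXmlFile $f) { 'OK' } else { 'FIX BEFORE DEPLOYING' })
}
```

For Intune, which takes one PolicyRule file and one Group file as the paragraph above says, write each Group or PolicyRule to its own file with Write-Utf8NoBom and run Test-DcXmlFile on it the same way; whether that single-item file also carries the Groups or PolicyRules parent node is something to confirm against Microsoft's Intune sample files rather than this example.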

The device (machine) must be able to validate Microsoft's Authenticode signatures. Run the following command on the machine and confirm that Status is Valid:

Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe

Screenshot showing results of Get-AuthenticodeSignature cmdlet.

If the policy still isn't working, contact support and share your support cab (MpSupportFiles.cab). To generate it, open Command Prompt as an administrator and run the following command:

"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles

Why is there no configuration UX for some policy groups?

The Define device control policy groups and Define device control policy rules settings have no configuration UX in Group Policy. You can still get the related .adml and .admx files by selecting Raw and then Save as on the WindowsDefender.adml and WindowsDefender.admx files.

How do I confirm that the latest policy has been deployed to the target machine?

Run the PowerShell cmdlet Get-MpComputerStatus as an administrator. The DeviceControl* fields in its output (such as DeviceControlPoliciesLastUpdated and DeviceControlState) show whether, and when, the latest policy was applied to the target machine.

Screenshot showing device control status in PowerShell.
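The following PowerShell is an added example, not code from the Microsoft article, that runs the local checks from the "Why doesn't the policy work?" and "How do I confirm that the latest policy has been deployed" questions in one place: platform version, the Authenticode check on WmiPrvSE.exe, the DeviceControl* fields of Get-MpComputerStatus, and optionally the support cab. The required platform version is a parameter rather than a constant because this page doesn't state it; take it from Microsoft's documentation. The DeviceControl* property names are assumed to be the ones shown by Get-MpComputerStatus on current Defender platform builds and absent on older ones.

```powershell
# Added example (not from the Microsoft article). -MinimumPlatformVersion is the
# documented minimum for removable storage access control; it is not hard-coded
# here because the page does not state it.
function Test-DeviceControlReadiness {
    param(
        [Parameter(Mandatory)][version]$MinimumPlatformVersion,
        [switch]$CollectSupportFiles   # run MpCmdRun -GetFiles when a check fails
    )
    $result = [ordered]@{}

    # 1. Anti-malware client (platform) version. AMProductVersion is the platform
    #    build, e.g. 4.18.2xxx.y; AMEngineVersion is the scan engine.
    $status = Get-MpComputerStatus
    $result.PlatformVersion   = $status.AMProductVersion
    $result.EngineVersion     = $status.AMEngineVersion
    $result.PlatformIsCurrent = [version]$status.AMProductVersion -ge $MinimumPlatformVersion

    # 2. The signature check the article recommends. Status must be 'Valid';
    #    NotSigned, HashMismatch or UnknownError points at a certificate/trust
    #    problem on the device rather than at the policy XML.
    $sig = Get-AuthenticodeSignature "$env:SystemRoot\System32\wbem\WmiPrvSE.exe"
    $result.WmiPrvSeSignature = $sig.Status
    $result.WmiPrvSeSigner    = $sig.SignerCertificate.Subject

    # 3. Has a device control policy reached this machine, and when? Assumption:
    #    property names DeviceControlState / DeviceControlPoliciesLastUpdated /
    #    DeviceControlDefaultEnforcement, as on current platform builds. Their
    #    absence is itself a signal that the platform is too old.
    $dcProps = $status.PSObject.Properties | Where-Object Name -like 'DeviceControl*'
    if (-not $dcProps) {
        $result.DeviceControl = 'no DeviceControl* properties: platform predates device control'
    } else {
        foreach ($p in $dcProps) { $result[$p.Name] = $p.Value }
    }

    $failed = (-not $result.PlatformIsCurrent) -or ($sig.Status -ne 'Valid')
    if ($failed -and $CollectSupportFiles) {
        # Same command the article gives for the support cab; needs an elevated prompt.
        & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
    }

    [pscustomobject]$result
}

# Usage (elevated): Test-DeviceControlReadiness -MinimumPlatformVersion <documented minimum> -CollectSupportFiles
```

Compare PlatformVersion across machines with the advanced hunting query further down this page; this script is the per-device view of the same version check.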

How can I find out which machines in the organization are running an out-of-date anti-malware client version?

You can use the following advanced hunting query in the Microsoft 365 Defender portal to get the anti-malware client (platform) version per device:

//check the anti-malware client (platform) version from the folder MsMpEng.exe runs from
//note: only devices that logged a file event for MsMpEng.exe within the lookback window appear here
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
//split() returns a dynamic array even when an index is requested; take element [0]
//before converting, otherwise PlatformVersion reads ["4.18..."] instead of 4.18...
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5)[0])
//keep only the newest version seen per device, so a machine that updated during the window is not counted twice
|summarize arg_max(Timestamp, PlatformVersion) by DeviceName
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc

How do I find the media property in the Device Manager?

  1. Plug in the media.

  2. Open Device Manager.

    Screenshot of Device Manager.

  3. Locate the media in the Device Manager, right-click, and then select Properties.

    Screenshot of media in the Device Manager.

  4. Open the Details tab, and pick the property you need from the Property drop-down (for example, Device instance path or Hardware Ids).

    Screenshot of right-click menu for disk drives in Device Manager.
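As an added example that is not part of the Microsoft article, the following PowerShell reads the same properties the Device Manager steps above expose, for every USB disk that is currently plugged in, and walks up to the parent USB node to pull the VID/PID pair. The DEVPKEY_* names are the standard PnP property keys; the USBSTOR instance path layout and the VID_xxxx&PID_xxxx form of the parent path are how Windows names USB mass storage devices. Which of these values a Group descriptor should match on is not stated on this page, so the output is left as plain fields.

```powershell
# Added example (not from the Microsoft article): Device Manager "Details" tab
# values for plugged-in USB disks, without the UI. -PresentOnly corresponds to
# step 1 above (the media must be plugged in).
function Get-RemovableDiskIdentity {
    [CmdletBinding()]
    param()

    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $disk = $_

            # Details tab -> "Parent": the USB device node that carries VID/PID.
            $parent = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
                                             -KeyName 'DEVPKEY_Device_Parent').Data

            $vidPid = $null
            if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vidPid = ('VID_{0}&PID_{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper())
            }

            [pscustomobject]@{
                FriendlyName   = $disk.FriendlyName            # Details tab -> "Friendly name"
                InstancePath   = $disk.InstanceId              # Details tab -> "Device instance path"
                HardwareIds    = ($disk.HardwareID -join '; ') # Details tab -> "Hardware Ids"
                ParentInstance = $parent
                VidPid         = $vidPid                       # from the parent USB node
            }
        }
}

# Usage: plug in the media, then
Get-RemovableDiskIdentity | Format-List
```

If a disk shows no VidPid, it is not a direct child of a USB node (for example, a card reader or a hub-attached enclosure); in that case use InstancePath or HardwareIds from the output, which are the same strings the Details tab shows.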

How do I find Sid or ComputerSid for Azure AD group?

Unlike an on-premises AD group, an Azure AD group is identified in the Sid or ComputerSid field by its Object Id rather than by a Windows SID. You can find the Object Id on the group's page in the Azure portal.

Screenshot of the Object Id of an Azure AD group in the Azure portal.