Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions
This article provides answers to frequently asked questions about device control removable storage capabilities in Microsoft Defender for Endpoint.
How do I generate GUID for Group ID/PolicyRule ID/Entry ID?
You can generate the GUID through online open source or by using PowerShell. For more information, see How to generate GUID through PowerShell.
What are the removable storage media and policy limitations?
The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
Why doesn't the policy work?
The most common reason is that the required anti-malware client version isn't installed.
Another reason could be that the XML file isn't correctly formatted. For example, the "&" character might not be escaped correctly for XML, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the file, causing the XML parsing to fail. One simple solution is to download the sample file (select Raw and then Save as), and then update it.
If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called PolicyRules. Also combine all Groups into one XML file within a parent node called Groups. If you manage through Intune, keep one PolicyRule XML file and one Group XML file.
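A pre-deployment check for the formatting problems listed above (UTF-8 BOM, unescaped "&", wrong parent node for Group Policy deployment, and non-GUID IDs). This is an added example, not Microsoft's tooling; it assumes the GUID is carried in an Id attribute written in braces, as in the sample files, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"
# Parent node expected for Group Policy deployment -> the child element it must contain.
EXPECTED_ROOTS = {"PolicyRules": "PolicyRule", "Groups": "Group"}
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
# An '&' that does not start a well-formed entity or character reference.
RAW_AMP_RE = re.compile(rb"&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);)")


def check_policy_xml(data: bytes) -> list:
    """Return a list of problems found; an empty list means the file passed every check."""
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 BOM (0xEF 0xBB 0xBF); save it without one")
        data = data[len(UTF8_BOM):]
    for m in RAW_AMP_RE.finditer(data):
        problems.append(f"unescaped '&' at byte offset {m.start()}; write it as &amp;")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        problems.append(f"XML does not parse: {exc}")
        return problems
    child_tag = EXPECTED_ROOTS.get(root.tag)
    if child_tag is None:
        problems.append(f"root element is <{root.tag}>; expected <PolicyRules> or <Groups>")
        return problems
    if len(root) == 0:
        problems.append(f"<{root.tag}> contains no <{child_tag}> elements")
    for child in root:
        if child.tag != child_tag:
            problems.append(f"unexpected <{child.tag}> directly under <{root.tag}>")
            continue
        # Assumption: the GUID lives in an Id attribute written in braces, as in the samples.
        guid = child.get("Id", "")
        if not GUID_RE.match(guid):
            problems.append(f"<{child_tag}> Id {guid!r} is not a braced GUID")
    return problems


# Constructed sample inputs (not real policy files).
GOOD_GROUPS = (b'<Groups><Group Id="{a1b2c3d4-0000-4000-8000-000000000001}">'
               b'<Name>Removable drives</Name></Group></Groups>')
WITH_BOM = UTF8_BOM + GOOD_GROUPS
RAW_AMP = GOOD_GROUPS.replace(b"Removable drives", b"R&D drives")
SINGLE_RULE = b'<PolicyRule Id="{a1b2c3d4-0000-4000-8000-000000000002}"><Name>x</Name></PolicyRule>'

if __name__ == "__main__":
    for label, sample in [("good", GOOD_GROUPS), ("bom", WITH_BOM),
                          ("amp", RAW_AMP), ("single rule", SINGLE_RULE)]:
        print(label, check_policy_xml(sample) or "OK")
```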
The device (machine) should have a valid certificate. Run the following command on the machine to check:
If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command:
"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles
Why is there no configuration UX for some policy groups?
There is no configuration UX for Define device control policy groups and Define device control policy rules in your Group Policy. But you can still get the related .admx files by selecting Raw and Save as at the WindowsDefender.adml and WindowsDefender.admx files.
How do I confirm that the latest policy has been deployed to the target machine?
You can run the PowerShell cmdlet Get-MpComputerStatus as an administrator. The following value shows whether the latest policy has been applied to the target machine.
How can I know which machines are using an out-of-date anti-malware client version in the organization?
You can use the following query to get the anti-malware client version in the Microsoft 365 security portal:
//check the anti-malware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc
How do I find the media property in the Device Manager?
Plug in the media.
Open Device Manager.
Locate the media in the Device Manager, right-click, and then select Properties.
Open Details, and select Properties.
How do I find Sid or ComputerSid for Azure AD group?
Unlike an AD group, the Sid or ComputerSid for an Azure AD group uses the group's Object Id. You can find the Object Id in the Azure portal.