Microsoft Defender for Endpoint Device Control Removable Storage Protection
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Device control removable storage protection in Microsoft Defender for Endpoint prevents users, endpoints, or both from using unauthorized removable storage media.
Removable storage access control
Capabilities
- Audit Read or Write or Execute access to removable storage based on various device properties, with or without an exclusion.
- Prevent Read or Write or Execute access with or without an exclusion. Allow a specific device based on various device properties.
To manage external storage, use removable storage access control instead of device installation.
Windows 10 and Windows 11 support details
- Applied at the device level, the user level, or both. Allow only specific people to perform Read/Write/Execute access to specific removable storage on a specific machine.
- Support Intune OMA-URI and GPO.
- For Windows devices, see Removable storage Access Control.
Supported Platform
- Windows 10, Windows 11
macOS support details
- Applied at the device level: the same policy applies for any logged on user.
- For macOS specific information, see Device control for macOS.
Supported platform
- macOS 11 (Big Sur) or later
Device installation
Capabilities
- Prevent installation with or without exclusion based on various device properties.
Windows 10 and Windows 11 support details
- Applied at the device level: the same policy applies for any logged on user.
- Supports Microsoft Configuration Manager and Group Policy Objects.
- For more information on Windows, see How to control USB devices and other removable media using Microsoft Defender for Endpoint.
Supported Platform
- Windows 10, Windows 11
macOS support details
- Applied at the device level: the same policy applies for any logged on user.
- For macOS specific information, see Device control for macOS.
Supported platform
- macOS 11 (Big Sur) or later
Endpoint DLP Removable storage
Capabilities
- Audit, warn, or prevent a user from copying an item or information to removable media or USB device.
Supported Platform
- Windows 10, Windows 11
BitLocker
Capabilities
- Block data from being written to removable drives that aren't BitLocker protected.
- Block access to removable drives unless they were encrypted on a computer owned by your organization.
Supported Platform
- Windows 10, Windows 11