butters, sorry I missed your questions months ago. Well, I can't find it anymore. I'm starting to think my colleague just told me to do it that way because he read it somewhere.
Nevertheless, a message to everyone: Microsoft has updated their documentation on this recently, in Jan & Feb. Best to read it again.
Can someone confirm that you can just use one policy where you then block and allow devices (if you use include/exclude correctly)? I think it does indeed have to work that way now. If you see my comment above, I made one Block policy and one Allow policy separately, which still works very well but is a little overkill, I'm starting to believe; I need to test. I did it like that because with one policy my test results months ago were not 100%.
Also, watch out: we had a lot of clients where older test policies were tattooed in the registry and newer ones were just appended, which meant they became corrupt. Luckily we spotted via audit logs that devices were not always allowing/blocking as configured. I opened a case with MS; the conclusion was to clean up the registry strings in 'PolicyGroups' & 'PolicyRules' in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager. After another sync, the good policy will then register them again with the correct values.
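The registry clean-up described in the comment above, as an added PowerShell example (not the commenter's script and not anything Microsoft ships): it lists what is currently tattooed under the Policy Manager key, exports the key as a backup, and only then removes the 'PolicyGroups' and 'PolicyRules' data so the next sync can re-register the good policy. It assumes, as the comment says, that the stale data lives as registry values with those two names directly under that key; the subkey branch is an extra assumption covering the case where they were written as subkeys instead. Function names and the backup location are this example's own choices, and it has to run from an elevated prompt.

```powershell
# Added example, not from the original post. Assumes the stale Device Control data is stored as
# values named PolicyGroups / PolicyRules under the Policy Manager key named in the comment; the
# subkey handling is an additional assumption. Run elevated, and re-sync the device afterwards.

$PolicyManagerKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$DeviceControlNames = @('PolicyGroups', 'PolicyRules')

function Get-StaleDeviceControlPolicy {
    # Report what is currently tattooed: values and/or subkeys carrying the two names.
    if (-not (Test-Path -LiteralPath $PolicyManagerKey)) { return @() }
    $key = Get-Item -LiteralPath $PolicyManagerKey
    foreach ($name in $DeviceControlNames) {
        if ($key.GetValueNames() -contains $name) {
            [pscustomobject]@{ Kind = 'Value'; Name = $name; Data = $key.GetValue($name) }
        }
        $subPath = Join-Path $PolicyManagerKey $name
        if (Test-Path -LiteralPath $subPath) {
            $sub  = Get-Item -LiteralPath $subPath
            $data = ($sub.GetValueNames() | ForEach-Object { "$_=$($sub.GetValue($_))" }) -join '; '
            [pscustomobject]@{ Kind = 'Subkey'; Name = $name; Data = $data }
        }
    }
}

function Backup-PolicyManagerKey {
    # reg.exe wants the native hive name, not the PSDrive form. Backup path is an assumption.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path   = Join-Path $env:ProgramData "PolicyManager-backup-$stamp.reg"
    $native = $PolicyManagerKey -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $native $path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $path
}

function Clear-StaleDeviceControlPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $stale = @(Get-StaleDeviceControlPolicy)
    if ($stale.Count -eq 0) { Write-Host "Nothing to clean under $PolicyManagerKey"; return }

    # Back up before touching anything; -WhatIf skips the export as well as the removals.
    if ($PSCmdlet.ShouldProcess($PolicyManagerKey, 'Export backup with reg.exe')) {
        Write-Host "Backed up key to $(Backup-PolicyManagerKey)"
    }
    foreach ($entry in $stale) {
        $target = "$PolicyManagerKey ($($entry.Kind) '$($entry.Name)')"
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            if ($entry.Kind -eq 'Value') {
                Remove-ItemProperty -LiteralPath $PolicyManagerKey -Name $entry.Name
            } else {
                Remove-Item -LiteralPath (Join-Path $PolicyManagerKey $entry.Name) -Recurse
            }
        }
    }
}

# Usage: inspect first, dry-run second, then remove for real.
Get-StaleDeviceControlPolicy | Format-List
Clear-StaleDeviceControlPolicy -WhatIf
# Clear-StaleDeviceControlPolicy -Confirm:$false
```

Look at the Data column before removing anything: if several rules with different IDs are concatenated or an old test group is still present next to the current one, that is the appended/corrupt state the comment describes. After the removal, trigger a sync (Settings > Accounts > Access work or school > Info > Sync, or from the Intune admin center) and run Get-StaleDeviceControlPolicy again to confirm only the current policy's data has been written back.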