A common request from information security teams is the ability to block mass storage devices. As every security defender knows, you cannot draw a hard line and block EVERY USB mass storage device. E...
Updated Jun 08, 2022
Version 2.0
Blog Post
Glenn Van Rymenant , ajawzero , thank you both for confirming and for the sanity check. I had initially followed the steps in the following link to deploy via GP, by providing the path as shown in the screenshots, and I can indeed see the file paths being written as the value in the registry.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/bc-p/3029472#M1585
I am not seeing the content of the files themselves as Andy (and the youtube vid) find when the deploy via MEM. Additionally, the desired behavior of blocking USB storage is not happening.
I would have to believe that the parsed contents would have to be written when deployed via GP, otherwise, how would the machine know the policy when it's not on the network with access to the share. I believe what I should be observing is the contents written out at "\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager", as both of you have witnessed and as demonstrated in the vid, regardless of how it was deployed. We've put in a ticket with Microsoft, but it's strange behavior that I can't find documentation for in these early days of this feature. Thanks again to both of you for your feedback. This feature is very compelling, hence our desire to get this figured out!