Marek_Dvorak_, thanks for trying the feature. I see two errors in the XML file:
1. Since you are using Group Policy to deploy/manage the policy, you have to put Group into Groups and PolicyRule into PolicyRules:
- "If you are deploying and managing the policy via Group Policy, please make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule per XML file and, in the same way, one Group per XML file."
If you are using Intune OMA-URI, then you do not need to put them into <PolicyRules> and <Groups>.
2. In the PolicyRule, I see the Options value is 1 for AccessMask == 1 (Read). For Read access, 1/notification is meaningless; you should either remove this Entry or set it to 2 to have the event in advanced hunting.
Feel free to take a look at the Q&A section of "Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Docs"; it includes the most common issues we have heard from customers.
I updated your policy; try it and let me know if it still does not work:
<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>
<PolicyRules>
  <PolicyRule Id="{d2193a7f-ceec-4729-a72a-fe949639db55}">
    <Name>Block removable storage and CdRom</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList />
    <Entry Id="{c1adfc3e-0347-4096-88c3-6e0777b2a15b}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="{fee5f127-951b-4ece-9196-fa1c9ff21678}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>6</AccessMask>
    </Entry>
    <Entry Id="{ad04437c-e279-41a3-8a1a-b76b7e35bce5}">
      <Type>AuditDenied</Type>
      <Options>2</Options>
      <AccessMask>1</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
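
A pre-deployment check for the two mistakes described in the reply above, as an added example that is not part of the original post and not Microsoft tooling. The function name `lint_gpo_policy`, the zeroed sample GUIDs, limiting the Options check to `AuditDenied` entries, and the extra GroupId cross-reference check (which goes beyond what the reply covers) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a rules file and a groups file with the mistakes the reply
# describes, written as they would be for Group Policy deployment.
BAD_RULES = """<PolicyRule Id="{00000000-0000-0000-0000-000000000001}">
  <Name>Constructed sample rule</Name>
  <IncludedIdList><GroupId>{00000000-0000-0000-0000-0000000000aa}</GroupId></IncludedIdList>
  <ExcludedIdList />
  <Entry Id="{00000000-0000-0000-0000-000000000002}">
    <Type>AuditDenied</Type><Options>1</Options><AccessMask>1</AccessMask>
  </Entry>
</PolicyRule>"""
BAD_GROUPS = """<Group Id="{00000000-0000-0000-0000-0000000000bb}">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
</Group>"""


def lint_gpo_policy(rules_xml, groups_xml):
    """Return a list of findings for a Group Policy deployed rules/groups pair."""
    findings = []
    rules, groups = ET.fromstring(rules_xml), ET.fromstring(groups_xml)
    # Group Policy needs the parent nodes; Intune OMA-URI takes the bare elements.
    for root, parent in ((rules, "PolicyRules"), (groups, "Groups")):
        if root.tag != parent:
            findings.append(f"root is <{root.tag}>, expected <{parent}>")
    # iter() also yields the root itself, so this works with or without the wrapper.
    known = {g.get("Id", "").lower() for g in groups.iter("Group")}
    for rule in rules.iter("PolicyRule"):
        # Assumption of this example: every referenced GroupId must be defined.
        for ref in rule.iter("GroupId"):
            if (ref.text or "").strip().lower() not in known:
                findings.append(f"rule {rule.get('Id')}: unknown GroupId {ref.text}")
        for entry in rule.iter("Entry"):
            etype = (entry.findtext("Type") or "").strip()
            options = int(entry.findtext("Options") or 0)
            mask = int(entry.findtext("AccessMask") or 0)
            # Per the reply: notification-only (1) on Read (AccessMask 1) is
            # meaningless; 2 produces the event in advanced hunting.
            if etype == "AuditDenied" and mask == 1 and options == 1:
                findings.append(f"entry {entry.get('Id')}: Options 1 on Read, use 2 or remove")
    return findings


if __name__ == "__main__":
    for finding in lint_gpo_policy(BAD_RULES, BAD_GROUPS):
        print(finding)
```

Run against the corrected policy from the post (one `<PolicyRules>` file and one `<Groups>` file), the function returns an empty list.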