Forum Discussion
Device Control via Endpoint Security > Attack Surface Reduction > Device Control in Intune
Hi,
I have spent the last 2 days testing and configuring USB Device Control for devices in Intune. I initially used the OMA-URI method, which involves manual creation of XML files (Yuck!), and managed to get that working successfully.
With the knowledge gained from that experience I switched my approach to try and apply the identical configuration using a Device Control policy created via Endpoint Security > Attack Surface Reduction > Device Control in Intune instead. This should be far easier, I thought, as you remove the error-prone manual processes involved with the OMA-URI method (creation of multiple XML files, multiple GUIDs, cross-referencing GUIDs, DeviceIDs with character substitutions required, OMA-URIs with character substitutions required, etc.).
The issue I am having is that it appears my new Device Control policy isn't working.
The policy is configured as below:
Reusable Settings
All Removable Media Devices - defined using Primary ID - "RemovableMediaDevices"
Sandisk - defined using Friendly name - "SanDisk Cruzer Edge USB Device"
Policy configured within Device Control
Device Control - Enabled
Name - USBDeviceControl
Included ID - All Removable Media Devices
Excluded ID - Sandisk
Entry - Name - USBDeviceControl, Type:Deny, Options:None, AccessMask: Write,Execute, Sid:<blank>, Computer Sid:<blank>
After reviewing the local event logs on a test device, I can see an error relating to the policy rules file that is (I assume) automatically created in the back end via the GUI in the Device Control interface. Specifically, the error contains the details below:
Event ID: 404
MDM ConfigurationManager: Command Failure Status.
CSP URI: (./vendor/msft/defender/configuration/devicecontrol/policyrules/<policy guid>)
Result: (Invalid class string)
As far as I can see I have configured everything correctly, but this isn't working. The only difference between my current config and my working OMA-URI config is that I have defined the allowed USB device using the Friendly name in the Device Control policy, as I wasn't sure whether, when you specify the Instance ID in reusable settings, the interface can handle the "&" or whether you need to amend it to "&amp;" as you do when you use the OMA-URI method.
Has anyone here successfully used Device Control policies in Endpoint Security to manage USB devices? Tewang_Chen
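For anyone who ends up falling back to the OMA-URI method, the manual steps listed above (several XML files, several GUIDs that must cross-reference each other, "&" escaping in instance paths, brace encoding in the OMA-URI) can be generated rather than typed. The script below is an added example written for this thread, not code from the original post or from Microsoft. It builds the two group documents and the rule document for the policy described above (include all RemovableMediaDevices, exclude the approved SanDisk stick, deny Write+Execute) and derives the OMA-URI each document is posted to. Element names and the AccessMask bit values follow Microsoft's documented Device Control XML as the author understands it; every GUID and the InstancePathId value are constructed placeholders.

```python
"""Generate Device Control group/rule XML for the OMA-URI method.

Added example for this thread, not the forum post's or Microsoft's own code.
Element names follow the documented Device Control schema as understood by
the author; all GUIDs and the sample instance path are constructed.
"""
import uuid
import xml.etree.ElementTree as ET

# AccessMask bit values as documented for Device Control (stated here as an
# assumption): 1 disk read, 2 disk write, 4 disk execute, 8 file read,
# 16 file write, 32 file execute, 64 print.
ACCESS = {"Read": 1, "Write": 2, "Execute": 4,
          "FileRead": 8, "FileWrite": 16, "FileExecute": 32, "Print": 64}

CSP_BASE = "./Vendor/MSFT/Defender/Configuration/DeviceControl"


def new_guid():
    """GUIDs inside the XML are written with braces, e.g. {1234-...}."""
    return "{" + str(uuid.uuid4()) + "}"


def access_mask(*names):
    """Combine named access types into the integer AccessMask (Write+Execute = 6)."""
    return sum(ACCESS[n] for n in names)


def oma_uri(kind, guid):
    """Braces are not allowed in the OMA-URI path, so { -> %7b and } -> %7d."""
    encoded = guid.replace("{", "%7b").replace("}", "%7d")
    leaf = "GroupData" if kind == "PolicyGroups" else "RuleData"
    return f"{CSP_BASE}/{kind}/{encoded}/{leaf}"


def build_group(name, descriptors, guid=None):
    """descriptors is a list of (element, value) pairs such as
    ("PrimaryId", "RemovableMediaDevices") or ("InstancePathId", "USBSTOR\\...").
    ElementTree serialises '&' in a value as '&amp;', so no manual substitution."""
    guid = guid or new_guid()
    group = ET.Element("Group", Id=guid, Type="Device")
    ET.SubElement(group, "Name").text = name
    ET.SubElement(group, "MatchType").text = "MatchAny"
    id_list = ET.SubElement(group, "DescriptorIdList")
    for tag, value in descriptors:
        ET.SubElement(id_list, tag).text = value
    return guid, group


def build_rule(name, included, excluded, entries, guid=None):
    """entries is a list of (Type, Options, AccessMask) tuples; group GUIDs in
    included/excluded must be the Id values of groups built above."""
    guid = guid or new_guid()
    rule = ET.Element("PolicyRule", Id=guid)
    ET.SubElement(rule, "Name").text = name
    inc = ET.SubElement(rule, "IncludedIdList")
    for g in included:
        ET.SubElement(inc, "GroupId").text = g
    exc = ET.SubElement(rule, "ExcludedIdList")
    for g in excluded:
        ET.SubElement(exc, "GroupId").text = g
    for entry_type, options, mask in entries:
        entry = ET.SubElement(rule, "Entry", Id=new_guid())
        ET.SubElement(entry, "Type").text = entry_type
        ET.SubElement(entry, "Options").text = str(options)
        ET.SubElement(entry, "AccessMask").text = str(mask)
    return guid, rule


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


def build_policy():
    """The thread's policy: deny Write+Execute on all removable media except the
    approved stick. The stick is matched by friendly name and, to show the '&'
    escaping, by a constructed InstancePathId (not a real device path)."""
    all_id, all_group = build_group(
        "All Removable Media Devices", [("PrimaryId", "RemovableMediaDevices")])
    sandisk_id, sandisk = build_group(
        "Sandisk",
        [("FriendlyNameId", "SanDisk Cruzer Edge USB Device"),
         ("InstancePathId",
          r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_EDGE&REV_1.00\EXAMPLE0000&0")])
    rule_id, rule = build_rule(
        "USBDeviceControl", included=[all_id], excluded=[sandisk_id],
        entries=[("Deny", 0, access_mask("Write", "Execute"))])
    # Map each OMA-URI to the XML body that goes into its String value.
    return {
        oma_uri("PolicyGroups", all_id): to_xml(all_group),
        oma_uri("PolicyGroups", sandisk_id): to_xml(sandisk),
        oma_uri("PolicyRules", rule_id): to_xml(rule),
    }


if __name__ == "__main__":
    for uri, body in build_policy().items():
        print(uri)
        print(body, end="\n\n")
```

Running it prints three OMA-URI / XML pairs that can be pasted into a custom configuration profile; because the group GUIDs are generated once and reused in the rule's IncludedIdList and ExcludedIdList, the cross-referencing mistakes the OMA-URI method invites are taken out of the process.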
- pariswells (Copper Contributor): Getting the exact error, even with PrimaryID of just RemovableMediaDevices
- keith-mad (Copper Contributor): I spent last week trying to complete the exact same steps as you. My custom OMA-URI config profiles apply without a hassle, the minute I try to configure the 'new' Endpoint Security -> Device Control settings I can't apply a policy. I was bashing my head against a wall all last week and finally threw in the towel on Friday evening when I couldn't get a policy to apply.
It's good to know someone else can't apply via the new UI settings. I created reusable settings like you have, left the SID open, and then manually added a SID to see if it would work. Nothing worked in the end.
Sorry, this reply probably isn't the one you were looking for, I just needed to tell you I spent a solid 8-10 hours trying to configure different settings and couldn't get it working. OMA-URIs are the only reliable setting for Device Control at the moment in my eyes.
- PJR_CDF (Iron Contributor): Thanks so much for taking the time to let me know. I now have an open support case with MS (who also got a similar issue when trying to replicate my scenario) so will post the outcome here.
- PJR_CDF (Iron Contributor): MS have now confirmed this is a known issue internally and it's assigned to engineering for resolution, however as the feature is still in Preview there is no ETA for a fix.
Other people reporting the same issue in the comments in this article:
https://techcommunity.microsoft.com/t5/intune-customer-success/new-device-control-capabilities-to-manage-removable-storage/ba-p/3664726
- KaHoe (Copper Contributor): Funny part is that I realised your thread when working myself into RSAC the last two days, but did not remember it when I ran into the same issue. Now that I read it again... Better memory could have saved me a few hours...
Can't really bother doing that with OMA-URI. Hope they fix it soon. I bet the device class field is not written correctly into the variable and there is some development test stuff written into it.
- keith-mad (Copper Contributor): Does anybody know if this has been fixed yet?
- PJR_CDF (Iron Contributor): Feedback from my support case last week is it's not fixed yet.
I tried it again yesterday to test and it was still broken with the same error 😞
- keith-mad (Copper Contributor): Hello PJR_CDF, I have managed to deploy a simple Device Control Block policy using the new Reusable settings. They seem to have fixed something in the backend. I have deployed a BlockAll USB policy using Reusable Settings and it has worked. I have not tested anything else in terms of allowing certain USBs, or complex DC policies.
Hopefully Microsoft has fixed it all.