Forum Discussion
Device control with Defender for Endpoint
Dear all,
I need some help on an issue I have been experiencing with my device control policy recently.
This policy was configured under attack surface reduction rules in Intune and has been working fine until recently.
This policy is used to block all USB ports of corporate machines by default unless they are explicitly allowed. As already mentioned, it works perfectly by blocking all USB ports and we have the option to unblock some if needed.
Now, here is the problem I am recently experiencing:
We have like twenty-five branches located in different countries, and there is only one policy in Intune in place for all the countries, including the head office.
If I exclude a device and allow it to be used in the head office using its serial number, it works fine, but if the same USB stick is connected to a branch office computer, it is blocked again, and there is no conditional access policy configured to warrant such behavior.
I appreciate any help that will lead to solving this issue.
Best regards
Alieu
Here are some screenshots of my policy in Intune (four screenshots, not reproduced here):
1 Reply
- Joe Stocker (Bronze Contributor)
To troubleshoot this:
- Examine the Intune management logs on both working and non-working machines to compare policy application
- Use the Event Viewer (Microsoft-Windows-DeviceGuard-UserMode/Operational) to check for device control events and policy rejections
- Try creating a test policy that uses multiple identification methods for the same device (Serial Number, Product ID, Vendor ID)
- Verify that all machines are on the same Windows build and have consistent Microsoft Defender versions
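As an added illustration of the third suggestion (not code from the thread or from Microsoft), the script below evaluates two constructed device-control allow groups against two constructed device reports. It assumes the Defender device-control XML group shape (`Group` / `MatchType` / `DescriptorIdList` with `SerialNumberId` and `VID_PID` descriptors); the GUIDs, serial and VID/PID values are made up, and the branch-side serial string is a constructed variant meant only to show how a serial-only group fails while a multi-identifier `MatchAny` group still matches.

```python
import xml.etree.ElementTree as ET

# Constructed allow group keyed on the serial number only (assumed XML shape).
SERIAL_ONLY_GROUP = """
<Group Id="{11111111-1111-1111-1111-111111111111}">
  <Name>Approved USBs (serial only)</Name>
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <SerialNumberId>4C530001280312120171</SerialNumberId>
  </DescriptorIdList>
</Group>
"""

# Constructed allow group that also carries the vendor/product ID of the same stick.
MULTI_ID_GROUP = """
<Group Id="{22222222-2222-2222-2222-222222222222}">
  <Name>Approved USBs (serial or VID/PID)</Name>
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <SerialNumberId>4C530001280312120171</SerialNumberId>
    <VID_PID>0781_5575</VID_PID>
  </DescriptorIdList>
</Group>
"""

def parse_group(xml_text):
    """Return (match_type, [(descriptor_tag, expected_value), ...]) for one group."""
    root = ET.fromstring(xml_text)
    match_type = root.findtext("MatchType", "MatchAny")
    descriptors = [(d.tag, (d.text or "").strip()) for d in root.find("DescriptorIdList")]
    return match_type, descriptors

def matched_descriptors(group_xml, device):
    """List the descriptor tags whose expected value equals what the endpoint reported.
    Comparison is exact and case-sensitive; `device` maps descriptor tag -> reported value."""
    _, descriptors = parse_group(group_xml)
    return [tag for tag, value in descriptors if device.get(tag) == value]

def device_matches(group_xml, device):
    """True if the device satisfies the group under its MatchAny / MatchAll rule."""
    match_type, descriptors = parse_group(group_xml)
    hits = matched_descriptors(group_xml, device)
    return len(hits) == len(descriptors) if match_type == "MatchAll" else bool(hits)

# Constructed device reports for the same stick as seen on two machines; the
# branch-side serial string is deliberately different to model a serial mismatch.
HEAD_OFFICE = {"SerialNumberId": "4C530001280312120171", "VID_PID": "0781_5575"}
BRANCH = {"SerialNumberId": "4C530001280312120171&0", "VID_PID": "0781_5575"}
```

Comparing `matched_descriptors()` output for the working and non-working machine shows which identifier the policy is actually keying on, which is the information the event-log comparison in the steps above is meant to surface.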