Forum Discussion

dhorne25
Copper Contributor
Apr 29, 2025

MDE Device Control Questions

Hello all,


I’ve been exploring Device Control recently and have run into a few issues that I would like to verify have no fix, or to see if there is a fix I need to implement.

A little bit about the implementation: we have a default block-all-write policy that excludes some exception groups, and the exception groups then allow write. Other than write, nothing else is blocked.


  1. With write blocked, users who don’t have an exception can plug in an infected USB, and Windows Defender seems to get blocked by Device Control when deleting the file. Is there a way to allow delete, but no copy/paste or file creation/edit?
  2. Users who are local admins are able to circumvent the policies by removing the Microsoft\Windows Defender\Policy Manager\PolicyRules registry value, as there is nothing in the ‘Device Control’ registry, contrary to what I’ve read. How can we block local admins from doing this?

Thanks!

2 Replies

  • Hi, Device Control blocks all write operations (create, copy, edit and delete): there is no “delete-only” way. If granularity is needed, use NTFS ACLs or AppLocker/WDAC (file permissions) or a DLP policy.

    To prevent local admins from removing registry rules:

    Tamper Protection enabled in Defender.

    Remove permanent admin privileges (use LAPS or PIM/JIT).

    Set restrictive ACLs on the registry key and reapply policies automatically via Intune/GPO.

    Thus you combine protection and continuous reapplication, making manual deletion unnecessary.


    •
      dhorne25
      Copper Contributor

      Thanks for the reply! On the first one, I understand this, but it was unexpected to see that Defender was blocking itself from quarantining, yet we were still able to use Live Response and delete.


      Thanks for the tips on the second one, but one note is that Tamper Protection is on, yet the Device Control registry values are not under that protection for some reason. I was unable to adjust any Defender registry values like RTP or exclusions, but was easily able to remove/add/edit the PolicyRules registry value with local admin.
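The "reapply automatically" step from the reply, and the follow-up observation that Tamper Protection does not cover these values, as an added example that is not part of the thread: a PowerShell drift check that compares the PolicyRules/PolicyGroups registry values against known-good copies and optionally re-applies them, suitable for a scheduled task, GPO startup script or Intune remediation. It assumes the values are REG_SZ strings under HKLM\SOFTWARE\Microsoft\Windows Defender\Policy Manager (the path named in the question) and that $BaselineDir, an assumed location, holds PolicyRules.xml and PolicyGroups.xml exported from a compliant device.

```powershell
# Added example (not from this thread): detect drift in Device Control registry values
# and optionally re-apply them from a baseline. Assumed: values are REG_SZ under the
# key below; $BaselineDir is an assumed path holding known-good XML exports.
param(
    [string]$BaselineDir = 'C:\ProgramData\DeviceControlBaseline',  # assumed location
    [switch]$Reapply                                                  # detect only by default
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Policy Manager'
$Values  = @{ PolicyRules = 'PolicyRules.xml'; PolicyGroups = 'PolicyGroups.xml' }

$findings = @()
foreach ($name in $Values.Keys) {
    # Known-good content exported from a compliant device.
    $expected = Get-Content -Path (Join-Path $BaselineDir $Values[$name]) -Raw
    # Null when the value (or the whole key) has been removed by a local admin.
    $current  = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current)           { $state = 'missing' }
    elseif ($current -cne $expected)  { $state = 'modified' }   # case-sensitive compare
    else                              { $state = 'ok' }
    if ($state -eq 'ok') { continue }

    $findings += "$name is $state"
    if ($Reapply) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $name -Value $expected -Type String
        $findings += "$name re-applied from baseline"
    }
}

if ($findings) {
    # Non-zero exit marks the device non-compliant for the scheduler or Intune remediation;
    # the findings themselves go to the script output for central logging.
    $findings | ForEach-Object { Write-Output $_ }
    exit 1
}
Write-Output 'Device Control registry values match baseline'
exit 0
```

Re-applying the values only restores the rules after the fact; it does not stop a local admin from removing them again, which is why the reply pairs it with removing standing admin rights (LAPS or PIM/JIT).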
