Forum Discussion
MDE Device Control Questions
Hi, Device Control blocks all write operations (create, copy, edit and delete): there is no "delete-only" way. If granularity is needed, use NTFS ACLs or AppLocker/WDAC (file permissions) or a DLP policy.
To prevent local admins from removing registry rules:
- Tamper Protection enabled in Defender.
- Remove permanent admin privileges (use LAPS or PIM/JIT).
- Set restrictive ACLs on the registry key and reapply policies automatically via Intune/GPO.
Thus you combine protection and continuous reapplication, making manual deletion unnecessary.
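The ACL step from the reply above, as an added example that is not code from the original thread or from Microsoft: it breaks inheritance on the Device Control policy key, leaves SYSTEM and TrustedInstaller (the identities the Intune MDM client, the Group Policy client and the Defender service run under) with full control, drops Administrators to read-only, and then prints the resulting DACL so you can verify it. The default registry path is an assumption, as is the choice of identities; point `-RegPath` at the key your deployment actually populates (the one the poster calls the "PolicyRules" registry). Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Restricts the DACL on the
# Device Control policy registry key so that only SYSTEM and TrustedInstaller
# keep write access, then verifies the effective DACL.
param(
    # ASSUMPTION: adjust this to the key your GPO/Intune Device Control policy writes.
    [string]$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
)

if (-not (Test-Path -Path $RegPath)) {
    throw "Registry key not found: $RegPath"
}

$acl = Get-Acl -Path $RegPath

# Break inheritance and discard inherited ACEs, then remove any explicit ACEs,
# so the rules added below are the entire DACL.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($ace)
}

$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Identities are an assumption: SYSTEM covers the Defender service, the MDM
# client and the Group Policy client; TrustedInstaller covers servicing.
$rules = @(
    New-Object System.Security.AccessControl.RegistryAccessRule('NT AUTHORITY\SYSTEM',          $full, $inherit, $prop, $allow)
    New-Object System.Security.AccessControl.RegistryAccessRule('NT SERVICE\TrustedInstaller',  $full, $inherit, $prop, $allow)
    New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators',       $read, $inherit, $prop, $allow)
)
foreach ($rule in $rules) {
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $RegPath -AclObject $acl

# Verify: Administrators should now show ReadKey only; SYSTEM and
# TrustedInstaller FullControl. Anything else means the write did not take.
(Get-Acl -Path $RegPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: a member of the local Administrators group still holds SeTakeOwnershipPrivilege, so they can take ownership of the key and rewrite this DACL. The ACL is a speed bump that raises the effort and leaves a trail, not a hard boundary; the controls that actually hold are the ones the reply pairs it with (no standing local admin, and Intune/GPO reapplying the policy on each refresh). If you want the trail, add a SACL on the same key so that modifications land in the Security log as event 4657 (registry value modified) and alert on that from your SIEM.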
- dhorne25, May 06, 2025, Copper Contributor
Thanks for the reply! On the first one, I understand this, but it was unexpected to see that Defender was blocking itself from quarantining, while we were still able to use Live Response and delete.
Thanks for the tips on the second one, but one note: Tamper Protection is on, but the Device Control registry keys are not under that protection for some reason. I was unable to adjust any Defender registry keys like RTP or exclusions, but was easily able to remove/add/edit the PolicyRules registry key with local admin.