Device Control policies (LGPO) not working as expected


I'm having trouble getting Device Control policies to work as they should. It seems like all device group filtering misses removable USB storage devices, and only a default deny policy affects them in any way. Even with the default deny policy, the storage device can be opened and browsed, but at least files cannot be opened. The policies have been tested on several machines, all running Windows 11.


The following files were used, targeted via local GPO (customer uses GPOs to manage devices, we're attempting to create a test environment matching production as closely as possible):


anyRemovableMediaGroup.xml


<Groups>
    <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
        <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
            <PrimaryId>RemovableMediaDevices</PrimaryId>
        </DescriptorIdList>
    </Group>
</Groups>


gpo_USBRestriction_Policy_Deny_RemovableMedia.xml


<PolicyRules>
    <PolicyRule Id="{a44a40ca-4337-4dd6-a50b-ea5c5ed65b0b}">
        <Name>Block Write and Execute access to all</Name>
        <IncludedIdList>
            <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
        </IncludedIdList>
        <ExcludedIdList></ExcludedIdList>
        <Entry Id="{daaf2d0d-89d6-4b25-b23f-0ff0932fdf6e}">
            <Type>Deny</Type>
            <AccessMask>7</AccessMask>
            <Options>0</Options>
        </Entry>
    </PolicyRule>
</PolicyRules>


We also installed newest ADMX templates and used the Specific Device Types setting to target "RemovableMediaDevices", but no change was visible.


Checking Defender settings with "Get-MpComputerStatus" returns the following, showing device control is active:

DeviceControlDefaultEnforcement  : DefaultDeny
DeviceControlPoliciesLastUpdated : 25.3.2024 10.51.25
DeviceControlState               : Enabled


The changes are visible in the registry under "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" and "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Device Control".
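A troubleshooting script for the setup described above, added here as an example (not part of the original post or of Microsoft's tooling). It loads the two XML files by the names used in the post (assumed to be in the current directory), checks that every GroupId referenced by a PolicyRule is actually defined in the Groups file, and decodes each Entry's AccessMask using the bit values documented for Defender Device Control, separating the device-level bits (1, 2, 4) from the file-level bits (8, 16, 32), which is worth comparing against the behaviour observed when a Deny rule does not act as expected.

```powershell
# Added example, not from the original post. Assumes the two XML files from the
# post are in the current directory under the same file names.
$groupsXml = [xml](Get-Content -Raw '.\anyRemovableMediaGroup.xml')
$rulesXml  = [xml](Get-Content -Raw '.\gpo_USBRestriction_Policy_Deny_RemovableMedia.xml')

# AccessMask bit values as documented for Defender Device Control
$maskBits = [ordered]@{
    1  = 'Device Read'
    2  = 'Device Write'
    4  = 'Device Execute'
    8  = 'File Read'
    16 = 'File Write'
    32 = 'File Execute'
    64 = 'Print'
}

# Normalise GUID text so braces or letter case do not hide a mismatch
function Normalize-Guid([string]$s) { return $s.Trim().Trim('{}').ToLowerInvariant() }

# Index every group defined in the Groups file by its normalised Id
$knownGroups = @{}
foreach ($g in @($groupsXml.Groups.Group)) {
    $descriptors = $g.DescriptorIdList.ChildNodes | ForEach-Object { "$($_.Name)=$($_.InnerText)" }
    $knownGroups[(Normalize-Guid $g.Id)] = ($descriptors -join ', ')
}

# Walk each rule: verify group references, then decode each entry's mask
foreach ($rule in @($rulesXml.PolicyRules.PolicyRule)) {
    Write-Host "Rule '$($rule.Name)' [$($rule.Id)]"
    foreach ($gid in @($rule.IncludedIdList.GroupId) + @($rule.ExcludedIdList.GroupId)) {
        if (-not $gid) { continue }   # empty ExcludedIdList yields no GroupId
        $key = Normalize-Guid $gid
        if ($knownGroups.ContainsKey($key)) {
            Write-Host "  group $gid -> $($knownGroups[$key])"
        } else {
            Write-Warning "  group $gid is referenced by the rule but not defined in the Groups file"
        }
    }
    foreach ($e in @($rule.Entry)) {
        $mask  = [int]$e.AccessMask
        $names = $maskBits.Keys | Where-Object { ($mask -band $_) -ne 0 } | ForEach-Object { $maskBits[$_] }
        Write-Host "  entry $($e.Type) mask=$mask -> $($names -join ', ')"
    }
}

# Finally, compare the files with what the engine itself reports
Get-MpComputerStatus |
    Select-Object DeviceControlState, DeviceControlDefaultEnforcement, DeviceControlPoliciesLastUpdated
```

For the policy file in the post the script reports the single Deny entry with mask 7 as Device Read, Device Write, Device Execute, and warns if the rule's GroupId does not match the Id in the Groups file.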

1 Reply
The policy points to windows-server-2012-r2 and thereafter. Depending on the control Windows platform, e.g. Windows 10, 11 or additional editions. Connectors for #home computers are a configuration to connect business apps. If #home computers have login to the business app, the device registry in my account control /devices should show being 'disable'. Most end users use check for updates in the Windows settings (using a #home Windows system), and the DeviceControlPoliciesLastUpdated should be registered to the latest WUS security update for the device.