Device control policy not working properly.


We have set a device control policy to do the following: Allow installation of only specified device classes + Device control configuration for mass storage devices (which denies all removable devices, excluding one reusable setting for whitelisted devices). The issue is that sometimes the policy works OK, but sometimes devices are not being blocked despite not being allowed.

2 Replies


We are having the same issue with a few additions.

So, we've tried to deploy storage device management in the company that was supposed to block all storage devices (USB, ext HDD etc.) and allow specific approved devices using this document, but an MS Support person told us the Intune controls in the doc are for preventing installation of all system devices (and drivers, surprise!), not just USBs. Even with all the GUIDs in the doc added as 'allowed' in Intune, we had a pretty crappy month of WiFi, graphics, BT, sound, printers and even monitors blocked by this policy.

I've tried using this doc (Intune > Scenario 1) but it doesn't work. The reusable settings are in the registry, but the 'allowed' devices are still being blocked on Windows 10. Also, the policy is entirely non-functional on Windows 11 - it doesn't even block the storage devices even with the registry keys present.

I've raised 2 tickets about this and after 4 weeks now, there isn't even an agent assigned to the cases. Can someone please advise? We are on 300+ licenses E3 + E5 Security, which is tons of money, and we can't even get simple 1st line support.


Same scenario for me. Using attack surface reduction and reusable settings for allowing only specific USB drives, it works randomly on some devices, and does not work on others.

All devices show the policy as applied, and all have the registry keys present in:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager