Device Control - Temporary Access to a given USB Device

Brass Contributor

Hi there,


I am currently exploring how deep the DFE Device Control policies will allow you to go, to see how feasible it is compared to a point solution.


At present it looks like you can do most of the basic things you would expect to be able to do, albeit with virtually zero UI to work with and hand-crafted XML files, ouch!


I am reading through all of the Microsoft documentation but so far I see no mention of being able to add a "Temporary Bypass" for a particular device or similarly-named feature that would allow a user to get ad-hoc access to a given device.


The use case has been around since Day One of device control products being on the market, see the example set of policies many environments have:


1.) Block access to "everything" by default

2.) Allow these users to do what they want

3.) Allow access to these specific types of device for everyone

4.) Allow access to these specific devices, based on serial number

5.) Allow this device IMMEDIATLEY because someone has a presentation on an untrusted USB stick


So in requirement 5 this kind of thing comes up all the time, ad-hoc access is needed right there and then, usually involving a board room, a projector and several C-level executives. And of course, the laptop running DFE is also likely off the network, so won't get policy updates for standard whitelisting additions either easily or quickly.


What is needed is an out-of-band Challenge Response based system where a code can be requested (or another similar mechanism) that will either bypass the Device Control policy completely, or at the very least allow the required (USB stick!) to be accessible for a finite period of time.


Would anyone on this forum happen to know if such a feature exists with Defender for Endpoint Device Control, before a I sink a bunch of time into learning how it works with InTune and constructing XML files to create policies?


For prospect customers who may wish to leverage Device Control as part of their DFE deployment this is not far off a deal-breaker if this kind of "Break Glass" feature doesn't exist.


Thanks very much for your comments.


Kind regards,



0 Replies