Device Control with Defender for Endpoint not capturing evidence

Recently Defender for Endpoint has stopped capturing evidence when transferring files to a USB device and I can't figure out what's changed. The policy is included below, and we're deploying using GPO:

<PolicyRules>
  <PolicyRule Id="{36ae1037-a639-4cff-946b-b36c53089a4c}">
  <!-- Rule that permits and audits specific approved devices -->
    <Name>Audit Write access to approved USBs</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="{a0bcff88-b8e4-4f48-92be-16c36adac930}">
      <Type>Allow</Type>
      <Options>8</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>

And the group is:

<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <!-- Group for all removable devices -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>

This policy should allow all devices R/W access and create a copy of the file in the location defined in the settings. I've tried setting the location to both a network share and local paths (C:\Temp\ and C:\Temp\temp). In the security portal at security.microsoft.com, when evidence is captured it creates a RemovableStorageFileEvent. We have stopped getting these events, but we still get RemovableStoragePolicyTriggered events, indicating the policy is applied. I also see the evidence locally on the machine at "C:\Windows\Defender Duplication Data". The issue seems to be with moving the evidence from the local store to the location defined in the settings, but I can't figure out why it won't move. Any help is appreciated.
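As an added example (not part of the original post or of Microsoft's tooling), a small Python checker that parses the two XML fragments above, verifies that every GroupId referenced by a rule is actually defined in Groups, and decodes the Entry's AccessMask and Options bits so a policy reviewer can see at a glance that 63 means all six device/file access types and that Options 8 is the bit that requests file evidence. The bit meanings follow Microsoft's published Device Control documentation and are an assumption here; the RULES_XML and GROUPS_XML constants are the poster's fragments reproduced as sample input.

```python
import xml.etree.ElementTree as ET

# Bit meanings as published in Microsoft's Device Control docs (assumed here;
# verify against the current documentation before relying on them).
ACCESS_MASK_BITS = {1: "Device Read", 2: "Device Write", 4: "Device Execute",
                    8: "File Read", 16: "File Write", 32: "File Execute"}
ALLOW_OPTION_BITS = {4: "Disable AuditAllowed/AuditDenied",
                     8: "Copy file as evidence + RemovableStorageFileEvent"}

# The poster's two fragments, reproduced as the sample input.
RULES_XML = """<PolicyRules><PolicyRule Id="{36ae1037-a639-4cff-946b-b36c53089a4c}">
  <Name>Audit Write access to approved USBs</Name>
  <IncludedIdList><GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId></IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="{a0bcff88-b8e4-4f48-92be-16c36adac930}"><Type>Allow</Type>
    <Options>8</Options><AccessMask>63</AccessMask></Entry>
</PolicyRule></PolicyRules>"""
GROUPS_XML = """<Groups><Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId>
    <PrimaryId>CdRomDevices</PrimaryId><PrimaryId>WpdDevices</PrimaryId></DescriptorIdList>
</Group></Groups>"""

def decode_bits(value, table):
    """Name each set bit; bits the table does not know are reported explicitly."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names

def check_policy(rules_xml, groups_xml):
    """Cross-check every GroupId reference and decode every Entry's bitmasks."""
    known_groups = {g.get("Id") for g in ET.fromstring(groups_xml).iter("Group")}
    entries, findings = [], []
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        name = rule.findtext("Name")
        for gid in rule.iter("GroupId"):
            if gid.text not in known_groups:
                findings.append(f"{name}: GroupId {gid.text} is not defined in Groups")
        for entry in rule.iter("Entry"):
            options = int(entry.findtext("Options") or 0)
            mask = int(entry.findtext("AccessMask") or 0)
            entries.append({"rule": name, "type": entry.findtext("Type"),
                            "options": decode_bits(options, ALLOW_OPTION_BITS),
                            "access": decode_bits(mask, ACCESS_MASK_BITS)})
            if options & 8:  # evidence capture also needs the file-copy location setting
                findings.append(f"{name}: Options bit 8 set; confirm the file-copy location setting")
    return {"entries": entries, "findings": findings}
```

The checker only validates the XML side; the evidence-location setting the poster mentions is delivered separately (here via GPO) and has to be confirmed on the endpoint itself.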

2 Replies
best response confirmed by ZachThornton (Copper Contributor)
Solution

This is a Microsoft problem and they've removed it from their documentation. They're working on a fix, so hopefully it'll be re-added.

Good to know; we have the same issue at my company.