Let’s discuss How to Deploy Granular USB Lockdown with Defender Device Control in Intune. Microsoft Defender Device Control setting is crucial for managing device security and preventing data loss in an organization.
This policy allows you to then configure much more granular policies (groups, rules, and access masks like read, write, or execute) to audit, allow, or block specific types of devices, such as USB drives, CD/DVDs, and portable devices (like external hard drives or phones).
By enabling this policy, admins ensure Data Loss Prevention (DLP). External media, like USB drives, is a primary vector for data exfiltration (data theft). Enabling this feature allows granular control to prevent sensitive corporate data from being copied onto personal or unauthorized removable storage.
For example admins can configure this policy for Stops users from printing sensitive documents at home or to unauthorized external printers, which is a common form of data leakage. And also you can controls the use of wireless peripherals, preventing potential over-the-air attacks or connections to rogue devices.
Table of Contents
How to Deploy Granular USB Lockdown with Defender Device Control in Intune
The Defender Device Control feature allows for highly specific policies: e.g., allow read-only access for all users, but grant full access only to a specific list of authorized and encrypted USB drives or a specific group of users (like IT Administrators).
- How to Configure Check for Signatures before Running Scan Policy using Intune
- How to Allow or Block Email Scanning using Intune Policy
- Allow or Disallow Scanning of Archives using Intune Policy
Configure Device Control Policy from Intune Portal
You can easily access Defender Device Control policy from Intune Portal. Sign in to Microsoft Intune admin center. Then go to Devices > Configuration > +Create >+ New Policy.
Profile Creation for Policy
The next step is Profile Creation for Policy that allows admins to choose specific platform and profile type. This is very essential to apply the policy to appropriate Platform and Profile Type. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Basics Tab for Beginning Policy
As per the heading, basic tab is the begging stage that helps you to add basic details like name and description for the policy. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configuration Settings for Selecting Settings
Next is the the configuration settings tab that helps you to access settings picker to select specific settings for policy creation. To get the Settings Picker, click on the +Add settings hyperlink. Here, I would like to select the settings by browsing by Category. I choose Defender. Then, I choose Device Control settings.
Disable Defender Device Control
For smaller organizations or those with less strict security requirements, fully managing and configuring granular device control rules can add significant administrative overhead. Disabling it simplifies IT management.
Enable Defender Device Control
When enabled, all device connection and access attempts are logged and can be viewed in the Microsoft Defender portal (Advanced Hunting). This provides crucial visibility for security teams to monitor usage and investigate security incidents.
Selecting Scope Tags
Scope Tags sections help you add restrictions to the visibility of the Policy. But it is not a mandatory step, so you can skip this step. Here, I don’t add scope tags for Enterprise IP Range Policy. Click on the Next button.
Review + Create Tab
Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync, the device on the Company Portal, Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer
It helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > Windows Defender > Operational.
- You can see the success result on 5007
| Event Viewer Details |
|---|
| Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\Features\DeviceControlEnabled = 0x0 New value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager AFeatures\DeviceControlEnabled – 0v1 |
Removing the Assigned Group from Defender Device Control Policy Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Defender Device Control Policy
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc