Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune

Applies to:

If you're using Intune to manage Defender for Endpoint settings, you can use it to deploy and manage device control capabilities. Different aspects of device control are managed differently in Intune, as described in the following sections.

Configure and manage device control in Intune

  1. Go to the Intune admin center and sign in.

  2. Go to Endpoint security > Attack surface reduction.

  3. Under Attack surface reduction policies, either select an existing policy, or select + Create Policy to set up a new policy, using these settings:

    • In the Platform list, select Windows 10, Windows 11, and Windows Server. (Device control is not currently supported on Windows Server, even though you select this profile for device control policies.)
    • In the Profile list, select Device Control.
  4. On the Basics tab, specify a name and description for your policy.

  5. On the Configuration settings tab, you see a list of settings. You don't have to configure all of these settings at once. Consider starting with Device Control.

    Screenshot of Intune user interface for device control policies.

  6. After you have configured your settings, proceed to the Scope tags tab, where you can specify scope tags for the policy.

  7. On the Assignments tab, specify groups of users or devices to receive your policy. For more details, see Assign policies in Intune.

  8. On the Review + create tab, review your settings, and make any needed changes.

  9. When you're ready, select Create to create your device control policy.

Device control profiles

In Intune, each row represents a device control policy. The included ID is the reusable setting that the policy applies to. The excluded ID is the reusable setting that's excluded from the policy. The entry for the policy contains the permissions allowed and the behavior for device control that comes into force when the policy applies.

The screenshot that shows the page on which you can configure the settings for the Device Control capability.

For information on how to add the reusable groups of settings that are included in the row of each device control policy, see the Add reusable groups to a Device Control profile section in Use reusable groups of settings with Intune policies.

Policies can be added and removed using the + and icons. The name of the policy appears in the warning to users, and in advanced hunting and reports.

You can add audit policies, and you can add Allow/Deny policies. It is recommended to always add an Allow and/or Deny policy when adding an audit policy so that you don't experience unexpected results.

Important

If you only configure audit policies, the permissions are inherited from the default enforcement setting.

Note

  • The order in the which policies are listed in the user interface isn't preserved for policy enforcement. The best practice is to use Allow/Deny policies. Ensure that the Allow/Deny policies option is non-intersecting by explicitly adding devices to be excluded. Using Intune's graphical interface, you cannot change the default enforcement. If you change the default enforcement to Deny, and create an Allow policy to be applied specific devices, all devices are blocked except for any devices that are set in the Allow policy.

Defining Settings with OMA-URI

Important

Using Intune OMA-URI to configure device control requires the Device Configuration workload to be managed by Intune, if the device is co-managed with Configuration Manager. For more information, see How to switch Configuration Manager workloads to Intune.

In the following table, identify the setting you want to configure, and then use the information in the OMA-URI and data type & values columns. Settings are listed in alphabetical order.

Setting OMA-URI, data type, & values
Device control default enforcement
Default enforcement establishes what decisions are made during device control access checks when none of the policy rules match
./Vendor/MSFT/Defender/Configuration/DefaultEnforcement

Integer:
- DefaultEnforcementAllow = 1
- DefaultEnforcementDeny = 2
Device types
Device types, identified by their Primary IDs, with device control protection turned on. You must specify the product family IDs, separated by a pipe. When selecting multiple devices types you need to ensure the string is all one word with no spaces. A configuration that does not follow this syntax will cause unexpected behavior.
./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration

String:
- RemovableMediaDevices
- CdRomDevices
- WpdDevices
- PrinterDevices
Enable device control
Enable or disable device control on the device
./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled

Integer:
- Disable = 0
- Enable = 1

Creating policies with OMA-URI

The screenshot that shows the page on which you can create a policy with OMA-URI.

When you create policies with OMA-URI in Intune, create one XML file for each policy. As a best practice, use the Device Control Profile or Device Control Rules Profile to author custom policies.

In the Add Row pane, specify the following settings:

  • In the Name field, type Allow Read Activity.
  • In the OMA-URI field, type ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData. (You could use the PowerShell command New-Guid to generate a new Guid, and replace [PolicyRule Id].)
  • In the Data Type field, select String (XML file), and use Custom XML.

You can use parameters to set conditions for specific entries. Here's a group example XML file for Allow Read access for each removable storage.

Note

Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

Creating groups with OMA-URI

The screenshot that shows the page on which you can create a group with OMA-URI.

When you create groups with OMA-URI in Intune, create one XML file for each group. As a best practice, use reusable settings to define groups.

In the Add Row pane, specify the following settings:

  • In the Name field, type Any Removable Storage Group.
  • In the OMA-URI field, type ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData. (To get your GroupID, in the Intune admin center, go to Groups, and then select Copy the Object ID. Or, you could use the PowerShell command New-Guid to generate a new Guid, and replace [GroupId].)
  • In the Data Type field, select String (XML file), and use Custom XML.

Note

Comments using XML comment notation <!-- COMMENT -- > can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

Configure removable storage access control using OMA-URI

  1. Go to the Microsoft Intune admin center and sign in.

  2. Choose Devices > Configuration profiles. The Configuration profiles page appears.

  3. Under the Policies tab (selected by default), select + Create, and choose + New policy from the drop-down that appears. The Create a profile page appears.

  4. In the Platform list, select Windows 10, Windows 11, and Windows Server from the Platform drop-down list, and choose Templates from the Profile type drop-down list.

    Once you choose Templates from the Profile type drop-down list, the Template name pane is displayed, along with a search box (to search the profile name).

  5. Select Custom from the Template name pane, and select Create.

  6. Create a row for each setting, group, or policy by implementing Steps 1-5.

View device control groups (Reusable settings)

In Intune, device control groups appear as reusable settings.

  1. Go to the Microsoft Intune admin center and sign in.

  2. Go to Endpoint Security > Attack Surface Reduction.

  3. Select the Reusable Settings tab.

See also