Forum Discussion
Sochito - Brass Contributor
Jan 22, 2025
Defender of Endpoint on Comanaged Laptop
We are testing the device control feature of Microsoft Defender for Endpoint (MDE).
- Onboarded a laptop to MDE only (not enrolled to Intune) - created two policies in Defender portal
- Attack Surface reduction - Device Control - this policy could never be successfully applied on the machine (Reason - Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn suggests that Device Control profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.)
- AV - this policy successfully deployed and I could see the deployed config on the machine
- Onboarded to MDE and co-managed (Intune, SCCM) - Configured Endpoint protection workload to be managed by Intune. Created Attack surface reduction Device control policy in Intune portal - policy deployed successfully on the laptop.
- Connected the USB to the device; it showed the following:
- Left the device connected; after a few hours, I could see the capacity and used storage of the USB, but clicking Continue and entering admin credentials also won't allow access to the USB.
- Left the device connected overnight, and the next morning I could double-click the drive and access the content; it directly allowed me read-write access to the USB.
- Unplugged and re-plugged the USB; then it shows the USB is not accessible.
- Connected the USB to the device; it showed the following:
I am not able to understand this inconsistent behaviour; please suggest if I am doing something wrong.
Also, instead of the "Access is denied" message, can we display a message like "As per the corporate policy, you can't access the removable devices." when the user tries to access a USB?
Please help.
- micheleariis - Steel Contributor
To check the Device Control logs, open the Event Viewer and navigate to:
Applications and Services Logs - Microsoft - Windows - Windows Defender - Operational
There you should see events related to Attack Surface Reduction and Device Control. Make sure you run the Event Viewer with administrative privileges; you can then filter the logs for specific errors or messages related to Device Control.
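The same log can be queried from an elevated PowerShell prompt, which makes it easier to line the Device Control entries up against the USB timeline described in the question. This is an added example, not part of the thread; it assumes the Event Viewer path above corresponds to the log name `Microsoft-Windows-Windows Defender/Operational`, and the message filter pattern and the 24-hour window are constructed defaults to adjust.

```powershell
# Added example (not from the thread): pull Device Control-related entries from the
# Defender Operational log and lay them out in time order so gaps in enforcement
# (for example an overnight window where access was suddenly allowed) stand out.
# Run from an elevated PowerShell session, as the reply above notes.
param(
    [int]$Hours = 24,                                 # assumption: how far back to look
    [string]$Match = 'Device Control|removable|USB'   # assumption: message filter pattern
)

# Log name behind "Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational"
$logName = 'Microsoft-Windows-Windows Defender/Operational'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Match }

if (-not $events) {
    Write-Warning "No matching events in the last $Hours hours. Check that the session is elevated and that the policy ever reached this device."
    return
}

# One line per event, oldest first: time, event ID, level and the first line of the message.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Count by event ID so that configuration-change or policy-reload events clustering
# around the moments the behaviour changed are easy to spot.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Compare the timestamps in the first table with when the USB was plugged in, left overnight and re-plugged; a policy sync or configuration event landing in between is the usual explanation for enforcement switching on or off.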
- micheleariis - Steel Contributor
Hi, it’s happening because Device Control isn’t supported on devices managed only by Defender (without Intune). In your co-managed scenario, you may see intermittent behavior due to policy sync delays or conflicts between Intune, SCCM, and any GPOs.
Suggestions:
- Make sure the Endpoint Protection workload is truly moved to Intune
- Force policy sync from both Intune and the client
- Check security/Device Control logs for conflicts
- Reboot after policy application
As for replacing “Access Denied” with a custom message, Windows doesn’t provide a built-in way to override that system error text.
- Sochito - Brass Contributor
Thank you micheleariis; now the device is managed by Intune, but the behaviour is still the same.
The Endpoint Protection and device management workloads are moved to Intune for a pilot collection, and the machines are members of that collection.
Policy forced several times; the behaviour is still the same.
Please share the location of the Device Control logs.