Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune
If you're using Intune to manage Defender for Endpoint settings, you can use it to deploy and manage device control capabilities. Different aspects of device control are managed differently in Intune, as described in the following sections.
Go to Endpoint security > Attack surface reduction.
Under Attack surface reduction policies, either select an existing policy, or select + Create Policy to set up a new policy, using these settings:
In the Platform list, select Windows 10, Windows 11, and Windows Server. (Device control isn't currently supported on Windows Server, even though this is the platform you select for device control policies.)
In the Profile list, select Device Control.
On the Basics tab, specify a name and description for your policy.
On the Configuration settings tab, you see a list of settings. You don't have to configure all of these settings at once. Consider starting with Device Control.
Under Bluetooth, you see a list of settings that pertain to Bluetooth connections and services. For more details, see Policy CSP - Bluetooth.
Under Device Control, you can configure custom policies with reusable settings. For more details, see Device control overview: Rules.
After you have configured your settings, proceed to the Scope tags tab, where you can specify scope tags for the policy.
On the Assignments tab, specify groups of users or devices to receive your policy. For more details, see Assign policies in Intune.
On the Review + create tab, review your settings, and make any needed changes.
When you're ready, select Create to create your device control policy.
Device control profiles
In Intune, each row represents a device control policy. The included ID is the reusable setting that the policy applies to. The excluded ID is the reusable setting that's excluded from the policy. The entry for the policy contains the permissions allowed and the behavior for device control that comes into force when the policy applies.
For information on how to add the reusable groups of settings that are included in the row of each device control policy, see the Add reusable groups to a Device Control profile section in Use reusable groups of settings with Intune policies.
Policies can be added and removed using the + and – icons. The name of the policy appears in the warning to users, and in advanced hunting and reports.
Note
The order of policies in the UI isn't preserved when policies are enforced, so you can't rely on one policy taking precedence over another. The best practice is to set the default enforcement to DENY, and then use Allow policies. Ensure that the Allow policies don't intersect: when two Allow policies could match the same device, explicitly exclude that device from one of them.
Defining Settings with OMA-URI
To use the following table, identify the setting you want to configure, and then use the information in the OMA-URI and data type & values columns. Settings are listed in alphabetical order.

Setting | OMA-URI, data type, & values
Device control default enforcement. Default enforcement establishes what decisions are made during device control access checks when none of the policy rules match. |
Creating policies with OMA-URI
When you create policies with OMA-URI in Intune, create one XML file for each policy. As a best practice, use the Device Control Profile or Device Control Rules Profile to author custom policies.
In the Add Row pane, specify the following settings:
In the Name field, type Allow Read Activity.
In the OMA-URI field, type ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b[PolicyRule Id]%7d/RuleData. The [PolicyRule Id] is the GUID you assign in the Id attribute of the PolicyRule XML; the %7b and %7d are the percent-encoded braces around it.
In the Data Type field, select String (XML file), and use Custom XML.
Creating groups with OMA-URI
When you create groups with OMA-URI in Intune, create one XML file for each group. As a best practice, use reusable settings to define groups.
In the Add Row pane, specify the following settings:
In the Name field, type Any Removable Storage Group.
In the OMA-URI field, type ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b[GroupId]%7d/GroupData. The [GroupId] is the GUID you assign in the Id attribute of the Group XML (any newly generated GUID works); it must be the same value in the XML and in the OMA-URI, with the braces percent-encoded as %7b and %7d.
In the Data Type field, select String (XML file), and use Custom XML.
Note
Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be placed inside the first XML tag (the Group or PolicyRule element), not on the first line of the XML file before it.
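The following script is an added example, not Microsoft's code, that ties together the OMA-URI, rule and group sections above and the note about non-intersecting Allow policies. It builds the Group and PolicyRule payloads with the element names the page refers to, derives the percent-encoded OMA-URI for each GUID, checks that no XML comment precedes the root element, and flags pairs of Allow rules whose included-minus-excluded device sets overlap. The GUIDs are constructed for the example; the PrimaryId names, AccessMask bits and Entry Options are the documented device control values; and the overlap check models a group as the set of its PrimaryIds, which is a simplification of MatchAny/MatchAll matching.

```python
import re
import uuid
import xml.etree.ElementTree as ET

OMA_BASE = "./Vendor/MSFT/Defender/Configuration/DeviceControl"
GUID_IN_BRACES = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
READ, WRITE, EXECUTE = 1, 2, 4   # disk-level AccessMask bits
OPT_SEND_EVENT = 2               # AuditAllowed option: send an event


def brace(guid):
    return "{" + str(guid) + "}"


def oma_uri(kind, guid):
    """OMA-URI for the GroupData or RuleData node; braces are encoded as %7b / %7d."""
    node, leaf = {"group": ("PolicyGroups", "GroupData"),
                  "rule": ("PolicyRules", "RuleData")}[kind]
    return f"{OMA_BASE}/{node}/%7b{guid}%7d/{leaf}"


def group_xml(group_id, name, primary_ids, match_type="MatchAny"):
    """Group payload; the comment sits inside the root tag, never before it."""
    root = ET.Element("Group", Id=brace(group_id), Type="Device")
    root.append(ET.Comment(oma_uri("group", group_id)))
    ET.SubElement(root, "Name").text = name
    ET.SubElement(root, "MatchType").text = match_type
    ids = ET.SubElement(root, "DescriptorIdList")
    for pid in primary_ids:
        ET.SubElement(ids, "PrimaryId").text = pid
    return ET.tostring(root, encoding="unicode")


def rule_xml(rule_id, name, included, excluded, access_mask):
    """Allow access_mask on included-minus-excluded groups and audit each allowed access."""
    root = ET.Element("PolicyRule", Id=brace(rule_id))
    ET.SubElement(root, "Name").text = name
    for tag, groups in (("IncludedIdList", included), ("ExcludedIdList", excluded)):
        lst = ET.SubElement(root, tag)
        for gid in groups:
            ET.SubElement(lst, "GroupId").text = brace(gid)
    for entry_type, options in (("Allow", 0), ("AuditAllowed", OPT_SEND_EVENT)):
        entry = ET.SubElement(root, "Entry", Id=brace(uuid.uuid4()))
        ET.SubElement(entry, "Type").text = entry_type
        ET.SubElement(entry, "Options").text = str(options)
        ET.SubElement(entry, "AccessMask").text = str(access_mask)
    return ET.tostring(root, encoding="unicode")


def check_payload(xml_text, expected_root):
    """Problems with an authored Group/PolicyRule file; an empty list means it is ready to paste."""
    problems = []
    if xml_text.lstrip().startswith("<!--"):   # the parser tolerates this, Intune's note does not
        problems.append("comment precedes the root element; move it inside the first tag")
    root = ET.fromstring(xml_text)
    if root.tag != expected_root:
        problems.append(f"root element is {root.tag}, expected {expected_root}")
    if not GUID_IN_BRACES.match(root.get("Id", "")):
        problems.append("Id must be a GUID in braces and match the GUID in the OMA-URI")
    return problems


def group_members(group_text):
    root = ET.fromstring(group_text)
    return root.get("Id"), {p.text for p in root.iter("PrimaryId")}


def effective_devices(rule_text, groups):
    """PrimaryIds a rule can match: included groups minus excluded groups (simplified model)."""
    root = ET.fromstring(rule_text)
    def ids(tag):
        return set().union(*(groups[g.text] for g in root.find(tag)))
    return ids("IncludedIdList") - ids("ExcludedIdList")


def overlapping_allow_rules(rules, groups):
    """Pairs of Allow rule names whose effective device sets intersect; should be empty."""
    eff = {ET.fromstring(r).findtext("Name"): effective_devices(r, groups) for r in rules}
    names = list(eff)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if eff[a] & eff[b]]


# Constructed GUIDs for the example (generate your own with uuid.uuid4()).
ANY_REMOVABLE = uuid.UUID("9b28fae8-72f7-4267-a1a5-685f747a7146")
CDROM_ONLY = uuid.UUID("3f082cd3-f701-4c21-9a6a-ed115c28be1d")
READ_RULE = uuid.UUID("c9cf6fb4-8c0e-4d90-ae3a-5ea6bf1a67ea")

GROUP_A = group_xml(ANY_REMOVABLE, "Any Removable Storage Group",
                    ["RemovableMediaDevices", "CdRomDevices", "WpdDevices"])
GROUP_B = group_xml(CDROM_ONLY, "CD-ROM Group", ["CdRomDevices"])
# Read-only access to removable storage except CD/DVD; pair it with default enforcement = deny
# (./Vendor/MSFT/Defender/Configuration/DefaultEnforcement, integer 2, from Microsoft's reference).
RULE = rule_xml(READ_RULE, "Allow Read Activity", [ANY_REMOVABLE], [CDROM_ONLY], READ)
GROUPS = dict(group_members(g) for g in (GROUP_A, GROUP_B))

if __name__ == "__main__":
    for kind, guid, text, root in (("group", ANY_REMOVABLE, GROUP_A, "Group"),
                                   ("group", CDROM_ONLY, GROUP_B, "Group"),
                                   ("rule", READ_RULE, RULE, "PolicyRule")):
        print(oma_uri(kind, guid), check_payload(text, root) or "OK")
    print("overlapping Allow rules:", overlapping_allow_rules([RULE], GROUPS))
```

Paste each generated string into the Add Row pane as Custom XML against the OMA-URI printed beside it. Run overlapping_allow_rules over every Allow rule you intend to deploy before assigning the profile; because enforcement order isn't preserved, any pair it reports is a policy whose effect on the shared devices is undefined.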
Configure removable storage access control using OMA-URI
Choose Devices > Configuration profiles. The Configuration profiles page appears.
Under the Policies tab (selected by default), select + Create, and choose + New policy from the drop-down that appears. The Create a profile page appears.
In the Platform list, select Windows 10, Windows 11, and Windows Server, and in the Profile type list, choose Templates.
Once you choose Templates from the Profile type drop-down list, the Template name pane is displayed, along with a search box (to search the profile name).
Select Custom from the Template name pane, and select Create.
On the Configuration settings tab, select Add and create a row for each setting, group, or policy, using the Name, OMA-URI, data type, and XML described in the preceding sections.
View device control groups (Reusable settings)
In Intune, device control groups appear as reusable settings.
Manage groups of settings for Intune profiles as a single object and then add that settings group object to multiple profile instances. Later changes you make to the settings groups automatically apply to each profile that includes the reusable settings group.