Device Control with MDE and Endpoint Manager

This time something short and less in the world of incident response or Azure Sentinel. I came across countless requests for device control and blocking mass storage devices in various forms. The most common is the external blocking storage and monitor access. Below, a short guide that focuses on securing, monitoring, and a quick query for MDE.

This post is part of a series of articles that help understand device control with Microsoft Defender for Endpoint and Endpoint Manager. The first article focuses on the complete blocking and monitoring of mass storage devices. It will discuss controlling Mass Storage in many situations, including USB devices, safelists, and others.

The series of articles will focus on the following topics

  • Blocking Specific Hardware
  • Preventing Write Access Removable Storage
  • Control printer protection on Windows

Microsoft Defender for Endpoints has excellent features to protect devices against data loss. This feature provides a layered approach to secure removable hardware like a mass storage device with Device Control. When using Device Control, you could make sure users cannot install specific hardware on the devices or make sure removable storage can’t be used.

The only prerequisite? It would be best to make sure Microsoft Defender for Endpoints is enabled and active, and you’ve got Endpoint Manager to apply the Device Control policy.

Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as removable storage devices and USB drives.

With the device control report, you can view events that relate to media usage, such as:

  • Audit events show the number of audit events that occur when external media is connected
  • Policy events show the number of policy events that happen when a device control policy is triggered

The audit events include:

  • USB drive mounts and unmount audit events that are generated when a USB drive is mounted or unmounted.
  • PnP audit events are generated when removable storage, a printer, or Bluetooth media is connected.
  • Removable storage access control events are generated when a removable storage access control policy is triggered. It can be Audit, blocked, or Allowed.

Block Removable Storage

First, let’s create a policy that blocks mass storage of USB external devices from the Endpoint Manager console. This device control policy is part of the Endpoint Security and Attack Surface Reduction.

When creating the policy, make sure to choose Device Control

The configuration settings must configure with Block removable storage that provides locking removable storage on the device.

Block Removable Storage

Next, assign the relevant group and create the policy.

Once the policy applies to the Windows 10 machine, we can check if the policy is working. If everything is excellent, you can show the following notification on your File Explorer.

Now that we know we are safe from external mass storage let’s check how MDE provides excellent insight into the activity.

Monitor Mass Storage

Microsoft Defender for Endpoint provides valuable ways to monitor device control, from Report to Query.

First, let’s understand the threat activity involving USB devices


DeviceEvents provides information, and you can find events related to mounting and unmounting of USB drives as well as the setting of drive letters:
  • UsbDriveMount
  • UsbDriveUnmount
  • UsbDriveDriveLetterChanged

Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. Each of these action types includes relevant contextual information, such as:

  • Drive letter
  • Bus type
  • Product name of the device
  • Product revision
  • Serial number
  • Manufacturer
  • Volume

MDE Reports

Microsoft Defender for Endpoint Reports option provides information about security trends and tracks the protection status of your identities, data, devices, apps, and infrastructure. One of these reports is Device Control.

Device control in Microsoft Defender for Endpoint empowers admins with tools that enable them to track their organization’s device control security through reports. You can find the device control report in the XDR console by going to Reports > Device protection.

The Device protection card on the Reports dashboard shows the number of audit events generated by media type over the last 180 days. The page provides a dashboard with an aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID.

Monitor Mass Storage

When you select a specific event, a new window appears on the right side that shows you more information:

  • General details with date, action mode, policy, and Access to this event.
  • Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Serial number, and Bus type.
  • Location details device name, user, and device ID.

In addition, you can filter the results based on policy and media class.

Once you are filtering with some values, the results will show like the image below.

From there, we can open Advanced Hunting and query the results that we’ve already got. But it’s not a friendly query, so let’s take something else.

The query below provides a friendly result with names and values that we can understand.

The query available on my GitHub MassStorage_MDE.kusto


Like any other scenario, we want to know if someone is trying to plug external mass storage and which action is made on each action. This can be done via the detection rule. If you run the query successfully, create a new detection rule. This option automatically prevents devices with alerts from connecting to the network.

If you’re working with device state and it’s recommended to choose informational on severity because


DeviceID is part of the query, so you must choose these entities.

The auto mitigation is cool because you can respond with one or more of the following actions.

Then, select your device group.

That it, a simple configuration to block mass storage devices with Endpoint Manager and monitor with Microsoft Defender for Endpoint.

Security Archives – Elli Shlomo (

You may also like...

Leave a Reply

error: Content is Protected !!