New and Updated Microsoft Intune Device Control Policy Settings

New day new blog post. This is more of an updated guide to what I’ve written some time ago (check below)

What I Will Be Covering? 👇🏽

  1. What’s New?
    1. 🌟 Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
    2. 🌟 Removable Storage Access
    3. 🌟 Defender Scanning (this setting can be found in other policies)
    4. 🌟 Data Protection (this setting can be found in other policies)
    5. 🌟 Dma Guard (this setting can be found in other policies)
    6. 🌟 Services Allowed List in Bluetooth Settings Section
  2. Wrapping Up

What’s New?

🌟 Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria

Is now a part of the policy

This was a prerequisite setting that needed to be set from Administrative Templates earlier and now it’s a part of the policy. That’s a win because there is a chance of not enabling that, or not knowing this is something that needs to be enabled in high and now it’s here.

This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersede less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
Device instance IDs > Device IDs > Device setup class > Removable devices

🌟 Removable Storage Access

Has it’s own settings section with Enabled, Disabled, and Not Configured options.

The policy has extended the control coverage to WPDs (Windows Portable Devices) with this policy.

More on WPDs:

Check this link and this link

From Microsoft text 👇🏽


This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class.

🌟 Defender Scanning (this setting can be found in other policies)

Although the same setting can be found in the Antivirus profile under Endpoint Security it has been included in the Device Control policy as well.

⚠ Make sure you avoid Settings Conflicts if you are planning on enabling both policies!

🌟 Data Protection (this setting can be found in other policies)

Same policy can be found in Security Baseline Policy as well.

Controls including Block, Allow, and Not Configured

⚠ Make sure you avoid Settings Conflicts if you are planning on enabling both policies!

🌟 Dma Guard (this setting can be found in other policies)

Same policy can be found in Security Baseline Policy as well.

Controls including Block All, Only after log in/ screen unlock, Allow All, and Not Configured

⚠ Make sure you avoid Settings Conflicts if you are planning on enabling both policies!

🌟 Services Allowed List in Bluetooth Settings Section

From Microsoft Text 👇🏽

When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It’s an allowed list, enabling admins to still allow custom Bluetooth profiles that aren’t defined by the Bluetooth Special Interests Group (SIG).

ServiceAllowedList Usage Guide Information can be found here

Wrapping Up

It’s a good thing that finally removable media other than the standard USB drivers has been covered in the policy. Also configuring these settings along with the Defender scanning, Data Protection, Dma Guard in the same policy is also ideal because as I mentioned earlier, there is a chance of not configuring these settings if you are specifically not looking at an AV policy or a Security Baseline policy. And the other side of the coin is, if you are configuring those policies, make sure you avoid settings conflicts and document them accordingly.

One thought on “New and Updated Microsoft Intune Device Control Policy Settings

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.