You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/device-control-walkthroughs.md
+3-4Lines changed: 3 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,8 +36,7 @@ By default, [device control](device-control-overview.md) is disabled and there a
36
36
37
37
Device control in Defender for Endpoint identifies a device based on its properties. Device properties are visible by selecting an entry in the report.
38
38
39
-
The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.mddata is also available in [advanced hunting](/defender-xdr/advanced-hunting-overview), by searching for the `Plug and Play Device Connected action` (`PnPDeviceConnected`), as shown in the following example query:
40
-
39
+
The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.md)). Data is also available in [Advanced Hunting](/defender-xdr/advanced-hunting-overview), by searching for the Plug and Play Device Connected action (`PnPDeviceConnected`), as shown in the following example query:
41
40
```kusto
42
41
43
42
DeviceEvents
@@ -62,7 +61,7 @@ DeviceControlState : Disabled
62
61
63
62
```
64
63
65
-
Change the device control state to be enabled* on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
64
+
Change the device control state to be enabled on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
66
65
67
66
```powershell
68
67
@@ -184,7 +183,7 @@ The following screenshot shows the settings we used for our example:
184
183
185
184
By default, the sample uses the Global SID of `S-1-1-0`. Before deploying the policy, you can change the SID associated with the authorized USBs (writeable USBs) to `User1` and change the SID associated with the Read Only USBs to `User2`.
186
185
187
-
Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs.
186
+
Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs.
188
187
189
188
Device control also supports group SIDs. Change the SID in the read-only policy to a group that contains `User2`. Once the policy is redeployed, the rules are the same for User 2 or any other user in that group.
0 commit comments