You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/device-control-walkthroughs.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ description: Learn how to work with device control in Defender for Endpoint.
4
4
author: denisebmsft
5
5
ms.author: deniseb
6
6
manager: deniseb
7
-
ms.date: 02/14/2024
7
+
ms.date: 01/24/2025
8
8
ms.topic: overview
9
9
ms.service: defender-endpoint
10
10
ms.subservice: asr
@@ -36,7 +36,7 @@ By default, [device control](device-control-overview.md) is disabled and there a
36
36
37
37
Device control in Defender for Endpoint identifies a device based on its properties. Device properties are visible by selecting an entry in the report.
38
38
39
-
The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.mddata is also available in [advanced hunting](/defender-xdr/advanced-hunting-overview), by searching for the `Plug and Play Device Connected action` (`PnPDeviceConnected`), as shown in the following example query:
39
+
The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.md)). Data is also available in [Advanced Hunting](/defender-xdr/advanced-hunting-overview), by searching for the Plug and Play Device Connected action (`PnPDeviceConnected`), as shown in the following example query:
40
40
41
41
```kusto
42
42
@@ -62,7 +62,7 @@ DeviceControlState : Disabled
62
62
63
63
```
64
64
65
-
Change the device control state to be enabled* on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
65
+
Change the device control state to be enabled on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
66
66
67
67
```powershell
68
68
@@ -184,7 +184,7 @@ The following screenshot shows the settings we used for our example:
184
184
185
185
By default, the sample uses the Global SID of `S-1-1-0`. Before deploying the policy, you can change the SID associated with the authorized USBs (writeable USBs) to `User1` and change the SID associated with the Read Only USBs to `User2`.
186
186
187
-
Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs.
187
+
Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs.
188
188
189
189
Device control also supports group SIDs. Change the SID in the read-only policy to a group that contains `User2`. Once the policy is redeployed, the rules are the same for User 2 or any other user in that group.
0 commit comments