This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 17%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Hola,
I have a question regarding "tattooing" records in registry by ASR Policy handling Device Control.
So the case is, in my corporate environment I configure ASR Device Control policy to block any Removable Media Storage (of course in testing environment). My concern is when I want to change this policy - of course new registry records are added, but old one are not deleted so it looks like:
The question is:
Why when I changed permission to Allow for the same reusable setting there is no changes in endpoint registry so all USB storage devices are blocked?
I tried also to remove blocking policy and create one with Allow permission but still - there is a existing record in registry named PolicyRules, full path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager -> PolicyRules
Deleting data related to Blocking policy solve the problem but the solution doesn't meet corporate requirements, for example blocking USB Storages for limited amount of time.
Can someone help me understand this process or describe how you handle it?
Thanks a lot...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Jakub Karbowski, Thanks for posting in Q&A. For your issue, to know it better, please get screen shots which setting we configure "Block any Removable Media Storage" and which setting we set "Allow for the same reusable setting"?
@Jakub Karbowski, How's everything going? I am writing to see if there's any opportunity to get the screenshots to go further. Thanks!
@Crystal-MSFT
Let's jump in first to Reusable Settings:
I've created two setting group as above.
Nextly I've created ASR policy in Intune as follows (I configured only Device Control blade)
And success - It is blocking all Removable Devices and WPD.
BUT
The case is, when I'm trying to change access type in Device Control from Deny, to Allow - still all Removable Devices and WPD are blocked for the same assigned group of machine.
Second soultion I've tried to remove my machine from assigned group to this ASR policy but still - All Removable Devices and WPD are blocked.
The reason of this situation is because record in registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
and file Policy Rules - where rules as stored as on below screenshot:
When I deleted this record, all goes back to original and Removable Media and WPD are not blocked.
What's more - if I create new Reusable Settings and connect it with ASR Rule, or create ne ASR Rule with different scope of privileges (access mask etc) all of them are saved in Registry and then I think the one that takes precedence (rules for it are not described in docs) is binding to machine.
To sum up:
@Jakub Karbowski, Thanks for your detailed description. I know when we change the access type from Deny to Allow in the same entry. It didn't change the previous registry key. But creating a allow registry key. which behave like that you have add a new entry. For this, you can open case to see if we can change the behavior. https://video2.skills-academy.com/en-us/mem/get-support
This is known issue around some settings in mdm. Not all settings revert back to original. In your case, have you tried to revert the setting with Setting Catalog like this?
Hi @Pavel yannara Mirochnitchenko !
Yes I tried this way and still - changes are made in registry but if I for example Enable this option and later disable in the same or new ASR or as you show ADMX policy, all Removable Storage classes are still blocked. I've explained this step by step in comment above with screens etc.
I've tried also solutions like change the assigned group of this policy and settings still do not revert back to original. I've tried also create new policy where I configure everything on Allow and assign group which previously was assigned to deny all policy and still - everything is blocked.