Device Control with Defender for Endpoint not capturing evidence
Recently Defender for Endpoint has stopped capturing evidence when transferring files to a USB device and I can’t figure out what’s changed. The policy is included below, and we’re deploying using GPO:
<PolicyRules>
  <PolicyRule Id="{36ae1037-a639-4cff-946b-b36c53089a4c}">
    <!-- Rule that permits and audits specific approved devices -->
    <Name>Audit Write access to approved USBs</Name>
    <IncludedIdList>
      <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="{a0bcff88-b8e4-4f48-92be-16c36adac930}">
      <Type>Allow</Type>
      <Options>8</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
And the group is:
<Groups>
  <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
    <!-- Group for all removable devices -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <PrimaryId>CdRomDevices</PrimaryId>
      <PrimaryId>WpdDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
</Groups>
This policy should allow all devices R/W access and create a copy of the file in the location defined in the settings. I’ve tried setting the location to both a network share and local paths (C:\Temp and C:\Temp\temp). In the security portal at security.microsoft.com, when evidence is captured it creates a RemovableStorageFileEvent. We have stopped getting these events, but we still get RemovableStoragePolicyTriggered events, indicating the policy is applied. I also see the evidence locally on the machine at “C:\Windows\Defender Duplication Data”. The issue seems to be with moving the evidence from the local store to the location defined in the settings, but I can’t figure out why it won’t move. Any help is appreciated.
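An added example, not from the poster and not Microsoft's code: a small Python checker that parses the PolicyRules and Groups XML from the post, repairs the typographic quotes and mangled comment markers that appear when the XML is pasted through a web page, resolves every GroupId reference, and decodes each Entry's AccessMask and Options so you can see which entries are expected to produce evidence. The AccessMask bit values and the Allow-type Options values are taken from Microsoft's device control documentation; the evidence-location setting lives in GPO, outside this XML, and is not checked here. The sample XML below is a constructed copy of the poster's rule and group, deliberately kept with the pasted-from-the-web artifacts.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# AccessMask bits and Allow-type <Options> values as documented for
# Defender for Endpoint device control on Windows.
ACCESS_BITS = {
    1: "Disk Read", 2: "Disk Write", 4: "Disk Execute",
    8: "File Read", 16: "File Write", 32: "File Execute", 64: "Print",
}
ALLOW_OPTIONS = {
    0: "no audit options",
    4: "AuditAllowed/AuditDenied notifications disabled",
    8: "file information captured with a copy of the file (evidence)",
    16: "file information captured without a copy of the file",
}
FILE_WRITE = 16
EVIDENCE_OPTIONS = {8, 16}

# Constructed sample: the poster's rule and group, complete with the typographic
# quotes and broken comment markers that a web paste introduces.
POLICY_XML = """<PolicyRules>
<PolicyRule Id=”{36ae1037-a639-4cff-946b-b36c53089a4c}”>
<!– Rule that permits and audits specific approved devices –>
<Name>Audit Write access to approved USBs</Name>
<IncludedIdList>
<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
</IncludedIdList>
<ExcludedIdList></ExcludedIdList>
<Entry Id=”{a0bcff88-b8e4-4f48-92be-16c36adac930}”>
<Type>Allow</Type>
<Options>8</Options>
<AccessMask>63</AccessMask>
</Entry>
</PolicyRule>
</PolicyRules>"""

GROUPS_XML = """<Groups>
<Group Id=”{9b28fae8-72f7-4267-a1a5-685f747a7146}”>
<!– Group for all removable devices –>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
<PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId>
</DescriptorIdList>
</Group>
</Groups>"""


def normalize_xml(text: str, label: str) -> tuple[str, list[str]]:
    """Repair copy-paste artifacts that make the XML unparseable."""
    notes = []
    if re.search(r"[“”]", text):
        text = re.sub(r"[“”]", '"', text)
        notes.append(f"{label}: replaced typographic quotes with ASCII quotes")
    if "<!–" in text or "–>" in text:
        text = text.replace("<!–", "<!--").replace("–>", "-->")
        notes.append(f"{label}: repaired comment delimiters")
    return text, notes


def decode_access_mask(mask: int) -> list[str]:
    """Expand an AccessMask integer into the named access types it grants."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def parse_groups(groups_xml: str) -> dict[str, list[str]]:
    """Map each Group Id to the descriptor ids it matches on."""
    root = ET.fromstring(groups_xml)
    return {
        g.get("Id"): [d.text.strip() for d in g.find("DescriptorIdList")]
        for g in root.findall("Group")
    }


def analyse_policy(policy_xml: str, groups_xml: str) -> dict:
    """Return decoded entries plus findings about unresolved groups or odd masks."""
    policy_xml, findings = normalize_xml(policy_xml, "policy")
    groups_xml, group_notes = normalize_xml(groups_xml, "groups")
    findings += group_notes
    groups = parse_groups(groups_xml)
    entries = []
    for rule in ET.fromstring(policy_xml).findall("PolicyRule"):
        rule_id = rule.get("Id")
        # Every referenced GroupId must exist, or the rule silently matches nothing.
        for list_tag in ("IncludedIdList", "ExcludedIdList"):
            lst = rule.find(list_tag)
            for gid in (lst.findall("GroupId") if lst is not None else []):
                if gid.text.strip() not in groups:
                    findings.append(f"{rule_id}: {list_tag} references undefined group {gid.text.strip()}")
        for entry in rule.findall("Entry"):
            etype = entry.findtext("Type")
            options = int(entry.findtext("Options", "0"))
            mask = int(entry.findtext("AccessMask", "0"))
            evidence = etype == "Allow" and options in EVIDENCE_OPTIONS
            # Evidence is generated on file writes, so the mask must include File Write.
            if evidence and not mask & FILE_WRITE:
                findings.append(f"{entry.get('Id')}: Options {options} captures evidence on file writes "
                                f"but AccessMask {mask} lacks File Write (16)")
            entries.append({
                "rule": rule_id, "entry": entry.get("Id"), "type": etype,
                "options": ALLOW_OPTIONS.get(options, f"unknown value {options}") if etype == "Allow" else str(options),
                "access": decode_access_mask(mask),
                "captures_evidence": evidence,
            })
    return {"entries": entries, "findings": findings, "groups": groups}


if __name__ == "__main__":
    report = analyse_policy(POLICY_XML, GROUPS_XML)
    for e in report["entries"]:
        print(e["entry"], e["type"], "|", e["options"], "|", ", ".join(e["access"]))
    for f in report["findings"]:
        print("finding:", f)
```

On the poster's XML the checker resolves the group, decodes AccessMask 63 as every access type except Print, and reports Options 8 as evidence-with-copy, which is consistent with RemovableStoragePolicyTriggered still firing: the policy half is intact, and what remains to investigate is the remote copy step configured outside this XML.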