Intune / MDE device control policy audit events
I find that this feature is inconsistent in outputting the audit events to advanced hunting. I have not had an issue making the policies block devices, including allowing specific ones; however, it seems to be finicky about when it will output the RemovableStoragePolicyTriggered events. If I reboot the device, it seems to emit the audit events briefly. The Windows toast notifications are also inconsistent, but I suspect that is due to some function of Windows that limits the number of notifications that can occur.
Is there some trick to make the audit events show up in advanced hunting consistently?
My configuration targets USB/WPD/CDROM, each one denying “File Write/File Execute”, with an audit allowed + audit denied for everything but print.
I tried explicitly “allowing” read/write/execute/fileread, but it had no effect other than changing the policy label from “DefaultAllow” to the policy name when it did happen to emit a RemovableStoragePolicyTriggered event. I “clean” the registry keys associated with the policies prior to testing to get rid of duplicate data from policy updates:
HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager (PolicyRules/PolicyGroups)
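An added example, not code from the original post: a PowerShell script that reads the device control rules Intune writes under the Policy Manager key named above, decodes each entry's AccessMask and Options, and flags audit entries that can never produce a RemovableStoragePolicyTriggered event. An AuditAllowed or AuditDenied entry only sends an event when its Options value has bit 2 set (3 = toast notification + event on AuditDenied), and an Allow/Deny entry with Options bit 4 suppresses auditing for that entry; either mistake looks like "inconsistent" telemetry. The registry layout (a RuleData string value per rule subkey, mirroring the ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{GUID}/RuleData OMA-URI) is an assumption to verify on your device; the GUIDs and the sample rule are constructed for the example.

```powershell
# Added example (not from the original post). Decodes MDE device control rules
# and flags audit entries that cannot reach advanced hunting.
# Assumption: each rule subkey under PolicyRules has a RuleData string value
# holding the PolicyRule XML (as written from the Intune OMA-URI). Verify locally.

$RulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\PolicyRules'

# Documented AccessMask bits for device control entries.
$AccessBits = [ordered]@{
    1 = 'DiskRead'; 2 = 'DiskWrite'; 4 = 'DiskExecute'
    8 = 'FileRead'; 16 = 'FileWrite'; 32 = 'FileExecute'; 64 = 'Print'
}

function ConvertFrom-AccessMask {
    param([int]$Mask)
    $names = foreach ($bit in $AccessBits.Keys) { if ($Mask -band $bit) { $AccessBits[$bit] } }
    $names -join ','
}

function Test-RuleAuditCoverage {
    # Returns one object per <Entry> of a PolicyRule XML document.
    # SendsEvent: audit entry has the "send event" bit (Options & 2).
    # Notifies: AuditDenied entry shows a toast (Options & 1).
    # AuditSuppressed: Allow/Deny entry disables auditing for itself (Options & 4).
    param([Parameter(Mandatory)][string]$RuleXml)
    $doc = [xml]$RuleXml
    foreach ($e in $doc.PolicyRule.Entry) {
        $type = [string]$e.Type
        $opts = [int]$e.Options
        $sendsEvent = $null; $notifies = $null; $auditSuppressed = $null
        if ($type -in @('AuditAllowed', 'AuditDenied')) {
            $sendsEvent = [bool]($opts -band 2)
            if ($type -eq 'AuditDenied') { $notifies = [bool]($opts -band 1) }
        } elseif ($type -in @('Allow', 'Deny')) {
            $auditSuppressed = [bool]($opts -band 4)
        }
        [pscustomobject]@{
            Rule            = [string]$doc.PolicyRule.Name
            EntryId         = [string]$e.Id
            Type            = $type
            Access          = ConvertFrom-AccessMask ([int]$e.AccessMask)
            Options         = $opts
            SendsEvent      = $sendsEvent
            Notifies        = $notifies
            AuditSuppressed = $auditSuppressed
        }
    }
}

function Get-DeviceControlAuditReport {
    # Reads every rule under the PolicyRules key on this device (run elevated).
    if (-not (Test-Path $RulesKey)) { Write-Warning "No PolicyRules key at $RulesKey"; return }
    foreach ($rule in Get-ChildItem -Path $RulesKey) {
        $data = (Get-ItemProperty -Path $rule.PSPath -ErrorAction SilentlyContinue).RuleData
        if ($data) { Test-RuleAuditCoverage -RuleXml $data }
        else { Write-Warning "$($rule.PSChildName): no RuleData value" }
    }
}

# Constructed sample mirroring the post's policy: Deny FileWrite|FileExecute (16+32=48),
# AuditDenied and AuditAllowed on everything but Print (63). The AuditAllowed entry
# deliberately carries Options 0, so it never sends an event to advanced hunting.
$SampleRule = @'
<PolicyRule Id="{6f3a2c1e-0000-4000-8000-000000000001}">
  <Name>Block write/execute on removable storage (constructed sample)</Name>
  <IncludedIdList><GroupId>{6f3a2c1e-0000-4000-8000-000000000002}</GroupId></IncludedIdList>
  <ExcludedIdList/>
  <Entry Id="{6f3a2c1e-0000-4000-8000-000000000011}"><Type>Deny</Type><Options>0</Options><AccessMask>48</AccessMask></Entry>
  <Entry Id="{6f3a2c1e-0000-4000-8000-000000000012}"><Type>AuditDenied</Type><Options>3</Options><AccessMask>63</AccessMask></Entry>
  <Entry Id="{6f3a2c1e-0000-4000-8000-000000000013}"><Type>AuditAllowed</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
</PolicyRule>
'@

# Offline run against the constructed sample; the AuditAllowed row shows SendsEvent = False.
Test-RuleAuditCoverage -RuleXml $SampleRule | Format-Table -AutoSize

# On a managed device, list only the entries that will never audit:
# Get-DeviceControlAuditReport | Where-Object { $_.SendsEvent -eq $false -or $_.AuditSuppressed } | Format-Table -AutoSize
```

Run it on the device before and after a policy sync and compare the output with what the portal returns for `DeviceEvents | where ActionType == "RemovableStoragePolicyTriggered"` (the policy name and verdict are in the AdditionalFields JSON). If the registry shows the audit entries with the event bit set but the events still arrive only after a reboot, the configuration is not the problem and the next place to look is the Defender platform/engine version and ingestion delay rather than the rule XML.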