Windows: New Defender control features for removable media (like USB sticks)

Windows[German]External USB storage media and USB devices are in daily use, but pose a threat to corporate data. Data can be copied/extradicted too quickly. And there is a risk of malware being introduced via USB sticks or other USB storage devices. Microsoft has therefore introduced Microsoft Defender for Endpoint with a set of features to control such devices on Windows.


I already came across the topic a few days ago via this German post by Martin Geuß. Microsoft dedicated a Techcommunity post Announcing new removable storage management features on Windows from November 21, 2022, where the details are explained.

Risk USB storage media

Microsoft mentions that external devices such as USB storage devices are common tools for daily work. For example, it is very easy to back up data to a USB hard drive or USB flash drive on a daily basis. But these media also pose a threat from two sides.

  • There is the risk that employees are carrying malware to systems via infected USB sticks and media.
  • The second risk is that employees will copy corporate data without authorization and it will leak out unnoticed.

For both of these risks, administrators make certain gimmicks to prevent their exploitation under Windows. In some companies, USB sockets are therefore made mechanically unusable. Microsoft takes a different approach and adds a number of features to Defender for Endpoint to control such devices under Windows.

Defender for Endpoint extensions

The article Announcing new removable storage management features on Windows discloses that Microsoft has already begun implementing these control features in Microsoft Defender for Endpoint on Windows in recent months. Among the common use cases supported by the feature is allowing certain users to:

  • Gain write access to specific removable storage devices
  • The use of specific removable storage devices on specific computers
  • Read, write, and execute access to specific files on removable storage devices
  • Write and execute access to specific removable storage devices when the computer is connected to the corporate network or via a VPN

Defender for Endpoint now enables enterprise administrators to better control user read, write and execute access to specific files on removable media. For example, by using filename/path/extension, Defender for Endpoint can prevent end users from executing files with INK, BAT, BIN, CHM, CMD, COM, CPL and EXE extensions. This is possible via Intune as well as Group Policy in Windows.


An administrator can also restrict removable disk access on Azure AD machines for both users and those machines.  An example of this would be to only allow certain users to interact with specific removable storage devices on a given machine. In this case, the qualified user may only initiate an authorized removable storage device on an authorized machine. More details and links to documents for Intune or Group Policy can be found in article Announcing new removable storage management features on Windows. And there is a 2nd article from October 2022 about Microsoft Defender for Endpoints and it's Built-in protection.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Allgemein. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *