USB flash drives

The described behavior aligns with a policy‑matching or layering issue in device control rather than a documented serial‑number length limit.

Use the following checks and adjustments:

1. Confirm the devices are in scope of Defender device control

• Ensure the new SanDisk drives are recognized as removable media devices that create a disk (for example, E:). Device control in Microsoft Defender for Endpoint only applies to devices that present as removable media and create a drive letter.
• If they do not create a disk, they are out of scope for MDE device control and must instead be controlled via device installation restrictions or other mechanisms.

2. Verify default enforcement and scope

• If using Intune/OmaUri for device control, confirm:
  • ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled = 1
  • ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement = 2 (DefaultDeny)
  • ./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration = RemovableMediaDevices
• On an affected endpoint, run Get-MpComputerStatus and verify:
  • DeviceControlState : Enabled
  • DeviceControlDefaultEnforcement : DefaultDeny
• This ensures that the deny‑all baseline is active and that removable media devices are the secured class.

3. Validate allow list entries using actual device properties

• For each new SanDisk device, collect the exact identifiers from Device Manager:
  • Open Device Manager → locate the USB disk → Properties → Details.
  • Capture Device instance path / InstancePathId, hardware IDs, and any other properties used in the allow rules.
• Compare these values between:
  • Older (working) SanDisk devices.
  • New (blocked) SanDisk devices.
• Ensure the allow group (for example, an “Authorized USBs” group) uses the correct property and full value for the new devices. If using InstancePathId, copy it exactly from Device Manager for the new drives.

4. Check policy grouping and exclusions

• Confirm that the group containing the new SanDisk devices is configured similarly to the working “Authorized USBs” example:
  • The authorized group is defined using a supported property (such as InstancePathId).
  • That group is explicitly excluded from the global deny‑all policy.
• If the deny‑all policy is not excluding the authorized group, the devices will remain blocked even when they match the allow rule.

5. Inspect policy layering and GPO conflicts

• If Group Policy is also used for removable storage control:
  • Use gpresult /h gpresult.html and rsop.msc to verify which GPOs apply to the affected machines.
  • Check for user‑level “Removable Storage Access” policies that might be blocking access regardless of Defender device control.
• If allowlisting is done via device instance ID while a “Deny all removable storage” GPO is present:
  • Move block policies to computer‑level GPO.
  • Remove user‑level “Removable Storage Access” policies.
  • Create a new computer‑level GPO and enable “Apply layered order” for allow/deny device installation.
  • Block by setup class for USB drives and ensure allow rules are evaluated correctly.

6. Use Advanced Hunting and logs to confirm matching

• Use Advanced Hunting in Microsoft Defender for Endpoint to check for events such as PnPDeviceAllowed or device control events when the new drives are inserted.
• Confirm whether the devices are being:
  • Evaluated and explicitly denied by device control, or
  • Blocked earlier by device installation restrictions or GPO.
• If PnPDeviceAllowed appears but access is still denied, this indicates that device installation is allowed but another layer (removable storage policy or device control default deny) is blocking access.

7. Re‑test with a minimal policy

• For one test machine:
  • Apply a simplified device control configuration: a deny‑all removable media policy plus a single allow group containing the new SanDisk device’s exact InstancePathId.
  • Ensure that group is excluded from the deny‑all policy.
  • Reinsert the device and verify access.
• If the device works under this minimal policy, the issue is likely due to additional GPOs or overlapping device control policies in the production configuration.

8. Consider device installation restrictions if needed

• If the organization also uses device installation restrictions (via GPO or Intune ADMX) to control USB devices:
  • Verify that the new devices’ IDs and setup class GUIDs are not inadvertently blocked.
  • Ensure that any allowlisting by device ID or instance ID is correctly configured and that “Apply layered order” is enabled so allow rules can override broad deny rules.

These steps focus on confirming that the new devices’ exact identifiers are used, that they are properly excluded from the deny‑all policy, and that no overlapping GPO or device installation restriction is overriding the Defender device control allow list.

References:

• Device control in Microsoft Defender for Endpoint
• Device control walkthroughs
• Managing removable devices through Group Policy troubleshooting guidance