
Controlled Device-Gattung

Hi,
 
I have a problem. I have used Endpoint Protection (Enterprise Console) for 15 years, and it works well in most cases.
 
I've been having the problem for several months that computers report errors like this:
 
"A device control event occurred on machine BUCH-14 when user NT-AUTORITÄT\Lokaler Dienst was logged on.

Controlled Device-Gattung 'Optische Laufwerke (CD/DVD)' erkannt: deviceId=IDE\CDROMTSSTCORP_CDDVDW_TS-L633B________________LEW1____\5&68882C2&0&0.0.0"
 
And I don't know why. This device (Hardware) is not in the machine(!).
 
I have 250 clients. I tried to get some help from Sophos support, unfortunately unsuccessfully :-(
 
I can delete the entry in the device manager, but the error comes back after a reboot.
 
Is there somebody here who can help me?
 
Thanks


  • Hello Philippe Roussel,

    "This device (Hardware) is not in the machine(!)"
    but apparently Windows thinks it's there. I assume the computers have a CD/DVD drive - is this TSST drive in Device Manager an extra drive (in addition to the correct existing hardware)? The setupapi.dev.log and setupapi.app.log in %windir%\inf\ might provide some insight.

    What are your Device Control policy settings for Optische Laufwerke? Is there a problem apart from the unexpected event?

    Christian

  • Maybe it's a virtual drive?

    A bit of software that has been installed, even though there is no hardware installed.

    There is also the Microsoft virtual drive: when accessing an ISO file, the OS will mount the ISO as an optical drive.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hello QC, hello Argo,

    Thank you for your answer. The machine was installed from an image (ISO file), because when I have to install a lot of computers, it's faster with an image; maybe that's the reason.

    The Device Control Policy for Optische Laufwerke is set so that access is not allowed (like USB-Key too).

    In the setupapi.dev.log (after I have deleted the device from the device manager) I found this entry:

    -----------------------------

    [Boot Session: 2019/01/04 07:08:38.500]

    >>>  [Device Installation Restrictions Policy Check]
    >>>  Section start 2019/01/04 07:09:04.232
    <<<  Section end 2019/01/04 07:09:21.279
    <<<  [Exit status: SUCCESS]


    >>>  [Device Uninstall (Device Manager) - IDE\CDROMTSSTCORP_CDDVDW_TS-L633B________________LEW1____\5&68882C2&0&0.0.0]
    >>>  Section start 2019/01/04 07:10:44.980
          cmd: "C:\WINDOWS\system32\mmc.exe" C:\WINDOWS\system32\devmgmt.msc
         dvi: {DIF_REMOVE} 07:10:44.981
         dvi:      Default installer: Enter 07:10:44.997
         dvi:           {Remove DEVICE}
         dvi:           {Remove DEVICE exit (0x00000000)}
         dvi:      Default installer: Exit
         dvi: {DIF_REMOVE - exit(0x00000000)} 07:10:45.013
    <<<  Section end 2019/01/04 07:10:45.028
    <<<  [Exit status: SUCCESS]

    -----------------------------

    The OS is Windows 10 Pro
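
An added example, not part of the thread: a small Python parser for the setupapi.dev.log layout shown in the post above, which reports device instance IDs that were uninstalled and then installed again, together with the boot session and initiator of the re-install. The sample log is constructed: its uninstall section follows the one posted, while the second boot session, the "Hardware initiated" install section and its timestamps are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in setupapi.dev.log layout. The uninstall section mirrors
# the one posted above; the second boot session and install section are invented.
SAMPLE_LOG = r"""
[Boot Session: 2019/01/04 07:08:38.500]
>>>  [Device Uninstall (Device Manager) - IDE\CDROMTSSTCORP_CDDVDW_TS-L633B________________LEW1____\5&68882C2&0&0.0.0]
>>>  Section start 2019/01/04 07:10:44.980
      cmd: "C:\WINDOWS\system32\mmc.exe" C:\WINDOWS\system32\devmgmt.msc
<<<  Section end 2019/01/04 07:10:45.028
<<<  [Exit status: SUCCESS]
[Boot Session: 2019/01/04 07:15:02.100]
>>>  [Device Install (Hardware initiated) - IDE\CDROMTSSTCORP_CDDVDW_TS-L633B________________LEW1____\5&68882C2&0&0.0.0]
>>>  Section start 2019/01/04 07:15:20.000
<<<  Section end 2019/01/04 07:15:21.000
<<<  [Exit status: SUCCESS]
"""

BOOT = re.compile(r"^\[Boot Session: (.+?)\]")
HEAD = re.compile(r"^>>>\s+\[(Device \w+) \((.+?)\) - (.+)\]$")
STATUS = re.compile(r"^<<<\s+\[Exit status: (\w+)\]")

def device_events(text):
    """Yield one dict per Device Install/Uninstall section, tagged with its boot session."""
    boot, current = None, None
    for line in text.splitlines():
        line = line.strip()
        if m := BOOT.match(line):
            boot = m.group(1)
        elif m := HEAD.match(line):  # sections without "(initiator) - id" are skipped
            current = {"boot": boot, "action": m.group(1),
                       "initiator": m.group(2), "device": m.group(3), "cmd": None}
        elif current and line.startswith("cmd:"):
            current["cmd"] = line[4:].strip()
        elif current and (m := STATUS.match(line)):
            current["status"] = m.group(1)
            yield current
            current = None

def reinstalled_after_removal(text):
    """Return {device ID: [(boot session, initiator), ...]} for installs that follow an uninstall."""
    removed, hits = set(), defaultdict(list)
    for ev in device_events(text):
        if ev["action"] == "Device Uninstall":
            removed.add(ev["device"])
        elif ev["action"] == "Device Install" and ev["device"] in removed:
            hits[ev["device"]].append((ev["boot"], ev["initiator"]))
    return dict(hits)
```

On a real client, pass the contents of %windir%\inf\setupapi.dev.log to `reinstalled_after_removal`; the initiator and boot session of each hit show what brought the device back.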

  • Hello Philippe Roussel,

    [I'm not a Windows Device Management expert]
    AFAIK an uninstalled device reappears after reboot because either

    1. the physical device is present, detected and installed
    2. a driver is installed that presents one or more devices (e.g. virtual DVD drives)
    3. the boot image is frozen

    Can't think of other reasons right now, there might be more.
    I'd rule out 3., you'd have mentioned it. Also 1. shouldn't apply as you say there's no such drive in the computers. Leaves 2. Did the computer used to create the image have such a TSST drive? When you uninstalled, did the confirmation pop-up offer the option to delete the driver package?

    Christian

  • Hi,

    Yes, the computer used to create the image has such a TSST drive. I will try to uninstall the driver package; I must look for where it's installed.

    And no, when I delete the drive, I don't have any confirmation pop-up :-(

    Thank you for your help, I'll get back to you as soon as I get the results.