From 141783ae9ca7045dafdf58828a29b3ef147b54f8 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 12 Feb 2026 10:09:10 +0000 Subject: [PATCH 1/2] [Security] Document device control access levels for Windows devices --- ...n-integration-policy-for-elastic-defend.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md b/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md index fb36c10b6a..9db23fc445 100644 --- a/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md +++ b/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md 
@@ -272,6 +272,30 @@ By default, each {{kib}} instance includes a Device Control dashboard. When at l To collect device control data, {{elastic-defend}} must be updated to at least version 9.2.0. Until you update it to this version, the device control dashboard will not appear and device control events will not be ingested. Device control blocking will still work. ::: +### Access levels for Windows devices +```yaml {applies_to} +stack: ga 9.4 +serverless: ga +``` + +Device control supports the following USB storage access levels: + +* **Allow all** +* **Read only** +* **Block execute** +* **Block all** + +These access levels apply fully to native Windows volumes (USB mass storage devices), such as USB flash drives and external hard drives. However, Windows Portable Devices, such as smartphones and digital cameras, use a transfer protocol that doesn't support granular access control. For these devices, device control maps access levels as follows: + +| Configured access level | Behavior for Windows Portable Devices | +|-------------------------|---------------------------------------| +| Allow all | Allow all | +| Read only | Block all | +| Block execute | Block all | +| Block all | Block all | + +This means that if you want to allow any access to Windows Portable Devices, you must select **Allow all**. The **Read only** and **Block execute** options block these devices entirely to maintain security when granular control isn't possible. + ## Event collection [event-collection] In the **Settings** section, select which categories of events to collect on each operating system. Most categories are collected by default. From 561cf5d79202ff3712de9c7575e8489c3e121fd9 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 12 Feb 2026 10:14:13 +0000 Subject: [PATCH 2/2] + --- .../configure-an-integration-policy-for-elastic-defend.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md b/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md index 9db23fc445..472d480c2c 100644 --- a/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md +++ b/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md @@ -274,7 +274,7 @@ To collect device control data, {{elastic-defend}} must be updated to at least v ### Access levels for Windows devices ```yaml {applies_to} -stack: ga 9.4 +stack: ga 9.4+ serverless: ga ```
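Review bot: In PATCH 1/2, the bulleted list under `### Access levels for Windows devices` names **Allow all**, **Read only**, **Block execute** and **Block all** without saying what each level permits on a native USB volume, so the mapping table that follows compares against behaviour the section never defines. Add a one-line description to each bullet, in particular for **Block execute**, whose name does not say whether reads and writes stay allowed. The new heading also carries no anchor ID, unlike the neighbouring `## Event collection [event-collection]`; consider adding one so the section can be linked to directly.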
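Review bot: PATCH 2/2 touches only the `stack: ga 9.4` line that PATCH 1/2 introduced, changing it to `stack: ga 9.4+`, and its subject is just `+`, which tells a reader of the log nothing about the change. Squash it into PATCH 1/2, or give it a subject that states the intent (for example, that the section applies to 9.4 and later). The commit also does not say why the bare `9.4` was wrong, so a short note in the message on which form the `applies_to` block expects would help the next editor.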