Action script: group membership check

The idea is for an action to target all Windows endpoints unless they are a member of a specific group.

This seems like it should work but fails immediately on the group check:

If {not member of group 219024 of sites}

regset "[hkey_local_machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices]" "Deny_All"=dword:00000001

EndIf

I believe you need to specify which site. Otherwise the singular/plurals will evaluate in error.

group 219024 of sites will expand each site and look for that group in it; only one site may have that group, the other sites would throw a singular error for group 219025 not existing.


Hmmm, the site appears to be blank… is that because it is a manual group?

Yes, it may take some time before I can look it up, but manual groups are special. Depending on the group options, the client may not even know it’s a member of a manual group - those are evaluated at the console, not at the client.
I believe there’s something similar to a client setting that can be checked for some manual groups, if an “evaluated at client” option is set for it.
