After upgrading SEP and updating the Windows agents, the Device Control policies stopped working.
If the older pre-upgrade agent (version 14.2 MP1) is not updated, the Device Control Policy still works. Once the agent is updated to 14.3 RU5 or 14.3 RU6, the Device Control Policy is no longer enforced and access to USB drives is allowed.
In summary, this only happens when upgrading from SEP client version 14.2 MP1 to 14.3 RU5 or 14.3 RU6.
Windows 11 Professional Edition with agent 14.3 RU5 and 14.3 RU6
Windows 10 Professional Edition with agent 14.3 RU5 and 14.3 RU6
SEP Version 14.3 RU6
The customer had agents enrolled in the cloud, but the Device Control policy for the cloud was not configured.
After comparing the logs from the older agent and the new one, I noticed that the new agents were connecting to the cloud and had the Cloud Application Hardening feature enabled.
The new agents were enrolled in the cloud; however, the Default Device Control policy in ICDm was not configured or assigned to the Default group. If the agents are enrolled in a hybrid environment, the new agents will pull the device control rules from the Default group assigned in ICDm.
Configure the Device Control Policy in ICDm and assign it to the groups associated with the new agents.