device_control_policy_schema.json throws errors with the object type when I tried to use on JAMF

GPO 'Define Device Control Evidence Data Remote Location' does not appear to function.

When configured, workstations with access 8 and mask 16 only copy evidence data - files written to removable media - locally to 'C:\Windows\Defender Duplication Data'

Defender engine 4.18.2202.4
Windows 10 21H2 Enterprise
GPO setting is successfully written to registry HKLM:\Software\Policies\Microsoft\Windows Defender\Device Control\DefaultDuplicationRemoteLocation'

I have tried configuring SMB shares and specifying GPO as a UNC path ( I assume this is what is required, given the setting has absolutely no documentation or description within the GPO's adml file or this Repo, but that results in no change in behaviour. Endpoint devices will successfully create 'duplicates' of files written to removable media locally, but not to any 'remote path' specified in this GPO.

There's also no errors or issues recorded in MPDeviceControl.log on the endpoint to suggest any attempts yet alone issues with it attempting to copy evidence data to remote location.

Hi, I am currently working on project to enable the device control using GPOs and the documentation / steps is not clear / complete. Will there be any updates to this in near future?

Hello,

I got this working and it’s really cool, however when you use the audit it doesn't seem to capture the files/folder. Is this a bug on my side or is it something that will come in the future?

Hello all...

I am trying to use an Azure AD group SID for an allow option and it does not work.
I have used my local user SID to verify the rule syntax and it worked ok.

Any idea's?
Thanks

Attached error after copying the latest files from this repo into the Policy Definitions folder.

Even opened the existing ADMX/ADMX files and saved as new copies in notepad as per README but still fails.

Hi,

Thanks for reading this issue! Hopefully this is monitored by someone.

TL;DR

Unable to block Bluetooth globally and/or Bluetooth sending files using the sample provided json.

Steps to Repro:

1. Apply the sample for MacOS under:

macOS/policy/samples/deny_all_bluetooth_devices_except_samsung.json

e.g. Manual policy apply command:

mdatp config device-control policy set --path macOS/policy/samples/deny_all_bluetooth_devices_except_samsung.json

Expected output:

Configuration property updated.

2. Open Bluetooth file exchange app (native macOS app)

3. Select files you desire to transfer

4. Files are successfully transfer to any device

Steps to Repro global exclusion:

1. Download sample under:

macOS/policy/samples/deny_all_bluetooth_devices_except_samsung.json

2. Modify settings.features.bluetoothDevice.disable to equal true and set global default enforcement to deny

e.g.

    "settings": {
        "features": {
            "bluetoothDevice": {
                "disable": true
            },
        },
        "global": {
            "defaultEnforcement": "deny"
        },
        "ux": {
            "navigationTarget": "http://www.microsoft.com"
        }
    }

3. Apply the configuration

e.g. Manual policy apply command:

mdatp config device-control policy set --path macOS/policy/samples/deny_all_bluetooth_devices_except_samsung.json

Expected output:

Configuration property updated.

4. Open Bluetooth file exchange app (native macOS app)

5. Select files you desire to transfer

6. Files are successfully transfer to any device

Thank you!

The following items are referenced in the ADMX but have no association in the ADML file

Reporting_ServiceHealthReportInterval (reported by others at Line 698 of the ADMX - confirmed).

I removed this element and found that these further 2 are also not referenced in the ADML file.

Reporting_EnableDynamicSignatureDroppedEventReporting
Features_TDTFeatureEnabled

The ADML file needs these additional elements defining.

Hi I wanted to load the scheme into JAMF Pro but it seems not to be valid.
I cannot find the error.
Can you help me with that?

Regards

on Printer protection sample's following xml file that use MS internal network name on sample.

https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Corporate%20Network.xml
https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Corporate%20VPN.xml

How about using a fictitious domain such as contoso.com ?

I’m currently facing a challenge with blocking all removable media, except for those that are encrypted. I’ve attempted to adjust the existing JSON example to include the Encryption Clause, but it seems to be ineffective. I would greatly appreciate any assistance or guidance on this matter. If anyone has a working example that I could reference, that would be extremely helpful as well. Thank you in advance for your time and support.

{
"groups": [
{
"$type": "device",
"id": "519a2e50-3bb7-49b7-9ae0-6feb415d58ca",
"name": "All Removable Media Devices",
"query": {
"$type": "all",
"clauses": [
{
"$type": "primaryId",
"value": "removable_media_devices"
}
]
}
}
],
"encryption": {
"title": "Encryption Clause",
"description": "Match if a device is encrypted. (Only supports Removable Media Devices)",
"required": [
"$type",
"value"
],
"additionalProperties": true,
"properties": {
"$type": {
"enum": [
"encryption"
]
},
"value": {
"enum": [
"apfs"
],
"title": "Encryption Type",
"examples": [
"apfs"
]
},
"__comments": {
"type": "string"
}
},
"examples": [
{
"$type": "encryption",
"value": "apfs"
}
]
},
"rules": [
{
"id": "69a4a010-acb1-4573-8a58-50cf4ee7bc7f",
"name": "Deny WX to all Removable Media Devices",
"includeGroups": [
"519a2e50-3bb7-49b7-9ae0-6feb415d58ca"
],
"entries": [
{
"__comments": "Deny Write, and Execute.",
"$type": "removableMedia",
"id": "c7a13940-5c14-49f6-b0fb-b0978bf0f8cc",
"enforcement": {
"$type": "deny"
},
"access": [
"write",
"execute"
]
},
{
"__comments": "Show UX and send events for all blocked operations.",
"$type": "removableMedia",
"id": "ae5672a9-0746-41e7-8c21-63222f1aa304",
"enforcement": {
"$type": "auditDeny",
"options": [
"send_event",
"show_notification"
]
},
"access": [
"read",
"write",
"execute"
]
}
]
}
],
"settings": {
"features": {
"removableMedia": {
"disable": false
}
},
"global": {
"defaultEnforcement": "allow"
},
"ux": {
"navigationTarget": "http://www.microsoft.com"
}
}
}