microsoft / mdatp-devicecontrol

Microsoft Defender for Endpoint Device Control tools, samples, and resources.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide
MIT License

Define Device Control Evidence Data Remote Location : GPO #6

Open Matthew-Cherry87 opened 2 years ago

Matthew-Cherry87 commented 2 years ago

GPO 'Define Device Control Evidence Data Remote Location' does not appear to function.

When configured, workstations with access 8 and mask 16 only copy evidence data (files written to removable media) locally to 'C:\Windows\Defender Duplication Data'.

Defender engine 4.18.2202.4, Windows 10 21H2 Enterprise. The GPO setting is successfully written to the registry at 'HKLM:\Software\Policies\Microsoft\Windows Defender\Device Control\DefaultDuplicationRemoteLocation'.

I have tried configuring SMB shares and specifying the GPO value as a UNC path (I assume this is what is required, given the setting has absolutely no documentation or description within the GPO's adml file or this repo), but that results in no change in behaviour. Endpoint devices will successfully create 'duplicates' of files written to removable media locally, but not to any 'remote path' specified in this GPO.

There are also no errors or issues recorded in MPDeviceControl.log on the endpoint to suggest any attempt, let alone any issue with it attempting, to copy evidence data to the remote location.
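The checks the report above describes (policy value present in the registry, duplicates appearing only locally, nothing in MPDeviceControl.log), collected into one script so another admin can reproduce them on an endpoint. This is an added example, not code from the issue or from the mdatp-devicecontrol repo. The registry path and the local duplication folder are taken from the report; the location of MPDeviceControl.log under the Defender Support folder is an assumption, as is the expectation that the value must be a UNC path. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the issue or the mdatp-devicecontrol repo).
# Verifies the state the reporter describes on a single endpoint.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Device Control'
$valueName = 'DefaultDuplicationRemoteLocation'
$localDup  = 'C:\Windows\Defender Duplication Data'
# ASSUMED: the Defender platform's support-log folder; adjust if your build differs.
$dcLog     = 'C:\ProgramData\Microsoft\Windows Defender\Support\MPDeviceControl.log'

function Get-DuplicationRemoteLocation {
    # Returns the configured remote location, or $null when the policy value is absent.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$valueName
}

function Test-UncPath([string]$Path) {
    # ASSUMED: a remote location should be \\server\share[\folder]; flag anything else.
    return $Path -match '^\\\\[^\\]+\\[^\\]+'
}

$remote = Get-DuplicationRemoteLocation
if ([string]::IsNullOrWhiteSpace($remote)) {
    Write-Output "Policy value '$valueName' is not set under $policyKey"
} else {
    Write-Output "Policy value: $remote"
    if (-not (Test-UncPath $remote)) { Write-Warning "Value is not a UNC path" }
    # Test-Path here runs as the logged-on user. The antimalware service (MsMpEng)
    # runs as LocalSystem and reaches SMB shares as the computer account, so the
    # share and NTFS ACLs must grant DOMAIN\HOST$ (or Domain Computers) write access;
    # a successful result as an admin user does not prove the service can write there.
    try {
        Write-Output ("Reachable as {0}: {1}" -f $env:USERNAME, (Test-Path -LiteralPath $remote))
    } catch {
        Write-Warning "Test-Path failed: $_"
    }
}

# Duplicates written locally (the behaviour the reporter does observe).
if (Test-Path -LiteralPath $localDup) {
    Get-ChildItem -LiteralPath $localDup -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 20 FullName, Length, LastWriteTime
} else {
    Write-Output "No local duplication folder at $localDup"
}

# Any trace of duplication or of the remote location in the device control log.
if (Test-Path -LiteralPath $dcLog) {
    $patterns = @('Duplicat', 'RemoteLocation')
    if (-not [string]::IsNullOrWhiteSpace($remote)) { $patterns += [regex]::Escape($remote) }
    Select-String -LiteralPath $dcLog -Pattern $patterns -ErrorAction SilentlyContinue |
        Select-Object -Last 20 LineNumber, Line
} else {
    Write-Output "No device control log at $dcLog (assumed path)"
}
```

The point of the service-context comment is the one thing worth ruling out before concluding the setting is dead: a share that the admin can browse but that the computer account cannot write to would also produce exactly the symptom described (local duplicates only). If the share grants the computer account write access and the log still shows no attempt, the report stands as written.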

Matthew-Cherry87 commented 2 years ago

Case #:30563025

FYI for anyone else, I've been advised by Microsoft's Premier Support team that despite GPOs being included for Evidence Data Collection, they don't work or do anything.... So yeah, apparently the devs have included a GPO that does nothing and never tested it either, and only realised it doesn't work after a support ticket was logged....

Same too with auditing: while you can deploy and configure RMAC via GPO, including auditing, you'll have no way of viewing said audit logs within your own environment. No removable media control audit events are recorded in Event Viewer or within Defender's own logs on the client. Instead, audit logs are ONLY accessible via the Defender Endpoint Portal. So in short, if you're running on-premise or air-gapped environments, while you can 'enable' auditing via GPO it won't do anything, as the clients won't record a single audit event locally. Clients will only upload their audit logs to MDM and the Defender Endpoint Portal. So in short, while you can configure and deploy RMAC policies via GPO, half don't work and the other half require MDM.

Of course the devs also don't document any of these limitations or restrictions of managing Defender RMAC locally via GPO. Nah, you've got to be like me and only find out once you log premier support tickets and ask why settings included in their provided GPOs either don't work or do nothing. Thus why I've updated this: to save any other customers the effort of banging their heads against a brick wall wondering why settings configured in their GPO RMAC policies seem to either not work or do nothing... So too those customers not fortunate enough to have premier support contracts and the ability to ask Microsoft directly why advertised GPOs don't do anything.

Also don't ask the devs why they'd introduce new functionality into Defender, an out-of-box feature built into Windows, but limit its functionality to requiring MDM, despite the fact that historically all aspects of Defender could be managed via GPO/MECM/SCCM/on-premise. Apparently when adding new capabilities to an existing feature of Windows you throw away and disregard the existing accepted management solutions and arbitrarily restrict. Who cares if the feature could previously be managed entirely on-premise; this is the future and now you need MDM for some of it, but not all of course, but some, and that some will be undocumented just to make life fun for you. And hey, you thought Windows Security and Defender event logs would perhaps log auditing events for Security and Defender? Lol, you ignorant fool....

GW devs, must be proud.