Merge pull request #657 from MicrosoftDocs/main

Publish main to live, Monday 10:30AM PDT, 06/10

Author: Stacyrch140

defender-endpoint/device-control-deploy-manage-intune.md

@@ -91,11 +91,9 @@ In the following table, identify the setting you want to configure, and then use
 
 | Setting | OMA-URI, data type, & values |
 |---|---|
-| **Device control default enforcement** <br/>Default enforcement establishes what decisions are made during device control access checks when none of the policy rules match | `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`<br/><br/>Integer: <br/>- `DefaultEnforcementAllow` = `1`<br/>- `DefaultEnforcementDeny` = `2` | 
+| **Device control default enforcement** <br/>Default enforcement establishes what decisions are made during device control access checks when none of the policy rules match | `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`<br/><br/>Integer: <br/>- `DefaultEnforcementAllow` = `1`<br/>- `DefaultEnforcementDeny` = `2` |
 | **Device types** <br/>Device types, identified by their Primary IDs, with device control protection turned on | `./Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration`<br/><br/>String:<br/>- `RemovableMediaDevices`<br/>- `CdRomDevices`<br/>- `WpdDevices`<br/>- `PrinterDevices` |
 | **Enable device control** <br/>Enable or disable device control on the device | `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`<br/><br/>Integer:<br/>- Disable = `0`<br/>- Enable = `1` |
-| **Evidence data remote location** <br/>Device control moves evidence data captured | `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`<br/><br/>String |
-| **Local evidence cache duration** <br/>Sets the retention period in days for files in the local device control cache | `./Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod`<br/><br/>Integer <br/>Example: `60` (60 days) |
 
 ### Creating policies with OMA-URI
 

defender-endpoint/device-control-policies.md

@@ -660,26 +660,6 @@ Then the group is then referenced as parameters in an entry, as illustrated in t
        </Entry>
 ```
 
-### File Conditions
-
-The following table describes file group properties:
-
-| Name | Description |
-|---|---|
-| `PathId` | String, value of file path or name. <br/>Wildcards are supported. <br/>Only applicable for file type groups. |
-
-The following table illustrates how properties are added to the `DescriptorIdList` of a file group:
-
-```xml
-
-<Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny">
-    <DescriptorIdList>
-        <PathId>*.exe</PathId>
-        <PathId>*.dll</PathId>
-    </DescriptorIdList>
-</Group>
-```
-
 The group is then referenced as parameters in an entry, as illustrated in the following snippet:
 
 ```xml
@@ -734,53 +714,6 @@ The group is then referenced as parameters in an entry, as illustrated in the fo
    </Entry>
 ```
 
-## File evidence
-
-With device control, you can store evidence of files that were copied to removable devices or were printed. When file evidence is enabled, a `RemovableStorageFileEvent` is created. The behavior of file evidence is controlled by options on the Allow action, as described in the following table:
-
-| Option | Description |
-|---|---|
-| `8` | Create a `RemovableStorageFileEvent` event with `FileEvidenceLocation` |
-| `16` | Create a `RemovableStorageFileEvent` without `FileEvidenceLocation` |
-
-The `FileEvidenceLocation` field of has the location of the evidence file, if one is created. The evidence file has a name which ends in `.dup`, and its location is controlled by the `DataDuplicationFolder` setting.
-
-### Storing file evidence in Azure Blob Storage
-
-1. Create an Azure Blob Storage account and container.
-
-2. Create a custom role called `Device Control Evidence Data Provider` for accessing the container.  The role should have the following permissions:
-
-   ```json
-   "permissions": [
-               {
-                   "actions": [
-                       "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-                       "Microsoft.Storage/storageAccounts/blobServices/containers/write",
-                       "Microsoft.Storage/storageAccounts/blobServices/read"
-                   ],
-                   "notActions": [],
-                   "dataActions": [
-                       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
-                       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
-                   ],
-                   "notDataActions": []
-               }
-           ]
-   ```
-
-   Custom roles can be created via [CLI](/azure/role-based-access-control/custom-roles-cli) or [PowerShell](/azure/role-based-access-control/custom-roles-powershell)
-
-   > [!TIP]
-   > The built-in role, [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles/storage) has delete permissions for the container, which is not required to store device control feature evidence. The built-in role, [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles/storage) lacks the write permissions that are required. This is why a custom role is recommended.
-
-   > [!IMPORTANT]
-   > To ensure that the integrity of the file evidence use [Azure Immutable Storage](/azure/storage/blobs/immutable-storage-overview)
-
-3. Assign the users of device control to the `Device Control Evidence Data Provider` role.
-
-4. Set the `RemoteStorageFileEvent` to the URL of the Azure Blob Storage container.
-
 ## Next steps
 
 - [View device control events and information in Microsoft Defender for Endpoint](device-control-report.md)

defender-endpoint/device-control-report.md

@@ -67,34 +67,6 @@ DeviceEvents
 
 ```
 
-### Example 2: Removable storage file event
-
-If a policy is configured to gather file evidence, then a `RemovableStorageFileEvent` is created. The event is generated for both printers and removable storage devices. Here's an example query you can use with advanced hunting:
-
-```kusto
-
-//information of the evidence file
-DeviceEvents
-| where ActionType contains "RemovableStorageFileEvent"
-| extend parsed=parse_json(AdditionalFields)
-| extend Policy = tostring(parsed.Policy)
-| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
-| extend MediaClassName = tostring(parsed.ClassName)
-| extend MediaInstanceId = tostring(parsed.InstanceId)
-| extend MediaName = tostring(parsed.MediaName)
-| extend MediaProductId = tostring(parsed.ProductId)
-| extend MediaVendorId = tostring(parsed.VendorId)
-| extend MediaSerialNumber = tostring(parsed.SerialNumber)
-| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
-| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
-| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
-| order by Timestamp desc
-
-```
-
-> [!NOTE]
-> The `RemovableStorageFileEvent` does not appear immediately after a file is copied to the device. It may take as long as 24 hours to appear.
-
 ## [**Device control report**](#tab/report)
 
 ## Device control report