ADML/ADMX update for new Device control settings

WindowsDefender.adml

@@ -474,6 +474,12 @@
     If you enable or do not configure this setting, heuristics will be enabled.
 
     If you disable this setting, heuristics will be disabled.</string>
+    <string id="Scan_DisablePackedExeScanning">Scan packed executables</string>
+    <string id="Scan_DisablePackedExeScanning_Explain">This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.
+
+    If you enable or do not configure this setting, packed executables will  be scanned.
+
+    If you disable this setting, packed executables will not be scanned.</string>
     <string id="Scan_DisableRemovableDriveScanning">Scan removable drives</string>
     <string id="Scan_DisableRemovableDriveScanning_Explain">This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
 
@@ -1113,18 +1119,43 @@
     <string id="DeviceControl_DataDuplicationRemoteLocation">Define Device Control evidence data remote location</string>
     <string id="DeviceControl_DataDuplicationRemoteLocation_Explain">
         Define evidence file remote location, where Device Control service will move evidence data captured.
+    </string>
+	<string id="DeviceControl_DataDuplicationLocalRetentionPeriod">Set the retention period for files in the local device control cache</string>
+    <string id="DeviceControl_DataDuplicationLocalRetentionPeriod_Explain">
+        This policy setting determines how long device control retains files for evidence in its local cache on the device. Device control keeps a file in its local cache only if it is unable to upload the file to a designated network share or Azure storage. 
+
+        By default, device control retains files in its local cache for 60 days.
+    </string>
+	<string id="DeviceControl_SecuredDevicesConfiguration">Turn on device control for specific device types</string>
+    <string id="DeviceControl_SecuredDevicesConfiguration_Explain">
+        This policy setting controls which device types, identified by their PrimaryIds, will have device control protection turned on. If you enable this setting for certain device types, device control will regulate access to those devices based on the corresponding custom policy. Device control will be turned off for all other types of supported devices, even if custom protection policies are configured for those devices.
+
+        This setting currently supports these device types: RemovableMediaDevices, CdRomDevices, WpdDevices, and PrinterDevices. 
+
+        If you enable this policy setting but do not specify any PrimaryIds, device control will be turned off across all supported device types.
+
+        If you disable or don’t configure this policy setting, device control will be enforced on all supported devicesbased on their corresponding custom policies.
     </string>
     <string id="Features_DeviceControlEnabled">Device Control</string>
     <string id="DeviceControl_DeviceControlEnabled_Explain">
         Enable or Disable Defender Device Control on this machine.
         Note: You must be enrolled as E3 or E5 in order for Device Control to be enabled.
     </string>
     <string id="Features_TDTFeatureEnabled">Intel TDT Integration Level</string>
-    <string id="Features_TDTFeatureEnabled_Explain">This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
+    <string id="Features_TDTFeatureEnabled_Explain">This policy setting configures the Intel TDT integration level for Intel TDT-capable devices.
+
+        If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.
 
-        If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.
+        If you configure this setting to disabled, Intel TDT integration will turn off.</string>
+    <string id="Features_PassiveRemediation">Enable EDR in block mode</string>
+    <string id="Features_PassiveRemediation_Explain">This policy setting enables or disables EDR in block mode (also known as "passive remediation"). EDR in block mode is recommended for devices running Microsoft Defender Antivirus in passive mode. Available with platform release: 4.18.2202.X
 
-        If you configure this setting to disabled, Intel TDT integration will be turned off.</string>
+        The data type is integer
+
+        Supported values:
+
+        1: Turn EDR in block mode on
+        0: Turn EDR in block mode off</string>
     </stringTable>
     <presentationTable>
     <presentation id="ProxyBypass">
@@ -1332,6 +1363,14 @@
     <textBox refId="DeviceControl_DataDuplicationRemoteLocation">
         <label>Define the Device Control data duplication remote location.</label>
     </textBox>
+    </presentation>
+	<presentation id="DeviceControl_DataDuplicationLocalRetentionPeriod">
+		<decimalTextBox refId="DeviceControl_DataDuplicationLocalRetentionPeriod" defaultValue="60">Set the retention period for files in the local device control cache</decimalTextBox>
+    </presentation>
+	<presentation id="DeviceControl_SecuredDevicesConfiguration">
+    <textBox refId="DeviceControl_SecuredDevicesConfiguration">
+        <label>Turn on device control for specific device types</label>
+    </textBox>
     </presentation>
    </presentationTable>
 </resources>

WindowsDefender.admx

@@ -117,8 +117,21 @@
             <elements>
                 <text id="DeviceControl_DataDuplicationRemoteLocation" valueName="DataDuplicationRemoteLocation" required="true" />
             </elements>
+        </policy>				
+		<policy name="DeviceControl_DataDuplicationLocalRetentionPeriod" class="Machine" displayName="$(string.DeviceControl_DataDuplicationLocalRetentionPeriod)" explainText="$(string.DeviceControl_DataDuplicationLocalRetentionPeriod_Explain)" key="Software\Policies\Microsoft\Windows Defender\Device Control" presentation="$(presentation.DeviceControl_DataDuplicationLocalRetentionPeriod)">
+            <parentCategory ref="DeviceControl" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS1" />
+            <elements>
+                <decimal id="DeviceControl_DataDuplicationLocalRetentionPeriod" valueName="DataDuplicationLocalRetentionPeriod" minValue="0" maxValue="10000"  required="true"/>
+            </elements>
+        </policy>
+		<policy name="DeviceControl_SecuredDevicesConfiguration" class="Machine" displayName="$(string.DeviceControl_SecuredDevicesConfiguration)" explainText="$(string.DeviceControl_SecuredDevicesConfiguration_Explain)" key="Software\Policies\Microsoft\Windows Defender\Device Control" presentation="$(presentation.DeviceControl_SecuredDevicesConfiguration)">
+            <parentCategory ref="DeviceControl" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS1" />
+            <elements>
+                <text id="DeviceControl_SecuredDevicesConfiguration" valueName="SecuredDevicesConfiguration" />
+            </elements>
         </policy>
-
         <policy name="DisableAutoExclusions" class="Machine" displayName="$(string.DisableAutoExclusions)" explainText="$(string.DisableAutoExclusions_Explain)" key="Software\Policies\Microsoft\Windows Defender\Exclusions" valueName="DisableAutoExclusions">
             <parentCategory ref="Exclusions" />
             <supportedOn ref="windows:SUPPORTED_Windows_10_0_SERVER" />
@@ -813,6 +826,16 @@
                 <decimal value="1" />
             </disabledValue>
         </policy>
+        <policy name="Scan_DisablePackedExeScanning" class="Machine" displayName="$(string.Scan_DisablePackedExeScanning)" explainText="$(string.Scan_DisablePackedExeScanning_Explain)" key="Software\Policies\Microsoft\Windows Defender\Scan" valueName="DisablePackedExeScanning">
+            <parentCategory ref="Scan" />
+            <supportedOn ref="windows:SUPPORTED_Windows8" />
+            <enabledValue>
+                <decimal value="0" />
+            </enabledValue>
+            <disabledValue>
+                <decimal value="1" />
+            </disabledValue>
+        </policy>
         <policy name="Scan_DisableRemovableDriveScanning" class="Machine" displayName="$(string.Scan_DisableRemovableDriveScanning)" explainText="$(string.Scan_DisableRemovableDriveScanning_Explain)" key="Software\Policies\Microsoft\Windows Defender\Scan" valueName="DisableRemovableDriveScanning">
             <parentCategory ref="Scan" />
             <supportedOn ref="windows:SUPPORTED_Windows8" />
@@ -1424,7 +1447,7 @@
             </disabledValue>
         </policy>
         <policy name="ExploitGuard_EnableNetworkProtection" class="Machine" displayName="$(string.ExploitGuard_EnableNetworkProtection)" explainText="$(string.ExploitGuard_EnableNetworkProtection_Explain)" key="Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" valueName="EnableNetworkProtection" presentation="$(presentation.ExploitGuard_EnableNetworkProtection)">
-            "<parentCategory ref="ExploitGuard_NetworkProtection" />
+            <parentCategory ref="ExploitGuard_NetworkProtection" />
             <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS3" />
             <elements>
             <enum id="ExploitGuard_EnableNetworkProtection" valueName="EnableNetworkProtection" required="true">
@@ -1517,5 +1540,15 @@
                 <decimal value="2" />
             </disabledValue>
         </policy>
+        <policy name="Features_PassiveRemediation" class="Machine" displayName="$(string.Features_PassiveRemediation)" explainText="$(string.Features_PassiveRemediation_Explain)" key="Software\Policies\Microsoft\Windows Defender\Features" valueName="PassiveRemediation">
+            <parentCategory ref="Features" />
+            <supportedOn ref="windows:SUPPORTED_Windows8" />
+            <enabledValue>
+                <decimal value="1" />
+            </enabledValue>
+            <disabledValue>
+                <decimal value="0" />
+            </disabledValue>
+        </policy>
     </policies>
 </policyDefinitions>