@Van M, thanks for posting in Q&A. From your description, I know the policy has deployed to the devices successfully, and we get an error when enabling it on the device side. The error message is "The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:".
For this error, based on my research, it seems Windows has detected an attached Direct Memory Access (DMA)-capable device that might expose a DMA threat. Please verify with the original equipment manufacturer (OEM) that the device has no external DMA ports, and add the device to the allowed list to see if it works.
Hope the above information can help.