Device Control - Printer and USB

Copper Contributor

Hi All,


I've got a requirement to configure device control, and I'm having trouble working out the logic and I'm getting quite frustrated with the lack of guidance on it (especially with regards to printers).


I have a set of printers that are allowed (Uniflow, PDF and all printers on the corp network defined by network name).  I want to block all other printers, except for members of an Azure AD Group.  


There is a DefaultEnforcement of deny configured.  The other policies successfully allow the required printers, however it is the group defined allow that seems to fail.


Should this code achieve it?

<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
    <!-- Allow All Printers for members of allowprinters -->
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb11f0734-8029-4c90-aff0-95dfc0354584%7d/RuleData -->

    <Name>Allow All Printers</Name>
    <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId>    <!-- Specifies a group that only contains Primary ID PrinterDevices -->
    <GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId>    <!-- Specifies a group that contains type: Device printers on a matchAny. This group is allowed to print in another policy -->
    <GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId>    <!-- Specifies a group that contains type: Network printers on a matchAny. This group is allowed to print in another policy -->

    <Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
        <Sid>12334455-4444-4444-00000000</Sid>  <!-- SID of my Azure AD Group -->
        <!-- remaining child elements of this entry were not included in the post -->
    </Entry>

    <Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}">
        <!-- entry body not included in the post -->
    </Entry>
    <Entry Id="{ab7629ed-d989-4074-9662-773112b171cd}">
        <!-- entry body not included in the post -->
    </Entry>
    <Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
        <!-- entry body not included in the post -->
    </Entry>
</PolicyRule>


I believe it's hitting the default deny because there is no user feedback (no notification, which I require). I couldn't see a way of making that notify, hence the denies in this policy.  


I can't find anywhere that tells me the hierarchy of the allow/deny. Which takes precedence? It's probable I don't need to exclude the other groups in here, but will the denies here override the working allow policies?
0 Replies
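Added example (not from the post, and not Microsoft's code): a small Python linter for a Defender for Endpoint device control `<PolicyRule>` that flags the structural problems a rule shaped like the one in the post tends to have, namely `<GroupId>` elements sitting directly under `<PolicyRule>` instead of inside `<IncludedIdList>`/`<ExcludedIdList>`, entries with no `<Type>`, `<Options>` or `<AccessMask>`, and a `<Sid>` that is not in SID form. It assumes the element names of the device control rule schema (PolicyRule, Name, IncludedIdList, ExcludedIdList, GroupId, Entry, Type, Options, AccessMask, Sid). The two sample rules embedded in it are constructed for the example; the GUIDs in the "broken" sample are copied from the post, while the AccessMask value 64 (Print) and the `S-1-12-1-` prefix for an Entra ID / Azure AD group SID are taken from my reading of the docs and should be checked against the current schema before you rely on them.

```python
"""Lint a Defender for Endpoint device control <PolicyRule> for structural
problems before deploying it.  Added example; not the poster's or Microsoft's code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the rule in the post (GUIDs copied from
# the post): GroupIds not wrapped in IncludedIdList, entry with only a Sid.
BROKEN_RULE = """<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
  <Name>Allow All Printers</Name>
  <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId>
  <Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
    <Sid>12334455-4444-4444-00000000</Sid>
  </Entry>
</PolicyRule>"""

# Constructed sample of the same rule in the documented shape.  All GUIDs and the
# SID are made-up placeholders; AccessMask 64 is the Print bit as I read the docs.
WELL_FORMED_RULE = """<PolicyRule Id="{11111111-2222-3333-4444-555555555555}">
  <Name>Allow printing for the allowprinters group</Name>
  <IncludedIdList>
    <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId>
  </IncludedIdList>
  <Entry Id="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}">
    <Type>Allow</Type>
    <Options>0</Options>
    <AccessMask>64</AccessMask>
    <Sid>S-1-12-1-1111111111-2222222222-3333333333-4444444444</Sid>
  </Entry>
</PolicyRule>"""

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
ENTRY_TYPES = {"Allow", "Deny", "AuditAllowed", "AuditDenied"}


def lint_policy_rule(xml_text: str) -> list[str]:
    """Return human-readable findings for one <PolicyRule>; an empty list means clean."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "PolicyRule":
        return [f"root element is <{root.tag}>, expected <PolicyRule>"]
    if not GUID_RE.match(root.get("Id", "")):
        findings.append("PolicyRule Id is not a braced GUID")
    if root.find("Name") is None:
        findings.append("PolicyRule has no <Name>")

    # GroupIds belong inside IncludedIdList / ExcludedIdList, never directly under PolicyRule.
    stray = root.findall("GroupId")
    if stray:
        findings.append(f"{len(stray)} <GroupId> element(s) directly under <PolicyRule>; "
                        "wrap them in <IncludedIdList> or <ExcludedIdList>")
    included = [g.text.strip() for g in root.findall("IncludedIdList/GroupId") if g.text]
    excluded = [g.text.strip() for g in root.findall("ExcludedIdList/GroupId") if g.text]
    if not included:
        findings.append("no <IncludedIdList>/<GroupId>: the rule targets no device group")
    for gid in root.iter("GroupId"):
        if not GUID_RE.match((gid.text or "").strip()):
            findings.append(f"GroupId {gid.text!r} is not a braced GUID")
    for gid in sorted(set(included) & set(excluded)):
        findings.append(f"group {gid} is both included and excluded")

    # Every entry needs a Type, numeric Options and AccessMask; a Sid, if present, must be a real SID.
    entries = root.findall("Entry")
    if not entries:
        findings.append("rule has no <Entry>; nothing is allowed or denied")
    for entry in entries:
        eid = entry.get("Id", "")
        label = f"entry {eid or '<no Id>'}"
        if not GUID_RE.match(eid):
            findings.append(f"{label}: Id is not a braced GUID")
        etype = (entry.findtext("Type") or "").strip()
        if etype not in ENTRY_TYPES:
            findings.append(f"{label}: <Type> missing or not one of {sorted(ENTRY_TYPES)}")
        for child in ("Options", "AccessMask"):
            if not (entry.findtext(child) or "").strip().isdigit():
                findings.append(f"{label}: <{child}> missing or not an integer")
        sid = entry.findtext("Sid")
        if sid is not None and not SID_RE.match(sid.strip()):
            findings.append(f"{label}: <Sid> {sid.strip()!r} is not in SID form (S-1-...); "
                            "an Entra ID group SID normally starts with S-1-12-1-")
    return findings


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("well-formed", WELL_FORMED_RULE)):
        print(f"--- {name} ---")
        for finding in lint_policy_rule(rule) or ["no findings"]:
            print(" ", finding)
```

Run it against your exported RuleData before pushing it through Intune or the OMA-URI; a rule that passes the linter is only structurally sound, it still has to be tested on a pilot device because the linter knows nothing about which group or entry wins at evaluation time.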