Device Control - Printer and USB


Hi All,

I've got a requirement to configure device control, and I'm having trouble working out the logic. I'm getting quite frustrated with the lack of guidance on it (especially with regard to printers).

I have a set of printers that are allowed (Uniflow, PDF and all printers on the corp network defined by network name). I want to block all other printers, except for members of an Azure AD Group.

There is a DefaultEnforcement of deny configured. The other policies successfully allow the required printers; however, it is the group-defined allow that seems to fail.

Should this code achieve it?

<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
    <!-- Allow All Printers for members of allowprinters -->
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb11f0734-8029-4c90-aff0-95dfc0354584%7d/RuleData -->

    <Name>Allow All Printers</Name>
    <IncludedIdList>
        <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId>    <!-- Specifies a group that only contains Primary ID PrinterDevices -->
    </IncludedIdList>
    <ExcludedIdList>
        <GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId>    <!-- Specifies a group that contains type: Device printers on a matchAny. This group is allowed to print in another policy -->
        <GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId>    <!-- Specifies a group that contains type: Network printers on a matchAny. This group is allowed to print in another policy -->
    </ExcludedIdList>

    <Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
        <Type>Allow</Type>
        <Options>0</Options>
        <AccessMask>64</AccessMask>
        <Sid>12334455-4444-4444-00000000</Sid>    <!-- SID of my Azure AD Group -->
    </Entry>

    <Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}">
        <Type>AuditAllowed</Type>
        <Options>2</Options>
        <AccessMask>64</AccessMask>
        <Sid>12334455-4444-4444-00000000</Sid>
    </Entry>
    <Entry Id="{ab7629ed-d989-4074-9662-773112b171cd}">
        <Type>Deny</Type>
        <Options>0</Options>
        <AccessMask>64</AccessMask>
    </Entry>
    <Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
        <Type>AuditDenied</Type>
        <Options>3</Options>
        <AccessMask>64</AccessMask>
    </Entry>
</PolicyRule>

I believe it's hitting the default deny because there is no user feedback (no notification, which I require). I couldn't see a way of making that notify, hence the denies in this policy.

I can't find anywhere that tells me the hierarchy of the allow/deny. Which takes precedence? It's probably that I don't need to exclude the other groups in here, but will the denies here override the working allow policies?
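
Added example, not from the post: a small standard-library Python check that parses the rule above and flags a Deny entry with no Sid sitting next to a SID-scoped Allow on the same access bit, which is the overlap the question is about. It assumes AccessMask 64 is the Print bit and makes no claim about which entry Defender honours; the embedded policy is a compacted copy of the one posted.

```python
import xml.etree.ElementTree as ET

# Compacted copy of the PolicyRule posted above (comments dropped, SID is the poster's placeholder).
POLICY_XML = """<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
<Name>Allow All Printers</Name>
<IncludedIdList><GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId></IncludedIdList>
<ExcludedIdList><GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId>
<GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId></ExcludedIdList>
<Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}"><Type>Allow</Type><Options>0</Options>
<AccessMask>64</AccessMask><Sid>12334455-4444-4444-00000000</Sid></Entry>
<Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}"><Type>AuditAllowed</Type><Options>2</Options>
<AccessMask>64</AccessMask><Sid>12334455-4444-4444-00000000</Sid></Entry>
<Entry Id="{ab7629ed-d989-4074-9662-773112b171cd}"><Type>Deny</Type><Options>0</Options>
<AccessMask>64</AccessMask></Entry>
<Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}"><Type>AuditDenied</Type><Options>3</Options>
<AccessMask>64</AccessMask></Entry>
</PolicyRule>"""

PRINT = 64  # AccessMask bit for Print in Defender device control (assumption stated in the lead-in)


def parse_entries(xml_text):
    """Return each <Entry> as a dict; 'sid' is None when the entry has no <Sid> scope."""
    entries = []
    for e in ET.fromstring(xml_text).findall("Entry"):
        sid = e.findtext("Sid")
        entries.append({
            "id": e.get("Id"),
            "type": e.findtext("Type"),
            "options": int(e.findtext("Options")),
            "mask": int(e.findtext("AccessMask")),
            "sid": sid.strip() if sid else None,
        })
    return entries


def find_unscoped_conflicts(entries, access_bit=PRINT):
    """Pair every SID-scoped Allow with every Deny that has no SID on the same access bit.

    Both entry kinds sit under the same Included/ExcludedIdList, so they match the same
    devices, and the unscoped Deny also matches the users the Allow is meant to exempt.
    The check only surfaces that the rule contains both; it does not decide precedence.
    """
    allows = [e for e in entries if e["type"] == "Allow" and e["sid"] and e["mask"] & access_bit]
    denies = [e for e in entries if e["type"] == "Deny" and not e["sid"] and e["mask"] & access_bit]
    return [(a["id"], d["id"]) for a in allows for d in denies]


if __name__ == "__main__":
    for allow_id, deny_id in find_unscoped_conflicts(parse_entries(POLICY_XML)):
        print(f"Allow {allow_id} is SID-scoped but Deny {deny_id} applies to all users on Print")
```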
