Aug 24 2023 10:49 AM
Hi All,
I've got a requirement to configure device control, and I'm having trouble working out the logic and I'm getting quite frustrated with the lack of guidance on it (especially with regards to printers).
I have a set of printers that are allowed (Uniflow, PDF and all printers on the corp network defined by network name). I want to block all other printers, except for members of an Azure AD Group.
There is a DefaultEnforcement of deny configured. The other policies successfully allow the required printers, however it is the group defined allow that seems to fail.
Should this code achieve it?
<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
    <!-- Allow All Printers for members of allowprinters -->
    <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb11f0734-8029-4c90-aff0-95dfc0354584%7d/RuleData -->
    <Name>Allow All Printers</Name>
    <IncludedIdList>
        <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId> <!-- Specifies a group that only contains Primary ID PrinterDevices -->
    </IncludedIdList>
    <ExcludedIdList>
        <GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId> <!-- Specifies a group that contains type: Device printers on a MatchAny. This group is allowed to print in another policy -->
        <GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId> <!-- Specifies a group that contains type: Network printers on a MatchAny. This group is allowed to print in another policy -->
    </ExcludedIdList>
    <Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
        <Type>Allow</Type>
        <Options>0</Options>
        <AccessMask>64</AccessMask>
        <Sid>12334455-4444-4444-00000000</Sid> <!-- SID of my Azure AD Group -->
    </Entry>
    <Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}">
        <Type>AuditAllowed</Type>
        <Options>2</Options>
        <AccessMask>64</AccessMask>
        <Sid>12334455-4444-4444-00000000</Sid>
    </Entry>
    <Entry Id="{ab7629ed-d989-4074-9662-773112b171cd}">
        <Type>Deny</Type>
        <Options>0</Options>
        <AccessMask>64</AccessMask>
    </Entry>
    <Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
        <Type>AuditDenied</Type>
        <Options>3</Options>
        <AccessMask>64</AccessMask>
    </Entry>
</PolicyRule>
I believe it's hitting the default deny because there is no user feedback (no notification, which I require). I couldn't see a way of making that notify, hence the denies in this policy.
I can't find anywhere that tells me the hierarchy of the allow/deny. Which takes precedence? It's probable I don't need to exclude the other groups in here, but will the denies here override the working allow policies?
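As an added example (my own code, not from the poster and not a Microsoft tool), here is a small Python lint that parses a Device Control PolicyRule like the one above and spells out what each Entry actually scopes to: which access bits it covers, whether it is limited to a Sid or applies to every user, and whether each Sid is even in NT SID form (S-1-...). It does not decide which rule wins; it only makes the logic visible so a defender can check the rule matches the intent before pushing it. The AccessMask bit names are taken from the published Defender device control table as I recall it and should be verified against the current docs; the XML is the poster's rule with the placeholder SIDs copied in as constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the PolicyRule from the post, copied in so the script
# runs offline. The Sid values are the poster's placeholders, not real SIDs.
POLICY_XML = """
<PolicyRule Id="{b11f0734-8029-4c90-aff0-95dfc0354584}">
  <Name>Allow All Printers</Name>
  <IncludedIdList>
    <GroupId>{6505f4e3-57e5-41d8-9eeb-864f3a7206f9}</GroupId>
  </IncludedIdList>
  <ExcludedIdList>
    <GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId>
    <GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId>
  </ExcludedIdList>
  <Entry Id="{5d660ff3-a19f-47ae-8779-ca6a989d9780}">
    <Type>Allow</Type><Options>0</Options><AccessMask>64</AccessMask>
    <Sid>12334455-4444-4444-00000000</Sid>
  </Entry>
  <Entry Id="{f9f6d219-1332-4c64-b6cb-2e14c65cd243}">
    <Type>AuditAllowed</Type><Options>2</Options><AccessMask>64</AccessMask>
    <Sid>12334455-4444-4444-00000000</Sid>
  </Entry>
  <Entry Id="{ab7629ed-d989-4074-9662-773112b171cd}">
    <Type>Deny</Type><Options>0</Options><AccessMask>64</AccessMask>
  </Entry>
  <Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
    <Type>AuditDenied</Type><Options>3</Options><AccessMask>64</AccessMask>
  </Entry>
</PolicyRule>
"""

# AccessMask bit names (assumption: from the Defender device control docs as
# I recall them; 64 is the Print bit the poster's rule uses throughout).
ACCESS_BITS = {1: "DeviceRead", 2: "DeviceWrite", 4: "DeviceExecute",
               8: "FileRead", 16: "FileWrite", 32: "FileExecute", 64: "Print"}

# NT SID shape; an Azure AD group SID also takes this S-1-... form.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def decode_access(mask: int) -> list:
    """Expand an AccessMask integer into the named bits it sets."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def summarize_entries(root) -> list:
    """One dict per Entry: type, options, decoded access and user scope."""
    entries = []
    for e in root.findall("Entry"):
        sid = e.findtext("Sid")
        entries.append({
            "id": e.get("Id"),
            "type": e.findtext("Type"),
            "options": int(e.findtext("Options", "0")),
            "access": decode_access(int(e.findtext("AccessMask", "0"))),
            "sid": sid,
            # An Entry without a Sid is not limited to any user or group.
            "scope": sid if sid else "all users (no Sid)",
        })
    return entries


def lint_policy_rule(xml_text: str) -> dict:
    """Parse a PolicyRule and return its entries plus a list of findings."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    included = {g.text for g in root.findall("IncludedIdList/GroupId")}
    excluded = {g.text for g in root.findall("ExcludedIdList/GroupId")}
    for gid in sorted(included & excluded):
        findings.append(f"group {gid} is both included and excluded")
    entries = summarize_entries(root)
    for ent in entries:
        if ent["sid"] is not None and not SID_RE.match(ent["sid"]):
            findings.append(f"{ent['type']} entry {ent['id']}: Sid "
                            f"'{ent['sid']}' is not an NT SID (S-1-...)")
        if ent["sid"] is None and ent["type"] in ("Deny", "AuditDenied"):
            findings.append(f"{ent['type']} entry {ent['id']}: no Sid, so it "
                            "applies to all users; confirm that is intended "
                            "next to the group-scoped Allow entry")
    return {"name": root.findtext("Name"), "entries": entries,
            "findings": findings}


if __name__ == "__main__":
    report = lint_policy_rule(POLICY_XML)
    print(report["name"])
    for ent in report["entries"]:
        print(f"  {ent['type']:<12} options={ent['options']} "
              f"access={ent['access']} scope={ent['scope']}")
    for f in report["findings"]:
        print("  finding:", f)
```

Run it against the rule exported from Intune (or the XML before you upload it): the placeholder SIDs are reported as malformed, and the two deny-side entries are reported as unscoped, which is the piece of the logic the question hinges on.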