Mar 07 2022 09:13 AM
Mar 07 2022 09:13 AM
When using the OMA URI policy ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl to block printing via non-corporate printers. It is observed it blocks Print to PDF and Print to XPS function.
Using the Application Guard Security Policy under ASR does not provide the required exclusion.
Does anyone have any idea how to resolve.
Mar 29 2022 07:59 PM
Apr 07 2022 01:40 PM
I've just come across this same exact issue and I'm looking into possible solutions.. I'm really concerned there may not be a way to exempt them, simply based on the way the policy written...
I'll keep you posted.
Jun 14 2022 10:31 PM
Np luck here either. Microsoft allows for exceptions for USB VID/PID but what about everything else?
Jul 11 2022 08:32 AM
Oct 17 2022 07:21 AM
@MaximilianMueller1018 short answer no help with current OS and build but a little more info below from MS.....
- If you are using Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs: yeah, ‘print to PDF’/’print to XPS’ is not supported, because of the technical limitation, we can not support this.
- Because of this gap and several other gaps, we are currently working on a new feature called ‘Printer Protection V2’, which will close this gap.
- Currently this feature is in private preview.
- Different from the V1, the V2 includes two parts: media group and policy. You can create any printer groups, e.g. group_1 for USB Printer, group_2 for ‘print to PDF/XPS’, group_3 for network printer. And then you can create policy to restrict each printer group, for example, overall BLOCK but allow group_1 and group_2 in any conditional and allow group_3 if the enduser is using corporate network or VPN. And you can also mark for allowed printer, have file information (file path), even have a copy of the printed file as evidence.
- V1 is purely powered by OS, but V2 is based on OS and MDE/Defender (passive mode will also work).
- For the private preview, you will need to install specific Windows 11 build/Windows insider Program, we are currently working on backporting.
Dec 14 2022 04:01 PM
Jan 03 2023 07:42 AM
@SecD3 , the V2 code has been released to production for a while, but because of holiday, the public document update has been delayed. V2 OMA-URI and GPO support has been released and Intune UX is in progress.
Jan 20 2023 07:45 AM - edited Jan 20 2023 07:48 AM
@Tewang_Chen So if we use Group Policy and Enable the "Enable Device Control Printer Restrictions" policy, how do we exclude "Microsoft Print to PDF"? It looks like documentation was updated on 1/10/23 but I'm not seeing this addressed. I see a in the requirements "If you're planning to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint joined" I guess that is probably what is preventing it from working in our environment? We don't have our workstations Onboarded to Defender.
Jan 20 2023 09:46 AM
Feb 01 2023 04:58 PM
We have an issue where the "Enable Device Control Printing Restrictions" is set to Disabled (we don't want to manage printers...), but because we have the "Device Control Default Enforcement Policy" set to Default Deny, it blocks all printers anyway.
We have added a new device group into our groups XML (with every imaginable type of printer listed but can't seem to get it to work.
<MatchType>MatchAny</MatchType> <DescriptorIdList> <PrimaryId>PrinterDevices</PrimaryId> <PrinterConnectionId>Corporate</PrinterConnectionId> <PrinterConnectionId>Network</PrinterConnectionId> <FriendlyNameId>Microsoft XPS Document Writer</FriendlyNameId> <FriendlyNameId>Adobe PDF</FriendlyNameId> <FriendlyNameId>Microsoft Print to PDF</FriendlyNameId> </DescriptorIdList>
This seems to only affect Windows 10 22h2, our Windows 11 devices appear to be functioning fine.