Microsoft Tech Community

Device Control Printer Protection - Blocks Print to PDF


When using the OMA-URI policy ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl to block printing via non-corporate printers, it is observed that it blocks the Print to PDF and Print to XPS functions.

Using the Application Guard Security Policy under ASR does not provide the required exclusion.

Does anyone have any idea how to resolve this?

Thanks

Whoa, 112 views and no replies. I guess if I fix this I will be solving a big problem. Seems no one has a fix.

@effjaay 

I've just come across this same exact issue and I'm looking into possible solutions. I'm really concerned there may not be a way to exempt them, simply based on the way the policy is written...

I'll keep you posted.

Thanks,

-Corey

I have had NO luck trying to get this working, you make any progress?
Same here, no luck.

No luck here either. Microsoft allows exceptions for USB VID/PID, but what about everything else?

@Gineok630 and @effjaay 

I am looking into this as well. Utilizing the PID/VIDs works as expected on printers, but I have had no luck finding a way to allow Print to PDF or OneNote. Wanted to see if you two or anyone else has had any luck.

Thanks!

We're also experiencing the same issue - I've opened a ticket with MS.
Thank you for the update, I currently have a case open with MS as well.
Any response on that? Facing the same issue.

@MaximilianMueller1018 short answer: no help with the current OS and build, but a little more info below from MS:

- If you are using Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs: yeah, 'print to PDF'/'print to XPS' is not supported; because of a technical limitation, we cannot support this.
- Because of this gap and several other gaps, we are currently working on a new feature called 'Printer Protection V2', which will close this gap.
- Currently this feature is in private preview.
- Different from V1, V2 includes two parts: media group and policy. You can create any printer groups, e.g. group_1 for USB printers, group_2 for 'print to PDF/XPS', group_3 for network printers. Then you can create a policy to restrict each printer group, for example: overall BLOCK, but allow group_1 and group_2 under any condition, and allow group_3 if the end user is on the corporate network or VPN. And you can also mark allowed printers, have file information (file path), and even keep a copy of the printed file as evidence.
- V1 is purely powered by the OS, but V2 is based on the OS and MDE/Defender (passive mode will also work).
- For the private preview, you will need to install a specific Windows 11 build / Windows Insider Program build; we are currently working on backporting.

@TSMasonHQ642

Thanks for the advanced reply!

any ETA on public availability?
Hi, please do not use the V1 Printer Protection solution. V2 has passed Private Preview and the code has been released to production; we are currently working to update the public doc, which should be released in Jan.
Where can we find V2? Is there an Intune settings catalog entry?

@SecD3, the V2 code has been released to production for a while, but because of the holidays the public document update has been delayed. V2 OMA-URI and GPO support has been released, and the Intune UX is in progress.

@Tewang_Chen So if we use Group Policy and enable the "Enable Device Control Printer Restrictions" policy, how do we exclude "Microsoft Print to PDF"? It looks like the documentation was updated on 1/10/23, but I'm not seeing this addressed. I see in the requirements: "If you're planning to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint joined". I guess that is probably what is preventing it from working in our environment? We don't have our workstations onboarded to Defender.

No, the above setting will block 'PDF/XPS' or any network printer.
Please do not use this https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection?view=o...; we added a note to this doc: If you want to manage printers, see Microsoft Defender for Endpoint Device Control Printer Protection.

You should use: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection-overvi.... About how to manage 'PDF', you can search for PDF in the doc; the doc explains which policy attribute you can use:
- "File: Microsoft Print to PDF or Microsoft XPS Document Writer. To enforce Microsoft Print to PDF only, use the FriendlyNameId value 'Microsoft Print to PDF'."
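For concreteness, here is an added example (not from this thread and not Microsoft's own sample) of the V2 group-plus-policy shape described above: one narrow group that identifies the PDF/XPS pseudo-printers by FriendlyNameId, one broad group matching every printer, and two rules that allow printing to the narrow group and deny the rest. All GUIDs are placeholders, and the Entry values (Options 0, AccessMask 64 for Print) are my reading of the V2 schema, so check them against the current printer-protection-overview doc before deploying.

```xml
<!-- groups.xml (constructed example; every GUID is a placeholder to replace) -->
<Groups>
    <!-- Narrow group: only the PDF/XPS pseudo-printers, matched by friendly name.
         No <PrimaryId>PrinterDevices</PrimaryId> here: with MatchAny that alone matches every printer. -->
    <Group Id="{PLACEHOLDER-GUID-PDF-GROUP}" Type="Device">
        <Name>Local PDF and XPS writers</Name>
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
            <FriendlyNameId>Microsoft Print to PDF</FriendlyNameId>
            <FriendlyNameId>Microsoft XPS Document Writer</FriendlyNameId>
        </DescriptorIdList>
    </Group>
    <Group Id="{PLACEHOLDER-GUID-ALL-PRINTERS}" Type="Device">
        <Name>Any printer</Name>
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
            <PrimaryId>PrinterDevices</PrimaryId>
        </DescriptorIdList>
    </Group>
</Groups>
<!-- rules.xml (constructed example): allow the narrow group, deny everything else -->
<PolicyRules>
    <PolicyRule Id="{PLACEHOLDER-GUID-RULE-ALLOW-PDF}">
        <Name>Allow Print to PDF and XPS</Name>
        <IncludedIdList>
            <GroupId>{PLACEHOLDER-GUID-PDF-GROUP}</GroupId>
        </IncludedIdList>
        <ExcludedIdList></ExcludedIdList>
        <Entry Id="{PLACEHOLDER-GUID-ENTRY-ALLOW}">
            <Type>Allow</Type>
            <Options>0</Options>
            <AccessMask>64</AccessMask> <!-- assumed: 64 = Print access -->
        </Entry>
    </PolicyRule>
    <PolicyRule Id="{PLACEHOLDER-GUID-RULE-DENY-REST}">
        <Name>Block all other printers</Name>
        <IncludedIdList>
            <GroupId>{PLACEHOLDER-GUID-ALL-PRINTERS}</GroupId>
        </IncludedIdList>
        <ExcludedIdList>
            <GroupId>{PLACEHOLDER-GUID-PDF-GROUP}</GroupId>
        </ExcludedIdList>
        <Entry Id="{PLACEHOLDER-GUID-ENTRY-DENY}">
            <Type>Deny</Type>
            <Options>0</Options>
            <AccessMask>64</AccessMask>
        </Entry>
    </PolicyRule>
</PolicyRules>
```

The two documents are delivered separately (groups and rules are distinct OMA-URI/GPO payloads); the explicit ExcludedIdList on the deny rule is what keeps the PDF/XPS group out of the block even though it also matches the broad PrinterDevices group.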

Thank you for the quick response.

@Tewang_Chen 

We have an issue where "Enable Device Control Printing Restrictions" is set to Disabled (we don't want to manage printers...), but because we have the "Device Control Default Enforcement Policy" set to Default Deny, it blocks all printers anyway.

We have added a new device group into our groups XML (with every imaginable type of printer listed) but can't seem to get it to work.

<!-- Enclosing <Group> element added here so the fragment is well-formed; the Id is a placeholder GUID -->
<Group Id="{PLACEHOLDER-GUID}" Type="Device">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
        <PrimaryId>PrinterDevices</PrimaryId>
        <PrinterConnectionId>Corporate</PrinterConnectionId>
        <PrinterConnectionId>Network</PrinterConnectionId>
        <FriendlyNameId>Microsoft XPS Document Writer</FriendlyNameId>
        <FriendlyNameId>Adobe PDF</FriendlyNameId>
        <FriendlyNameId>Microsoft Print to PDF</FriendlyNameId>
    </DescriptorIdList>
</Group>

This seems to only affect Windows 10 22H2; our Windows 11 devices appear to be functioning fine.