Forum Discussion

MCT

Mar 07, 2022

Device Control Printer Protection - Blocks Print to PDF

When using the OMA URI policy ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl to block printing via non-corporate printers. It is observed it blocks Print to PDF and Print to XPS function. ...

Tewang_Chen

Microsoft

Jan 20, 2023

No, the above setting will block 'PDF/XPS' or any network printer.
Please do not use this https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection?view=o365-worldwide, we added note on this doc: If you want to manage printers, see Microsoft Defender for Endpoint Device Control Printer Protection.

you should use: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection-overview?view=o365-worldwide. About how to manage 'PDF', you can search PDF on the doc, the doc explains which policy attribute you can use.
- "File: Microsoft Print to PDF or Microsoft XPS Document Writer. To enforce Microsoft Print to PDF only, use the FriendlyNameId value 'Microsoft Print to PDF'."

Wallace4444

Copper Contributor

Feb 01, 2023

Tewang_Chen

We have an issue where the "Enable Device Control Printing Restrictions" is set to Disabled (we don't want to manage printers...), but because we have the "Device Control Default Enforcement Policy" set to Default Deny, it blocks all printers anyway.

We have added a new device group into our groups XML (with every imaginable type of printer listed but can't seem to get it to work.

	    <MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>PrinterDevices</PrimaryId>
			<PrinterConnectionId>Corporate</PrinterConnectionId>
			<PrinterConnectionId>Network</PrinterConnectionId>
			<FriendlyNameId>Microsoft XPS Document Writer</FriendlyNameId>
			<FriendlyNameId>Adobe PDF</FriendlyNameId>
			<FriendlyNameId>Microsoft Print to PDF</FriendlyNameId>
		</DescriptorIdList>

This seems to only affect Windows 10 22h2, our Windows 11 devices appear to be functioning fine.