@Gineok630 and @effjaay 

I am looking into this as well, utilizing the PID/VIDs works as expected on printers but have had no luck finding a way to allow for Print to PDF or OneNote, Wanted to see if you two or anyone else has had any luck. 

Thanks! 

@MaximilianMueller1018 short answer no help with current OS and build but a little more info below from MS..... 

- If you are using Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs: yeah, ‘print to PDF’/’print to XPS’ is not supported, because of the technical limitation, we can not support this.
- Because of this gap and several other gaps, we are currently working on a new feature called ‘Printer Protection V2’, which will close this gap.
- Currently this feature is in private preview.

- Different from the V1, the V2 includes two parts: media group and policy. You can create any printer groups, e.g. group_1 for USB Printer, group_2 for ‘print to PDF/XPS’, group_3 for network printer. And then you can create policy to restrict each printer group, for example, overall BLOCK but allow group_1 and group_2 in any conditional and allow group_3 if the enduser is using corporate network or VPN. And you can also mark for allowed printer, have file information (file path), even have a copy of the printed file as evidence.

- V1 is purely powered by OS, but V2 is based on OS and MDE/Defender (passive mode will also work).

- For the private preview, you will need to install specific Windows 11 build/Windows insider Program, we are currently working on backporting.

@TSMasonHQ642 

thanks for the advanced reply!

@SecD3 , the V2 code has been released to production for a while, but because of holiday, the public document update has been delayed. V2 OMA-URI and GPO support has been released and Intune UX is in progress.

@Tewang_Chen So if we use Group Policy and Enable the "Enable Device Control Printer Restrictions" policy, how do we exclude "Microsoft Print to PDF"?  It looks like documentation was updated on 1/10/23 but I'm not seeing this addressed.  I see a in the requirements "If you're planning to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint joined" I guess that is probably what is preventing it from working in our environment?  We don't have our workstations Onboarded to Defender.

@Tewang_Chen 

We have an issue where the "Enable Device Control Printing Restrictions" is set to Disabled (we don't want to manage printers...), but because we have the "Device Control Default Enforcement Policy" set to Default Deny, it blocks all printers anyway.

We have added a new device group into our groups XML (with every imaginable type of printer listed but can't seem to get it to work.

	    <MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrimaryId>PrinterDevices</PrimaryId>
			<PrinterConnectionId>Corporate</PrinterConnectionId>
			<PrinterConnectionId>Network</PrinterConnectionId>
			<FriendlyNameId>Microsoft XPS Document Writer</FriendlyNameId>
			<FriendlyNameId>Adobe PDF</FriendlyNameId>
			<FriendlyNameId>Microsoft Print to PDF</FriendlyNameId>
		</DescriptorIdList>

This seems to only affect Windows 10 22h2, our Windows 11 devices appear to be functioning fine.