Device Control Printer Protection - Blocks Print to PDF

Occasional Contributor

When using the OMA URI policy  ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl to block printing via non-corporate printers. It is observed it blocks Print to PDF and Print to XPS function.


Using the Application Guard Security Policy under ASR does not provide the required exclusion.


Does anyone have any idea how to resolve.



12 Replies
Whoa 112 views and no replies, guess, if i fix this i will be solving a big problem. Seems no one has a fix.


I've just come across this same exact issue and I'm looking into possible solutions..  I'm really concerned there may not be a way to exempt them, simply based on the way the policy written...


I'll keep you posted.





I have had NO luck trying to get this working, you make any progress?
same here, no luck.

Np luck here either. Microsoft allows for exceptions for USB VID/PID but what about everything else?

@Gineok630 and @effjaay 

I am looking into this as well, utilizing the PID/VIDs works as expected on printers but have had no luck finding a way to allow for Print to PDF or OneNote, Wanted to see if you two or anyone else has had any luck. 



We're also experiencing the same issue - I've opened a ticket with MS.
Thank you for the update, i currently have a case open with MS as well.
any respond on that? facing the same issue.

@MaximilianMueller1018 short answer no help with current OS and build but a little more info below from MS..... 


- If you are using Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs: yeah, ‘print to PDF’/’print to XPS’ is not supported, because of the technical limitation, we can not support this.
- Because of this gap and several other gaps, we are currently working on a new feature called ‘Printer Protection V2’, which will close this gap.
- Currently this feature is in private preview.

- Different from the V1, the V2 includes two parts: media group and policy. You can create any printer groups, e.g. group_1 for USB Printer, group_2 for ‘print to PDF/XPS’, group_3 for network printer. And then you can create policy to restrict each printer group, for example, overall BLOCK but allow group_1 and group_2 in any conditional and allow group_3 if the enduser is using corporate network or VPN. And you can also mark for allowed printer, have file information (file path), even have a copy of the printed file as evidence.

- V1 is purely powered by OS, but V2 is based on OS and MDE/Defender (passive mode will also work).

- For the private preview, you will need to install specific Windows 11 build/Windows insider Program, we are currently working on backporting.



thanks for the advanced reply!

any ETA on public availability?