Deploy and manage using group policy

Applies to:

The Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printing, with or without exclusions.

Licensing requirements

Before you get started with Printer Protection, confirm your Microsoft 365 subscription. To access and use Printer Protection through Group Policy, you must have Microsoft 365 E5.

Deploy using group policy

  1. Enable or Disable Device control:

    You can enable or disable Device control as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control.
    • In the Device Control window, select Enabled.

    Screenshot of Enabling RSAC using Group Policy.

    The purpose of this configuration is to temporarily disable device control on a specific machine.

    Note

    If you don't see these group policy objects, you need to add the group policy administrative template. You can download the administrative templates (WindowsDefender.admx and WindowsDefender.adml) from the samples.

    This configuration controls both Removable Storage Access Control and Printer Protection.

  2. Set Default Enforcement:

    You can set the default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

    For example, suppose you have either a Deny or an Allow policy for RemovableMediaDevices, but none for CdRomDevices or WpdDevices. If you set Default Deny through this policy, Read/Write/Execute access to CdRomDevices and WpdDevices is blocked.

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement

    • In the Select Device Control Default Enforcement pane, select Default Deny:

    Screenshot of setting Default Enforcement = Deny using Group Policy.

    Note

    This configuration controls both Removable Storage Access Control and Printer Protection. If you only want to manage storage, make sure to create an Allow policy for printers. Otherwise, this Default Enforcement is applied to printers as well.

  3. Create one XML file for printer group(s):

    Use the properties in the printer group to create one XML file for the printer group(s), save the XML file to a network share, and define the setting as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.

    Screenshot of Define device control policy groups.

    • In the Define device control policy groups window, specify the network share file path containing the XML groups data.

    See Overview > Group. You can create different group types. Here's one example group XML file that defines an any-network-printer group, a USB printer group, and a PDF/XPS printer group: XML file.

    Note

    Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

  4. Create one XML file for access policy rule(s):

    Use the properties in the printer protection policy rule(s) to create an XML file for each group's printer access policy rule, save the XML file to a network share, and define the setting as follows:

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.

      Screenshot of define device control policy rules.

    • In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.

    See Overview > Access policy rule. You can use Parameters to set conditions for a specific Entry. Here's one example XML file.

    Note

    Comments using XML comment notation <!-- COMMENT --> can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

  5. Set location for a copy of the file (evidence):

    If you want to keep a copy of the file (evidence) when print access happens, set the appropriate Options in the Printer Protection policy rule in the XML file, and then specify the location where the system can save the copy.

    • Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define Device Control evidence data remote location.

    • In the Define Device Control evidence data remote location pane, select Enabled, and then specify the local or network share folder path.

      Screenshot of Define Device Control evidence data remote location.

Scenarios

Here are some common scenarios to help you become familiar with Microsoft Defender for Endpoint Printer Protection. In the following samples, 'Default Enforcement' isn't used because 'Default Enforcement' applies to both removable storage and printers.

Scenario 1: Prevent all printing, but allow printing through a specific approved USB printer when the machine is on the corporate network or VPN connected, or printing to a PDF/XPS file

Allows printing only through an approved USB printer when the machine is on the corporate network or VPN connected, or printing to a PDF/XPS file.

You can download the files here, Printer Protection Samples.

  1. Create an any-printer group, an allowed-USB printer group, and an allowed-file printer group.

    1. Group 1: Any printer group.

      Screenshot of the Group 1 (any printer) definition.

    2. Group 2: Allowed-USB printer group.

      Screenshot of the Group 2 (approved USB printers) definition.

    3. Group 3: Allowed PDF/XPS file printer group. The following PrinterConnectionId is used, but if you want to allow only PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended.

      Screenshot of the Group 3 (file printer) definition.

      Combine these groups into one XML file. See step 3 of the Deploy using group policy section to deploy this configuration.

      Tip

      Replace & with &amp; in the value.

  2. Create policy.

    1. Create an Allow and Audit policy for the allowed-file printer group.

      Screenshot of the Allow and Audit policy for the file printer group.

    2. Create a policy that allows the authorized USB printer only when the machine is on the corporate network OR VPN connected.

      Screenshot of the conditional Allow policy for the approved USB printer group.

    3. Create a Default Deny custom policy for any other printers.

      Screenshot of the Default Deny policy for all other printers.

    Combine these policy rules into one XML file. See step 4 of the Deploy using group policy section to deploy this configuration.
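As an added example (not part of the Microsoft page or its sample files), the following Python builds the three groups and three policy rules of Scenario 1 as the two XML files that steps 3 and 4 of the Deploy using group policy section point the Group Policy settings at, and runs the two checks worth doing before copying them to the network share: that each file is well-formed (a raw & in a value breaks parsing, which is what the Tip above is about) and that every GroupId a rule includes or excludes is actually defined in the groups file. Only PrinterConnectionId, FriendlyNameId, Parameters, Entry and Options appear on the page; VID_PID, Network/NetworkCategoryId, VPNConnection/VPNConnectionStatusId, AccessMask 64 for Print, and the Options values are assumptions from my recollection of the Device Control schema and should be checked against the Printer Protection Samples. All GUIDs and the VID_PID value are constructed placeholders.

```python
"""Added example, not code from the Microsoft page: Scenario 1's printer groups and
policy rules as Device Control XML, plus checks to run before the files go to the share.
Assumptions (verify against the page's Printer Protection Samples): element names, the
Parameters/Network/VPNConnection condition syntax and the PrinterConnectionId/VID_PID/
FriendlyNameId descriptors follow the schema as I recall it; AccessMask 64 is Print;
Options 2 (AuditAllowed) / 3 (AuditDenied) send an event / notify and send an event;
every GUID and the VID_PID value are constructed placeholders."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PRINT_ACCESS = 64  # assumed AccessMask bit for Print


def guid(n: int) -> str:
    """Constructed, deterministic placeholder GUID; use real unique GUIDs in production."""
    return "{%08x-0000-4000-8000-%012x}" % (n, n)


def entry(n: int, kind: str, options: int, parameters: str = "") -> str:
    """One <Entry> element; kind is Allow, Deny, AuditAllowed or AuditDenied."""
    return (f'<Entry Id="{guid(n)}"><Type>{kind}</Type><Options>{options}</Options>'
            f"<AccessMask>{PRINT_ACCESS}</AccessMask>{parameters}</Entry>")


ANY_PRINTER_GROUP, USB_PRINTER_GROUP, FILE_PRINTER_GROUP = guid(1), guid(2), guid(3)
PDF_PRINTER_NAME = escape("Microsoft Print to PDF")  # escape(): '&' -> '&amp;' (the Tip)

GROUPS_XML = f"""<Groups>
  <!-- Group 1: any printer; list every connection type the schema defines -->
  <Group Id="{ANY_PRINTER_GROUP}">
    <DescriptorIdList>
      <PrinterConnectionId>USB</PrinterConnectionId>
      <PrinterConnectionId>Network</PrinterConnectionId>
      <PrinterConnectionId>File</PrinterConnectionId>
    </DescriptorIdList>
  </Group>
  <!-- Group 2: approved USB printers by hardware ID (constructed VID_PID) -->
  <Group Id="{USB_PRINTER_GROUP}">
    <DescriptorIdList><VID_PID>ABCD_1234</VID_PID></DescriptorIdList>
  </Group>
  <!-- Group 3: file printer; FriendlyNameId limits it to PDF only -->
  <Group Id="{FILE_PRINTER_GROUP}">
    <DescriptorIdList><FriendlyNameId>{PDF_PRINTER_NAME}</FriendlyNameId></DescriptorIdList>
  </Group>
</Groups>
"""

# Rule 2 condition (element names assumed): on the domain network OR VPN connected.
CORP_OR_VPN = """<Parameters MatchType="MatchAny">
      <Network MatchType="MatchAny"><NetworkCategoryId>DomainAuthenticated</NetworkCategoryId></Network>
      <VPNConnection MatchType="MatchAny"><VPNConnectionStatusId>Connected</VPNConnectionStatusId></VPNConnection>
    </Parameters>"""

RULES_XML = f"""<PolicyRules>
  <!-- Rule 1: allow printing to the PDF printer and audit every print job -->
  <PolicyRule Id="{guid(10)}">
    <Name>Allow and audit file printer</Name>
    <IncludedIdList><GroupId>{FILE_PRINTER_GROUP}</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    {entry(11, 'Allow', 0)}
    {entry(12, 'AuditAllowed', 2)}
  </PolicyRule>
  <!-- Rule 2: approved USB printers, only on the corporate network or over VPN -->
  <PolicyRule Id="{guid(20)}">
    <Name>Allow approved USB printer on corporate network or VPN</Name>
    <IncludedIdList><GroupId>{USB_PRINTER_GROUP}</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    {entry(21, 'Allow', 0, CORP_OR_VPN)}
  </PolicyRule>
  <!-- Rule 3: deny every other printer; excluding groups 2 and 3 leaves them to rules 1-2 -->
  <PolicyRule Id="{guid(30)}">
    <Name>Deny all other printers</Name>
    <IncludedIdList><GroupId>{ANY_PRINTER_GROUP}</GroupId></IncludedIdList>
    <ExcludedIdList>
      <GroupId>{USB_PRINTER_GROUP}</GroupId><GroupId>{FILE_PRINTER_GROUP}</GroupId>
    </ExcludedIdList>
    {entry(31, 'Deny', 0)}
    {entry(32, 'AuditDenied', 3)}
  </PolicyRule>
</PolicyRules>
"""


def is_well_formed(xml_text: str) -> bool:
    """False for a raw '&' inside a value, the mistake the Scenario 1 Tip warns about."""
    try:
        return ET.fromstring(xml_text) is not None
    except ET.ParseError:
        return False


def rule_summary(rules_xml: str) -> list:
    """Per PolicyRule: name, included/excluded GroupIds, (Type, AccessMask, conditional) per Entry."""
    return [{
        "name": r.findtext("Name"),
        "included": [g.text for g in r.findall("IncludedIdList/GroupId")],
        "excluded": [g.text for g in r.findall("ExcludedIdList/GroupId")],
        "entries": [(e.findtext("Type"), int(e.findtext("AccessMask")),
                     e.find("Parameters") is not None) for e in r.findall("Entry")],
    } for r in ET.fromstring(rules_xml).findall("PolicyRule")]


def dangling_group_refs(groups_xml: str, rules_xml: str) -> set:
    """GroupIds a rule references but no Group defines: that rule points at nothing."""
    defined = {g.get("Id") for g in ET.fromstring(groups_xml).findall("Group")}
    used = {gid for r in rule_summary(rules_xml) for gid in r["included"] + r["excluded"]}
    return used - defined
```

Write GROUPS_XML and RULES_XML to the share path entered in the two Group Policy settings once `is_well_formed` returns True for both and `dangling_group_refs` returns an empty set; rule 3 is the "deny everything else" rule, so a typo in one of its ExcludedIdList GUIDs would silently turn the approved printers into blocked ones, which is exactly what the cross-reference check catches.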