# Printer Protection Overview

**Note:** Group Policy management and Intune OMA-URI/Custom Policy management of this product have been released. If you're currently using Microsoft Defender for Endpoint Device Control Printer Protection, we recommend that you upgrade.

## Overview

The Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printing, with or without exclusions.
| Privilege | Permission |
|---|---|
| Access | Read, Write, Execute |
| Action Mode | Audit, Allow, Prevent |
| CSP Support | Yes |
| GPO Support | Yes |
| User-based Support | Yes |
| Machine-based Support | Yes |
## Prerequisites for preview

Ensure that the Windows devices you need to onboard meet the following requirements:
- Install the right OS KB:
  - Windows Server 2022 - KB5020032
- MOCAMP 4.18.2205 or later. You can run `Get-MpComputerStatus` in PowerShell to check the version.
## Device control printer protection properties

Printer protection comprises group and policy configurations:
- Group configuration lets you create groups, for example an authorized USB printer group or a network location group.
- Policy configuration lets you create a policy that restricts each printer group, for example allowing only authorized users Print access to the authorized printer group.
### Group configuration

Group configuration includes the following types:
- Device
- Network
- VPNConnection
- PrintJob

The table below lists the properties you can use in Group:

| Property Name | Description | Options |
|---|---|---|
| Group ID | GUID, a unique ID that represents the group and is used in the policy. | You can generate the group ID through PowerShell. |
| Name | String, the name of the policy; it is displayed on the toast notification depending on the policy setting. | |
| Type | The type of the group. | Note: the default type is Device, which includes removable storage and printers. For any other group you define in your Group setting, mark Type explicitly, for example, Type="File". |
| DescriptorIdList | Lists the device properties you want to use to cover in the group. All properties are case sensitive. | The attributes you can use inside DescriptorIdList depend on the Group type (Device, Network, VPNConnection or PrintJob). |
| MatchType | When multiple device properties are used in the DescriptorIdList, MatchType defines the relationship between them. | |
### Access policy rule

Every access policy rule, called a PolicyRule, defines access restrictions for each Device type group through multiple Entry elements.

The table below lists the properties you can use in PolicyRule:

| Property Name | Description | Options |
|---|---|---|
| PolicyRule ID | GUID, a unique ID that represents the policy and is used in reporting and troubleshooting. | You can generate the GUID through PowerShell. |
| Name | String, the name of the policy; it is displayed on the toast notification depending on the policy setting and is captured in reporting. | |
| IncludedIdList | The group(s) that the policy is applied to. If multiple groups are added, the policy is applied to any media in all those groups. | The Group ID/GUID must be used here. The following example shows the usage of GroupId: {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}. Note: you shouldn't add multiple groups inside IncludedIdList. Instead, add all groups into a new group and then add that new group inside IncludedIdList. |
| ExcludedIDList | The group(s) that the policy is not applied to. | The Group ID/GUID must be used here. |
| Entry | One PolicyRule can have multiple entries; each entry has a unique GUID and tells Device Control one restriction. | See the Entry properties table below for more details. |
The table below lists the properties you can use in Entry:

| Property Name | Description | Options |
|---|---|---|
| PolicyRule ID | GUID, a unique ID that represents the policy and is used in reporting and troubleshooting. | You can generate the GUID through PowerShell. |
| Type | Defines the action for the removable storage groups in IncludedIDList. | Allow, Deny, AuditAllowed, AuditDenied. When there are conflicting types for the same media, the system applies the first one in the policy. An example of a conflict is Allow and Deny. |
| Sid | Local user Sid, user group Sid, the Sid of the AD object, or the Object ID of the Azure AD object; defines whether to apply this policy to a specific user or user group. One entry can have at most one Sid, and an entry without a Sid applies the policy to the machine. | |
| ComputerSid | Local computer Sid, computer group Sid, the Sid of the AD object, or the Object ID of the AAD object; defines whether to apply this policy to a specific machine or machine group. One entry can have at most one ComputerSid, and an entry without a ComputerSid applies the policy to the machine. If you want to apply an Entry to a specific user and a specific machine, add both Sid and ComputerSid to the same Entry. | |
| Options | Defines whether to display a notification. | The available values depend on the selected Type (Allow, Deny, AuditAllowed or AuditDenied). |
| AccessMask | Defines the access. | |
| Parameters | Condition for this Entry, for example a network condition. | Can add groups (non-Device types) or even nest Parameters inside Parameters. See the Parameters properties table below for more details. |
The table below lists the properties you can use in Parameters:

| Property Name | Description | Options |
|---|---|---|
| MatchType | When multiple device properties are used in the DescriptorIdList, MatchType defines the relationship between them. | MatchAll, MatchAny, MatchExcludeAll, MatchExcludeAny |
| PrintJob / Network / VPNConnection | The PrintJob, Network, or VPNConnection group(s) created above. | Use the GroupId of the PrintJob, Network, or VPNConnection group(s) created above. |
| Parameters | You can embed Parameters inside Parameters with MatchType. | |
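To make the relationships between groups, policy rules, entries and parameters in the tables above concrete, here is a small evaluator. It is an added example, not Microsoft's code and not a reproduction of the product's XML schema. It parses a constructed policy that uses the element names from these tables and decides a print request the way the text describes: the printer must match an IncludedIdList group and no ExcludedIdList group, entries are tried in document order, Sid, ComputerSid, AccessMask and Parameters must all hold, and the first Allow or Deny entry wins while audit entries are only collected. The descriptor attribute names (PrinterConnectionId, VID_PID, NetworkCategoryId), AccessMask 64 for Print, the exact XML layout, and the reading of MatchExcludeAll/MatchExcludeAny as the negations of MatchAll/MatchAny are assumptions not stated on this page.

```python
"""Evaluator for a Device Control printer-protection policy (constructed example).

Added example, not Microsoft's code. Element names follow the tables on this page;
the XML layout, the descriptor attribute names (PrinterConnectionId, VID_PID,
NetworkCategoryId) and AccessMask 64 for Print are assumptions."""
import xml.etree.ElementTree as ET

PRINT = 64  # assumed AccessMask bit for Print access (not stated on this page)

USB_PRINTERS = "{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}"  # GroupId taken from this page
CORP_NET = "{11111111-2222-3333-4444-555555555555}"     # constructed GroupId

# Constructed policy: authorized USB printers may be used only by one user and
# only on a domain-authenticated network; everything else in the group is denied.
POLICY = f"""
<PolicyConfig>
  <Groups>
    <Group Id="{USB_PRINTERS}" Type="Device">
      <Name>Authorized USB printers</Name>
      <MatchType>MatchAll</MatchType>
      <DescriptorIdList>
        <PrinterConnectionId>USB</PrinterConnectionId>
        <VID_PID>03F0_1234</VID_PID>
      </DescriptorIdList>
    </Group>
    <Group Id="{CORP_NET}" Type="Network">
      <MatchType>MatchAny</MatchType>
      <DescriptorIdList>
        <NetworkCategoryId>DomainAuthenticated</NetworkCategoryId>
      </DescriptorIdList>
    </Group>
  </Groups>
  <PolicyRules>
    <PolicyRule Id="{{A1B2C3D4-0000-0000-0000-000000000001}}">
      <Name>Print only on corporate network</Name>
      <IncludedIdList><GroupId>{USB_PRINTERS}</GroupId></IncludedIdList>
      <Entry Id="{{A1B2C3D4-0000-0000-0000-000000000002}}">
        <Type>Allow</Type>
        <AccessMask>{PRINT}</AccessMask>
        <Sid>S-1-5-21-1-2-3-1001</Sid>
        <Parameters MatchType="MatchAll">
          <Network><GroupId>{CORP_NET}</GroupId></Network>
        </Parameters>
      </Entry>
      <Entry Id="{{A1B2C3D4-0000-0000-0000-000000000003}}">
        <Type>Deny</Type>
        <AccessMask>{PRINT}</AccessMask>
      </Entry>
    </PolicyRule>
  </PolicyRules>
</PolicyConfig>
"""


def combine(match_type, results):
    """MatchAll/MatchAny are AND/OR; the Exclude forms are taken as their negations
    (assumption: the page names them but does not define them)."""
    results = list(results)
    table = {"MatchAll": all(results), "MatchAny": any(results),
             "MatchExcludeAll": not all(results), "MatchExcludeAny": not any(results)}
    return table[match_type]


def group_matches(group, props):
    """props maps descriptor name -> value; names are case sensitive, so no normalising."""
    match_type = group.findtext("MatchType", "MatchAny")
    descriptors = list(group.find("DescriptorIdList"))
    return combine(match_type, (props.get(d.tag) == d.text for d in descriptors))


def parameters_hold(params, groups, ctx):
    """Each child is a PrintJob/Network/VPNConnection group reference or a nested
    Parameters block; the results are combined by the MatchType attribute."""
    results = []
    for cond in params:
        if cond.tag == "Parameters":
            results.append(parameters_hold(cond, groups, ctx))
        else:
            results.append(group_matches(groups[cond.findtext("GroupId")], ctx.get(cond.tag, {})))
    return combine(params.get("MatchType", "MatchAll"), results)


def entry_applies(entry, groups, ctx):
    """An absent Sid/ComputerSid means the entry applies to the whole machine."""
    if entry.findtext("Sid") not in (None, ctx.get("Sid")):
        return False
    if entry.findtext("ComputerSid") not in (None, ctx.get("ComputerSid")):
        return False
    if (int(entry.findtext("AccessMask", "0")) & ctx["access"]) == 0:
        return False
    params = entry.find("Parameters")
    return params is None or parameters_hold(params, groups, ctx)


def evaluate(xml_text, ctx):
    """Return (decision, audit entry types hit). Conflicting Allow/Deny entries:
    the first one in the policy wins; audit entries never decide."""
    root = ET.fromstring(xml_text)
    groups = {g.get("Id"): g for g in root.iter("Group")}
    ids = lambda rule, tag: [] if rule.find(tag) is None else [g.text for g in rule.find(tag)]
    device, audits = ctx.get("Device", {}), []
    for rule in root.iter("PolicyRule"):
        if not any(group_matches(groups[i], device) for i in ids(rule, "IncludedIdList")):
            continue
        if any(group_matches(groups[i], device) for i in ids(rule, "ExcludedIdList")):
            continue
        for entry in rule.findall("Entry"):
            if entry_applies(entry, groups, ctx):
                kind = entry.findtext("Type")
                if kind in ("Allow", "Deny"):
                    return kind, audits
                audits.append(kind)
    return "Allow", audits  # no rule covers this printer, so nothing is blocked


# Constructed requests: same authorized printer under different conditions.
USB = {"PrinterConnectionId": "USB", "VID_PID": "03F0_1234"}
ON_CORP = {"Device": USB, "Network": {"NetworkCategoryId": "DomainAuthenticated"},
           "Sid": "S-1-5-21-1-2-3-1001", "access": PRINT}
ON_PUBLIC = {**ON_CORP, "Network": {"NetworkCategoryId": "Public"}}
OTHER_USER = {**ON_CORP, "Sid": "S-1-5-21-1-2-3-1002"}
NETWORK_PRINTER = {**ON_CORP, "Device": {"PrinterConnectionId": "Network"}}

if __name__ == "__main__":
    for name, ctx in [("corp", ON_CORP), ("public", ON_PUBLIC),
                      ("other user", OTHER_USER), ("network printer", NETWORK_PRINTER)]:
        print(f"{name:15} -> {evaluate(POLICY, ctx)}")
```

Running the block prints Allow for the authorized user on the corporate network, Deny when the same user prints from a public network or when a different user prints, and Allow for a printer that belongs to no group. Entry order matters: swapping the two entries would make the Deny entry win for everyone, which is the conflict behaviour the Entry table describes.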
## End-user experience

You can view the policy name and printer information if the right Options are set in your policy.