Device Control Printer Protection
Note: If you want to manage printers, see Microsoft Defender for Endpoint Device Control Printer Protection.
Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printers.
Licensing
Before you get started with Printer Protection, you should confirm your Microsoft 365 subscription. To access and use Printer Protection, you must have the following:
- Microsoft 365 E3 for functionality/policy deployment
- Microsoft 365 E5 for reporting
Permission
To deploy policy via OMA-URI in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:
- Policy and Profile Manager role
- A custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles
- Global admin
To see device configuration reports, the account must have view reports permissions. You can create custom roles or use the built-in roles with these permissions:
- Global security admin
- Security admin
- Security Reader
Prepare your endpoints
Make sure that the Windows 10 or Windows 11 devices you plan to deploy Printer Protection to meet these requirements:
- The following Windows Updates are installed.
- If you plan to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint; if you plan to deploy policy via Microsoft Intune, the device must be joined to Microsoft Intune.
Deploy Device Control Printer Protection policy
You can deploy the policy via Group Policy or Intune.
| Title | Description | CSP Support | GPO Support | User-based Support | Machine-based Support |
|---|---|---|---|---|---|
| Enable Device control Printing Restrictions | Block people from printing via non-corporate printer | Yes | Yes | Yes | Yes |
| List of Approved USB-connected print devices* | Allow specific USB printer | Yes | Yes | Yes | Yes |

\* This policy must be used together with Enable Device control Printing Restrictions.
Deploy policy via Intune
For Intune, currently Device Control Printer Protection supports OMA-URI only.
Scenario 1: Block people from printing via any non-corporate printer using Intune
Apply policy over machine:
`./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl`
Apply policy over user:
`./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser`
The CSP support string is `<enabled/>`.
Scenario 2: Allow specific approved USB printers using Intune
Apply policy over machine:
`./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices`
Apply policy over user:
`./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser`
The CSP support string carries the approved USB printers, as comma-separated VID/PID pairs, in the `ApprovedUsbPrintDevices_List` data element. Example: `<enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`
Deploy policy via Group Policy
If the device isn't Intune joined, you can also deploy the policy via Group Policy.
Scenario 1: Block people from printing via any non-corporate printer using Group Policy
Apply policy over machine:
Computer Configuration > Administrative Templates > Printer: Enable Device control Printing Restrictions
Apply policy over user:
User Configuration > Administrative Templates > Control Panel > Printers: Enable Device control Printing Restrictions
Scenario 2: Allow specific approved USB printers using Group Policy
Apply policy over machine:
Computer Configuration > Administrative Templates > Printer: List of Approved USB-connected print devices
Apply policy over user:
User Configuration > Administrative Templates > Control Panel > Printers: List of Approved USB-connected print devices
View Device Control Printer Protection data in Microsoft Defender for Endpoint portal
The Microsoft Defender portal shows printing blocked by the Device Control Printer Protection policy above. The following advanced hunting query lists the blocked print jobs:

```kusto
DeviceEvents
| where ActionType == 'PrintJobBlocked'
| extend parsed=parse_json(AdditionalFields)
| extend PrintedFile=tostring(parsed.JobOrDocumentName)
| extend PrintPortName=tostring(parsed.PortName)
| extend PrinterName=tostring(parsed.PrinterName)
| extend Policy=tostring(parsed.RestrictionReason)
| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName, Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields
| order by Timestamp desc
```
You can use the PnP event to find the USB printers used in the organization (the VID/PID output is in the same `VVVV/PPPP` form the approved-list policy expects):

```kusto
//find the USB Printer VID/PID
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend DeviceDescription = tostring(parsed.DeviceDescription)
| extend PrinterDeviceId = tostring(parsed.DeviceId)
| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
| extend VID_PID = replace_string(VID_PID, 'PID_', '')
| extend ClassId = tostring(parsed.ClassId)
| extend VendorIds = tostring(parsed.VendorIds)
| where DeviceDescription == 'USB Printing Support'
| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
| order by Timestamp desc
```
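The two hunting queries above and the `ApprovedUsbPrintDevices_List` value from the Intune Scenario 2 section fit together: the PnP query discovers which USB printers are in use, and their VID/PID pairs become the approved list. The following Python is an added example, not code from the Microsoft page or the product. It reproduces both queries over constructed sample `DeviceEvents` rows (the instance IDs, device names, document name and `RestrictionReason` string are made up; the VID/PID values are the page's own examples), then builds the OMA-URI value for the approved list while rejecting malformed entries, since a typo in a `VVVV/PPPP` pair would silently approve nothing.

```python
"""Added example: mirror the page's two advanced hunting queries in Python and
build the ApprovedUsbPrintDevices OMA-URI value from the discovered printers.
All sample data below is constructed, not real telemetry."""
import json
import re

# Constructed DeviceEvents rows. AdditionalFields is the JSON string the page's
# queries parse; the field names are the ones those queries read.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10T09:00:00Z", "DeviceId": "dev-001", "DeviceName": "pc01",
     "ActionType": "PnpDeviceConnected", "InitiatingProcessAccountName": "SYSTEM",
     "AdditionalFields": json.dumps({
         "DeviceDescription": "USB Printing Support",
         "DeviceId": "USB\\VID_03F0&PID_0853\\5&1A2B3C4D&0&2"})},   # constructed instance ID
    {"Timestamp": "2024-01-10T09:05:00Z", "DeviceId": "dev-002", "DeviceName": "pc02",
     "ActionType": "PnpDeviceConnected", "InitiatingProcessAccountName": "SYSTEM",
     "AdditionalFields": json.dumps({
         "DeviceDescription": "USB Mass Storage Device",           # not a printer: filtered out
         "DeviceId": "USB\\VID_0781&PID_5583\\4C530001"})},
    {"Timestamp": "2024-01-10T09:10:00Z", "DeviceId": "dev-003", "DeviceName": "pc03",
     "ActionType": "PnpDeviceConnected", "InitiatingProcessAccountName": "SYSTEM",
     "AdditionalFields": json.dumps({
         "DeviceDescription": "USB Printing Support",
         "DeviceId": "USB\\VID_0351&PID_0872\\6&9E8D7C6B&0&1"})},
    {"Timestamp": "2024-01-10T09:15:00Z", "DeviceId": "dev-001", "DeviceName": "pc01",
     "ActionType": "PrintJobBlocked", "InitiatingProcessAccountName": "jdoe",
     "AdditionalFields": json.dumps({
         "JobOrDocumentName": "quarterly-report.docx",
         "PortName": "USB002",
         "PrinterName": "Home Inkjet",
         "RestrictionReason": "NonCorporatePrinter"})},  # constructed reason string
]

# Segment after the first backslash of a USB instance ID: VID_xxxx&PID_yyyy[&...]
VID_PID_RE = re.compile(r"^VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
# Form the approved-list policy uses for each entry, e.g. 03F0/0853
APPROVED_ENTRY_RE = re.compile(r"^[0-9A-F]{4}/[0-9A-F]{4}$")


def vid_pid_from_instance_id(instance_id):
    """Same extraction as the KQL (segment [1] split on '&', VID_/PID_ stripped),
    but returns None instead of a garbage string when the segment is not a VID/PID pair."""
    parts = instance_id.split("\\")
    if len(parts) < 2:
        return None
    m = VID_PID_RE.match(parts[1])
    if not m:
        return None
    return f"{m.group(1).upper()}/{m.group(2).upper()}"


def _parsed(event):
    return json.loads(event["AdditionalFields"])


def find_usb_printers(events):
    """Equivalent of the page's PnpDeviceConnected query: USB printing devices, newest first."""
    rows = []
    for ev in events:
        if ev["ActionType"] != "PnpDeviceConnected":
            continue
        parsed = _parsed(ev)
        if parsed.get("DeviceDescription") != "USB Printing Support":
            continue
        rows.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                     "PrinterDeviceId": parsed["DeviceId"],
                     "VID_PID": vid_pid_from_instance_id(parsed["DeviceId"])})
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)


def blocked_print_jobs(events):
    """Equivalent of the page's PrintJobBlocked query, newest first."""
    rows = []
    for ev in events:
        if ev["ActionType"] != "PrintJobBlocked":
            continue
        parsed = _parsed(ev)
        rows.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                     "Account": ev["InitiatingProcessAccountName"],
                     "Policy": parsed.get("RestrictionReason", ""),
                     "PrintedFile": parsed.get("JobOrDocumentName", ""),
                     "PrinterName": parsed.get("PrinterName", ""),
                     "PrintPortName": parsed.get("PortName", "")})
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)


def approved_list_value(vid_pids):
    """Build the ApprovedUsbPrintDevices OMA-URI value: entries validated against the
    page's VVVV/PPPP form, upper-cased and de-duplicated in order. A malformed or
    empty list raises instead of producing a policy that approves nothing."""
    seen = []
    for entry in vid_pids:
        entry = entry.strip().upper()
        if not APPROVED_ENTRY_RE.match(entry):
            raise ValueError(f"bad VID/PID entry: {entry!r}")
        if entry not in seen:
            seen.append(entry)
    if not seen:
        raise ValueError("approved list is empty")
    joined = ",".join(seen)
    return f'<enabled/><data id="ApprovedUsbPrintDevices_List" value="{joined}"/>'


if __name__ == "__main__":
    for job in blocked_print_jobs(SAMPLE_EVENTS):
        print("blocked:", job)
    printers = find_usb_printers(SAMPLE_EVENTS)
    print(approved_list_value(p["VID_PID"] for p in printers))
```

Run it stand-alone to see the blocked job and the generated `<enabled/><data .../>` string; in practice replace `SAMPLE_EVENTS` with rows exported from the PnP query and review the discovered VID/PIDs before pasting the value into the Intune OMA-URI profile.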
Tip: Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.