Blog Post

Microsoft Defender for Endpoint Blog
7 MIN READ

Protect your removable storage and printers with Microsoft Defender for Endpoint

Tewang_Chen's avatar
Tewang_Chen
Icon for Microsoft rankMicrosoft
Jul 19, 2021
UPDATE: The Printer protection is now General Availability. We have backported the feature, so now it supports Windows 1809, 1909, 2004 or later.   External devices such as USB and home printers ...
Updated Aug 26, 2021
Version 5.0
Device control
endpoint dlp
Tewang_Chen's avatar
Icon for Microsoft rankMicrosoft
Joined August 08, 2019
View Profile
Microsoft Defender for Endpoint Blog

Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

learnandexp's avatar
learnandexp
Copper Contributor
Oct 03, 2023

Hi,

I have read all the responses in this forum and all the documentation I could find about the device control printer protection.

I'm aware of some specificities like having to group the policy rules and groups in each respective XML file when using the GPO option.

 

We have the same issue that many people report which is the Microsoft Print to PDF being blocked. I took over an existing config and will be setting up from scratch based on information I've read so far. 

 

However, I have a few questions that if answered here, I believe may help everyone:

  1. Does Microsoft Print to PDF actually work when you use the Default Deny enforcement but then allow USB storage devices and printers? We also use the options to print if there is a corporate or VPN connection.
  2. I would assume most companies would use Default Deny but the samples provided for GPO don't seem to cover this scenario. Can't we have specific samples for this?
  3. If we are combining both the groups and policies of USB storage and printers can we have sample files with both configs in one file instead of separate ones?
  4. Is there any order when combining the printer and USB storage parts on these sample files?, i.e, should Microsoft Print to PDF policy and groups be on top?
  5. I saw some printer examples with access mask 64. I was under the impression the max was 63, examples here:

https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies%20-%20no%20Default%20Deny%20policy.xml

https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml

https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20PDF_XPS%20Printer%20-%20File%20Evidence.xml

https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20PDF_XPS%20Printer.xml

 

NOTE: I did not check all files for the masks, just some of the most recent printer examples.

 

Thanks in advance,

 

H