Hi learnandexp, I am currently facing the same issue. When it comes to applying this policy via GPO, there are not a lot of samples that support removable storage control and printer protection. Also, the access mask in the MS sample is wrong. It's 63 and not 64. I am currently using the default deny policy, and it works fine: USB devices are blocked and the allowed group is excluded from the block. However, test devices are unable to print. I just need an example that excludes all forms of printing, whether via USB printer, corporate, on a network or from a VPN connection. I thought I did the right thing with my policies, but my test devices are still unable to print on the shared network printer. The print job does not get to the printer.
Tewang_Chen, are you able to assist in reviewing this, please?
This is my policy group:
<Groups>
  <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}">
    <!-- Approved USBs Group -->
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <InstancePathId>USBSTOR\Disk&amp;Ven_Barco&amp;Prod_ClickShare&amp;Rev_0328\7&amp;8ac60a&amp;0&amp;02.00.00.01.12.00.0000_0000&amp;*</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_03\6&amp;2a05842d&amp;0&amp;0003</InstancePathId>
      <InstancePathId>USB\VID_0600</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_0070</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_00CE</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_00CE&amp;MI_00</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_04</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_00</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_03</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_01</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;MI_02</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;REV_0210&amp;MI_04</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_009F&amp;REV_0210&amp;MI_00</InstancePathId>
      <InstancePathId>USB\VID_0600&amp;PID_00CE&amp;REV_0102&amp;MI_00</InstancePathId>
    </DescriptorIdList>
  </Group>
  <Group Id="{43fd9869-660d-49a6-ae28-34b278ed119e}" Type="Device">
    <Name>Any Printer</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>PrinterDevices</PrimaryId>
      <PrinterConnectionId>USB</PrinterConnectionId>
      <PrinterConnectionId>Corporate</PrinterConnectionId>
      <PrinterConnectionId>Network</PrinterConnectionId>
      <PrinterConnectionId>Universal</PrinterConnectionId>
      <PrinterConnectionId>File</PrinterConnectionId>
      <PrinterConnectionId>Custom</PrinterConnectionId>
      <PrinterConnectionId>Local</PrinterConnectionId>
    </DescriptorIdList>
  </Group>
</Groups>
Below is my policy rule:
<PolicyRules>
  <PolicyRule Id="{c544a991-5786-4402-949e-a032cb790d0e}">
    <Name>RW allow Approved USB</Name>
    <IncludedIdList>
      <GroupId>{65fa649a-a111-4912-9294-fb6337a25038}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <Entry Id="{f8ddbbc5-8855-4776-a9f4-ee58c3a21414}">
      <Type>Allow</Type>
      <Options>0</Options>
      <AccessMask>63</AccessMask>
    </Entry>
    <Entry Id="{07e22eac-8b01-4778-a567-a8fa6ce18a0c}">
      <Type>AuditAllowed</Type>
      <Options>2</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
  <PolicyRule Id="{1284f8fa-4116-4a5b-acad-8be52e1de3be}">
    <!-- Default Printer Allow -->
    <Name>Default Printer Allow</Name>
    <IncludedIdList>
      <GroupId>{43fd9869-660d-49a6-ae28-34b278ed119e}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <Entry Id="{Need to define}">
      <Type>Allow</Type>
      <Options>0</Options>
      <AccessMask>63</AccessMask>
    </Entry>
    <Entry Id="{Need to define}">
      <Type>AuditAllowed</Type>
      <Options>2</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
  <PolicyRule Id="{f0c42db6-3975-4b79-b53d-17a9a541ca71}">
    <Name>Audit Read and Write all files</Name>
    <IncludedIdList>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
    <Entry Id="{5285adc4-2361-4aba-baa0-c723e3eecd42}">
      <Type>AuditDenied</Type>
      <Options>2</Options>
      <AccessMask>127</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
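An offline lint for a device control policy like the one posted above, as an added example that is not part of the original post and not Microsoft tooling. It assumes the AccessMask bit values from Microsoft's device control documentation (1/2/4 device read/write/execute, 8/16/32 file read/write/execute, 64 print); `decode_mask` and `lint` are hypothetical names, and the embedded XML is a constructed, trimmed copy of the printer group and rule.

```python
import re
import xml.etree.ElementTree as ET

# AccessMask bit values as documented by Microsoft for device control (assumption).
BITS = {1: "DeviceRead", 2: "DeviceWrite", 4: "DeviceExecute",
        8: "FileRead", 16: "FileWrite", 32: "FileExecute", 64: "Print"}
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Constructed sample: the printer group and printer rule from the post, trimmed.
GROUPS = """<Groups>
<Group Id="{43fd9869-660d-49a6-ae28-34b278ed119e}" Type="Device">
<MatchType>MatchAny</MatchType>
<DescriptorIdList><PrimaryId>PrinterDevices</PrimaryId></DescriptorIdList>
</Group></Groups>"""
RULES = """<PolicyRules>
<PolicyRule Id="{1284f8fa-4116-4a5b-acad-8be52e1de3be}">
<Name>Default Printer Allow</Name>
<IncludedIdList><GroupId>{43fd9869-660d-49a6-ae28-34b278ed119e}</GroupId></IncludedIdList>
<Entry Id="{Need to define}"><Type>Allow</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
<Entry Id="{Need to define}"><Type>AuditAllowed</Type><Options>2</Options><AccessMask>63</AccessMask></Entry>
</PolicyRule></PolicyRules>"""

def decode_mask(mask):
    """Return the names of the access rights set in an AccessMask."""
    return [name for bit, name in BITS.items() if mask & bit]

def lint(groups_xml, rules_xml):
    """Return a list of findings for one Groups/PolicyRules pair."""
    findings, seen = [], set()
    groups = {g.get("Id"): g for g in ET.fromstring(groups_xml).iter("Group")}
    printers = {gid for gid, g in groups.items()
                if any(p.text == "PrinterDevices" for p in g.iter("PrimaryId"))}
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        name = rule.findtext("Name")
        included = [g.text for g in rule.findall("IncludedIdList/GroupId")]
        findings += [f"{name}: unknown group {g}" for g in included if g not in groups]
        for entry in rule.iter("Entry"):
            eid, mask = entry.get("Id"), int(entry.findtext("AccessMask"))
            if not GUID.match(eid):
                findings.append(f"{name}: entry Id {eid} is not a GUID")
            elif eid in seen:
                findings.append(f"{name}: duplicate entry Id {eid}")
            seen.add(eid)
            if printers & set(included) and not mask & 64:
                findings.append(f"{name}: {entry.findtext('Type')} mask {mask} has no Print bit")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(GROUPS, RULES)))
```

The parser needs well-formed XML, so `&` inside an `InstancePathId` has to be written as `&amp;` before a full policy file is passed in.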