Description: This is a policy.
Device Type: Windows Printer
A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.
| Name | Devices | Rule Type | Access | Notification | Conditions | |
|---|---|---|---|---|---|---|
| Included | Excluded | |||||
| Default Deny |
|
|
Audit Denied | 📄 | Show notification and Send event (3) | - |
| Setting Name | Setting Value | Description | Documentation |
|---|---|---|---|
| DefaultEnforcement | Deny | Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. | documentation |
| DeviceControlEnabled | True | Enables/disables device control | documentation |
This policy is based on information in the following files:
Device control policy rules and groups can be deployed through the following management tools:
Create a Device Control Rules configuration profile
- Navigate to Home > Endpoint Security > Attack Surface Reduction
- Click on "Create Policy"
- Under Platform, select "Windows 10 and later"
- Under Profile, select "Device Control Rules"
- Click "Create"
- Under Name, enter **
- Optionally, enter a description
- Click "Next"
Add a rule for Default Deny to the policy
-
Click on "+ Edit Entry"
-
Enter Default Deny for the name
-
Select Audit Denied from "Type"
-
Select Show notification and Send event from "Options"
-
Select Print from "Access mask"
-
Click "OK"
Define device control policy groups
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
- Save the XML below to a network share.
<Groups>
</Groups>- In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.
Define device control policy rules
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
- Save the XML below to a network share.
<PolicyRules>
<PolicyRule Id="{e6ccf2cb-20d6-4478-bf2d-66f247ced6f3}" >
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Be6ccf2cb-20d6-4478-bf2d-66f247ced6f3%7D/RuleData -->
<Name>Default Deny</Name>
<IncludedIdList>
</IncludedIdList>
<ExcludedIdList>
</ExcludedIdList>
<Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
<Type>AuditDenied</Type>
<AccessMask>64</AccessMask>
<Options>3</Options>
</Entry>
</PolicyRule>
</PolicyRules>- In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.
Create custom intune configuration
- Navigate to Devices > Configuration profiles
- Click Create (New Policy)
- Select Platform "Windows 10 and Later"
- Select Profile "Templates"
- Select Template Name "Custom"
- Click "Create"
- Under Name, enter **
- Optionally, enter a description
- Click "Next"
Add a row for Default Deny
-
Click "Add"
-
For Name, enter Default Deny
-
For Description, enter **
-
For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Be6ccf2cb-20d6-4478-bf2d-66f247ced6f3%7D/RuleData
-
For Data type, select String (XML File)
-
For Custom XML, select windows/printer/Intune OMA-URI/Audit Default Deny.xml
-
Click "Save"
Add a row for DefaultEnforcement
-
Click "Add"
-
For Name, enter DefaultEnforcement
-
For Description, enter **
-
For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
-
For Data type, select Integer
-
For Value, enter 2
-
Click "Save"
Add a row for DeviceControlEnabled
-
Click "Add"
-
For Name, enter DeviceControlEnabled
-
For Description, enter **
-
For OMA-URI, enter ./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
-
For Data type, select Integer
-
For Value, enter 1
-
Click "Save"