Printer_Policies.md

# Device control policy sample: Printer Policies

Description: An example showing how device control can restrict access to printers based on device properties, network, and VPN connection.

Device Type: Windows Printer

A device control policy is a combination of policy rules, groups and settings.
This sample is based on the sample files.
To configure the sample, follow the deployment instructions.

## Policy Rules

| Name | Included devices | Excluded devices | Rule type | Access | Notification | Conditions |
| --- | --- | --- | --- | --- | --- | --- |
| Allow PDF and XPS Printing | PDF_XPS Printer | - | Allow | Print | None (0) | - |
| | | | Audit Allowed | Print | Send event (2) | - |
| Allow approved USB Printer | Authorized USB Printer | - | Allow | Print | None (0) | MatchAny: Windows Network (MatchAny): Corporate Network; Windows VPN Connection (MatchAny): Corporate VPN |
| | | | Audit Allowed | Print | Send event (2) | - |
| Default Deny | - | - | Audit Denied | Print | Show notification and Send event (3) | - |

## Groups

### PDF_XPS Printer

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
| --- | --- |
| PrinterConnectionId | File |

```xml
<Group Id="{e5170dfb-19a9-4466-8109-d36c9c912b4e}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5170dfb-19a9-4466-8109-d36c9c912b4e%7D/GroupData -->
	<Name>PDF_XPS Printer</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<PrinterConnectionId>File</PrinterConnectionId>
	</DescriptorIdList>
</Group>
```

### Authorized USB Printer

This is a group of type Device. The match type for the group is MatchAny.

| Property | Value |
| --- | --- |
| VID_PID | 03F0_ |
| VID_PID | 035E_0872 |

```xml
<Group Id="{05b56e90-e682-48ff-a6c0-5602c9638182}" Type="Device">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B05b56e90-e682-48ff-a6c0-5602c9638182%7D/GroupData -->
	<Name>Authorized USB Printer</Name>
	<MatchType>MatchAny</MatchType>
	<DescriptorIdList>
		<VID_PID>03F0_</VID_PID>
		<VID_PID>035E_0872</VID_PID>
	</DescriptorIdList>
</Group>
```

### Corporate Network

This is a group of type Network. The match type for the group is MatchAll.

| Property | Value |
| --- | --- |
| NameId | corp.microsoft.com |
| NetworkCategoryId | DomainAuthenticated |

```xml
<Group Id="{83d4b74a-af7c-4399-812c-fb9037e2c2b7}" Type="Network">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B83d4b74a-af7c-4399-812c-fb9037e2c2b7%7D/GroupData -->
	<Name>Corporate Network</Name>
	<MatchType>MatchAll</MatchType>
	<DescriptorIdList>
		<NameId>corp.microsoft.com</NameId>
		<NetworkCategoryId>DomainAuthenticated</NetworkCategoryId>
	</DescriptorIdList>
</Group>
```

### Corporate VPN

This is a group of type VPNConnection. The match type for the group is MatchAll.

| Property | Value |
| --- | --- |
| NameId | MSFTVPN |
| VPNServerAddressId | msftvpn.*.microsoft.com |
| VPNDnsSuffixId | corp.microsoft.com |
| VPNConnectionStatusId | Connected |

```xml
<Group Id="{d633d17d-d1d1-4c73-aa27-c545c343b6d7}" Type="VPNConnection">
	<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd633d17d-d1d1-4c73-aa27-c545c343b6d7%7D/GroupData -->
	<Name>Corporate VPN</Name>
	<MatchType>MatchAll</MatchType>
	<DescriptorIdList>
		<NameId>MSFTVPN</NameId>
		<VPNServerAddressId>msftvpn.*.microsoft.com</VPNServerAddressId>
		<VPNDnsSuffixId>corp.microsoft.com</VPNDnsSuffixId>
		<VPNConnectionStatusId>Connected</VPNConnectionStatusId>
	</DescriptorIdList>
</Group>
```

## Settings

| Setting name | Setting value | Description |
| --- | --- | --- |
| DefaultEnforcement | Deny | Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched. |
| DeviceControlEnabled | True | Enables/disables device control |

## Files

This policy is based on information in the following files:

## Deployment Instructions

Device control policy rules and groups can be deployed through the following management tools:

### Windows

#### Intune UX

Intune UX is not supported for this policy because:

- Windows VPN Connection groups are not supported.
- Windows Network groups are not supported.
- Parameters are not supported.

Use Intune custom settings to deploy the policy instead.

#### Group Policy (GPO)

##### Define device control policy groups

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups.
2. Save the XML below to a network share.

```xml
<Groups>
	<Group Id="{e5170dfb-19a9-4466-8109-d36c9c912b4e}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5170dfb-19a9-4466-8109-d36c9c912b4e%7D/GroupData -->
		<Name>PDF_XPS Printer</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<PrinterConnectionId>File</PrinterConnectionId>
		</DescriptorIdList>
	</Group>
	<Group Id="{05b56e90-e682-48ff-a6c0-5602c9638182}" Type="Device">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B05b56e90-e682-48ff-a6c0-5602c9638182%7D/GroupData -->
		<Name>Authorized USB Printer</Name>
		<MatchType>MatchAny</MatchType>
		<DescriptorIdList>
			<VID_PID>03F0_</VID_PID>
			<VID_PID>035E_0872</VID_PID>
		</DescriptorIdList>
	</Group>
	<Group Id="{83d4b74a-af7c-4399-812c-fb9037e2c2b7}" Type="Network">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B83d4b74a-af7c-4399-812c-fb9037e2c2b7%7D/GroupData -->
		<Name>Corporate Network</Name>
		<MatchType>MatchAll</MatchType>
		<DescriptorIdList>
			<NameId>corp.microsoft.com</NameId>
			<NetworkCategoryId>DomainAuthenticated</NetworkCategoryId>
		</DescriptorIdList>
	</Group>
	<Group Id="{d633d17d-d1d1-4c73-aa27-c545c343b6d7}" Type="VPNConnection">
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd633d17d-d1d1-4c73-aa27-c545c343b6d7%7D/GroupData -->
		<Name>Corporate VPN</Name>
		<MatchType>MatchAll</MatchType>
		<DescriptorIdList>
			<NameId>MSFTVPN</NameId>
			<VPNServerAddressId>msftvpn.*.microsoft.com</VPNServerAddressId>
			<VPNDnsSuffixId>corp.microsoft.com</VPNDnsSuffixId>
			<VPNConnectionStatusId>Connected</VPNConnectionStatusId>
		</DescriptorIdList>
	</Group>
</Groups>
```

3. In the Define device control policy groups window, select Enabled and specify the network share file path containing the XML groups data.

##### Define device control policy rules

1. Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules.
2. Save the XML below to a network share.

```xml
<PolicyRules>
	<PolicyRule Id="{f5877f47-78ab-4f33-94e4-c44f18ec6dca}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bf5877f47-78ab-4f33-94e4-c44f18ec6dca%7D/RuleData -->
		<Name>Allow PDF and XPS Printing</Name>
		<IncludedIdList>
			<GroupId>{e5170dfb-19a9-4466-8109-d36c9c912b4e}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{12bd5f8e-94e8-4205-a990-635c24e43c59}">
			<Type>Allow</Type>
			<AccessMask>64</AccessMask>
			<Options>0</Options>
		</Entry>
		<Entry Id="{0fef09f8-7a68-4827-841b-d48afef6ba4c}">
			<Type>AuditAllowed</Type>
			<AccessMask>64</AccessMask>
			<Options>2</Options>
		</Entry>
	</PolicyRule>
	<PolicyRule Id="{f7e75634-7eec-4e67-bec5-5e7750cb9e02}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7D/RuleData -->
		<Name>Allow approved USB Printer</Name>
		<IncludedIdList>
			<GroupId>{05b56e90-e682-48ff-a6c0-5602c9638182}</GroupId>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{27c79875-25d2-4765-aec2-cb2d1000613f}">
			<Type>Allow</Type>
			<AccessMask>64</AccessMask>
			<Options>0</Options>
			<Parameters MatchType="MatchAny">
				<Network MatchType="MatchAny">
					<GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId>
				</Network>
				<VPNConnection MatchType="MatchAny">
					<GroupId>{d633d17d-d1d1-4c73-aa27-c545c343b6d7}</GroupId>
				</VPNConnection>
			</Parameters>
		</Entry>
		<Entry Id="{b280c2bf-ca5d-46a1-afc9-7e34d8098ca7}">
			<Type>AuditAllowed</Type>
			<AccessMask>64</AccessMask>
			<Options>2</Options>
		</Entry>
	</PolicyRule>
	<PolicyRule Id="{e6ccf2cb-20d6-4478-bf2d-66f247ced6f3}" >
		<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Be6ccf2cb-20d6-4478-bf2d-66f247ced6f3%7D/RuleData -->
		<Name>Default Deny</Name>
		<IncludedIdList>
		</IncludedIdList>
		<ExcludedIdList>
		</ExcludedIdList>
		<Entry Id="{6b9cf286-ec70-4463-bfaf-29f32bb5f0dc}">
			<Type>AuditDenied</Type>
			<AccessMask>64</AccessMask>
			<Options>3</Options>
		</Entry>
	</PolicyRule>
</PolicyRules>
```

3. In the Define device control policy rules window, select Enabled, and enter the network share file path containing the XML rules data.
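Before pointing the GPO (or the Intune custom settings below) at the rules and groups XML, it is worth confirming that every GroupId a rule references, including the Network and VPNConnection groups inside Parameters, actually exists in the groups file, and reading the numeric AccessMask and Options back as the names the tables above use. The following Python script is an added example, not part of the sample repository; it embeds a trimmed, constructed copy of this page's XML in which the Corporate VPN group is deliberately left out so the check has something to flag.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the page's groups: the Corporate VPN group is
# deliberately omitted so the cross-check below has something to flag.
GROUPS_XML = """<Groups>
 <Group Id="{05b56e90-e682-48ff-a6c0-5602c9638182}" Type="Device"><Name>Authorized USB Printer</Name>
  <MatchType>MatchAny</MatchType><DescriptorIdList><VID_PID>03F0_</VID_PID><VID_PID>035E_0872</VID_PID></DescriptorIdList></Group>
 <Group Id="{83d4b74a-af7c-4399-812c-fb9037e2c2b7}" Type="Network"><Name>Corporate Network</Name>
  <MatchType>MatchAll</MatchType><DescriptorIdList><NameId>corp.microsoft.com</NameId></DescriptorIdList></Group>
</Groups>"""

RULES_XML = """<PolicyRules>
 <PolicyRule Id="{f7e75634-7eec-4e67-bec5-5e7750cb9e02}"><Name>Allow approved USB Printer</Name>
  <IncludedIdList><GroupId>{05b56e90-e682-48ff-a6c0-5602c9638182}</GroupId></IncludedIdList><ExcludedIdList/>
  <Entry Id="{27c79875-25d2-4765-aec2-cb2d1000613f}"><Type>Allow</Type><AccessMask>64</AccessMask><Options>0</Options>
   <Parameters MatchType="MatchAny">
    <Network MatchType="MatchAny"><GroupId>{83d4b74a-af7c-4399-812c-fb9037e2c2b7}</GroupId></Network>
    <VPNConnection MatchType="MatchAny"><GroupId>{d633d17d-d1d1-4c73-aa27-c545c343b6d7}</GroupId></VPNConnection>
   </Parameters></Entry>
  <Entry Id="{b280c2bf-ca5d-46a1-afc9-7e34d8098ca7}"><Type>AuditAllowed</Type><AccessMask>64</AccessMask><Options>2</Options></Entry>
 </PolicyRule>
</PolicyRules>"""

ACCESS_BITS = {64: "Print"}          # the only access mask this sample uses
OPTION_BITS = {1: "Show notification", 2: "Send event"}  # Options 3 = both

def decode(mask, table):
    """Turn a bitmask into the names the policy table shows (0 -> 'None')."""
    names = [name for bit, name in table.items() if mask & bit]
    if mask & ~sum(table):
        names.append(f"unknown bit(s) 0x{mask & ~sum(table):x}")
    return " and ".join(names) or "None"

def check_policy(groups_xml, rules_xml):
    """Return (problems, entries): dangling GroupId references, decoded entries."""
    known = {g.get("Id") for g in ET.fromstring(groups_xml).iter("Group")}
    problems, entries = [], []
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        # iter() also walks the <Parameters> conditions, not just Included/Excluded
        for ref in rule.iter("GroupId"):
            if ref.text not in known:
                problems.append(f"{rule.findtext('Name')}: unknown group {ref.text}")
        for e in rule.iter("Entry"):
            entries.append((e.findtext("Type"),
                            decode(int(e.findtext("AccessMask")), ACCESS_BITS),
                            decode(int(e.findtext("Options")), OPTION_BITS)))
    return problems, entries
```

Run check_policy() over the real groups and rules files from the network share and hold the deployment while the problems list is non-empty.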

#### Intune Custom Settings

##### Create custom Intune configuration

1. Navigate to Devices > Configuration profiles
2. Click Create (New Policy)
3. Select Platform "Windows 10 and Later"
4. Select Profile "Templates"
5. Select Template Name "Custom"
6. Click "Create"
7. Under Name, enter **
8. Optionally, enter a description
9. Click "Next"

##### Add a row for Allow PDF and XPS Printing

1. Click "Add"
2. For Name, enter Allow PDF and XPS Printing
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bf5877f47-78ab-4f33-94e4-c44f18ec6dca%7D/RuleData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/allow_pdf_and_xps_printing{f5877f47-78ab-4f33-94e4-c44f18ec6dca}.xml`
7. Click "Save"

##### Add a row for Allow approved USB Printer

1. Click "Add"
2. For Name, enter Allow approved USB Printer
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7D/RuleData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/allow_approved_usb_printer{f7e75634-7eec-4e67-bec5-5e7750cb9e02}.xml`
7. Click "Save"

##### Add a row for Default Deny

1. Click "Add"
2. For Name, enter Default Deny
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7Be6ccf2cb-20d6-4478-bf2d-66f247ced6f3%7D/RuleData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/default_deny{e6ccf2cb-20d6-4478-bf2d-66f247ced6f3}.xml`
7. Click "Save"

##### Add a row for PDF_XPS Printer

1. Click "Add"
2. For Name, enter PDF_XPS Printer
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Be5170dfb-19a9-4466-8109-d36c9c912b4e%7D/GroupData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/PDF_XPS Printer.xml`
7. Click "Save"

##### Add a row for Authorized USB Printer

1. Click "Add"
2. For Name, enter Authorized USB Printer
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B05b56e90-e682-48ff-a6c0-5602c9638182%7D/GroupData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/Authorized USB Printer.xml`
7. Click "Save"

##### Add a row for Corporate Network

1. Click "Add"
2. For Name, enter Corporate Network
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7B83d4b74a-af7c-4399-812c-fb9037e2c2b7%7D/GroupData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/Corporate Network.xml`
7. Click "Save"

##### Add a row for Corporate VPN

1. Click "Add"
2. For Name, enter Corporate VPN
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7Bd633d17d-d1d1-4c73-aa27-c545c343b6d7%7D/GroupData`
5. For Data type, select String (XML File)
6. For Custom XML, select `windows/printer/Intune OMA-URI/Corporate VPN.xml`
7. Click "Save"

##### Add a row for DefaultEnforcement

1. Click "Add"
2. For Name, enter DefaultEnforcement
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
5. For Data type, select Integer
6. For Value, enter 2
7. Click "Save"

##### Add a row for DeviceControlEnabled

1. Click "Add"
2. For Name, enter DeviceControlEnabled
3. For Description, enter **
4. For OMA-URI, enter `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
5. For Data type, select Integer
6. For Value, enter 1
7. Click "Save"