Mastering Print Control: Harnessing Device Control Policies with Intune

Device Control policies are a wide-ranging set of controls that provide granular access to peripheral devices, such as removable storage and Bluetooth accessories. In this post, we will be exploring the use of Device Control to restrict printing in highly secure environments.

Requirements

Before we proceed, ensure that you have deployed Microsoft Defender for Endpoint in your environment, and that you are managing your devices with Intune. The Device Control policies that we will be enabling will be configured through the Endpoint Security –> Attack Surface Reduction tab in the Intune Admin Center. Previously, you had to configure these policies by hand using OMA-URI custom configuration. The process is much easier now with the dedicated Device Control policy in the user interface, including the great new Reusable Settings feature, which streamlines the management of device control groups across multiple policies.

Print Control Use Case

The topic of print control came up for a client that needed to restrict devices with access to sensitive customer data from printing to external printers as a means to prevent data exfiltration. Print Control allows you to define controls by printer category, such as USB, Network, Corporate, and Universal Print. Print Control can also be used to block Print to PDF, as well as Print to XPS Document Writer and Print to OneNote — all of which allow users to export sensitive data locally to their device. In this scenario, we are using Universal Print to provision and manage access to printers on our corporate network. The objective is to block all other forms of printing, such as preventing a user from connecting a home printer to their laptop, as well as preventing local data exfiltration from the “Print to …” options.

Intune Configuration

  1. Navigate to the Microsoft Intune Admin Center and select Endpoint Security from the blade menu.
  2. In the Endpoint Security blade, select Attack Surface Reduction under the Manage heading.
  3. On the Attack Surface Reduction policies page, you’ll notice two tabs at the top of the page, Summary and Reusable Settings. The Summary page holds our actual policies, but we’ll start by selecting Reusable Settings to configure the printer groups that we want to target first. We’ll be taking a whitelist approach, by blocking all printing and then excluding the reusable groups we want to allow.
  4. The first group will be our catch-all group for all types of printing. Click +Add to create a new reusable group. Fill in the Basics page and proceed to Configuration Settings.
    Under Device Control, click +Add –> Printer device and then + Edit Instance.
  5. The Configure Printer Instance blade contains several fields you can use to specify printer type. Enter a descriptive name, and select Printer Devices from the PrimaryID field, and leave all other fields with their default settings. This group will effectively contain all printers.
  6. You’ll notice that you can create multiple entries for one reusable group. This allows you to define multiple conditions and match based on any or all conditions, using the toggle button at the bottom. We’ll stick with this single condition and save the group.
  7. Our second group will contain all Universal Print devices. Create another reusable group. In the Configure Printer instance blade, this time we want to leave PrimaryID as Not Configured and set PrinterConnectionId to Universal. You’ll notice a number of other printer categories to choose from. You can create separate groups for each type of printer in this way. Save and return to the Summary tab of the Attack Surface Reduction page.
  8. Click + Create Policy and select Windows 10, Windows 11, and Windows Server as the Platform. Select Device Control as the profile. Fill in the Basics page then scroll down to the Device Control section at the bottom of the Configuration Settings page.
  9. Under IncludedID, select your reusable group containing all printers. Under ExcludedID, select your reusable group containing Universal Print devices. Under Entry, configure the entry as follows:
  Type            Options                         Access mask
  Deny            None                            Print
  Audit Denied    Send notification and event     Print

Once you have saved your device control policy and applied it to a test device, try it out by attempting to print to a Universal Print printer (or whichever category you chose), and then try a blocked category, such as Print to PDF. You should receive a system notification with the Device Control policy name, indicating that the action is restricted. This is the purpose of the Audit Denied entry above. You’ll notice the option Send notification and event, which also means that you will generate a Defender for Endpoint event each time the policy is triggered. You can audit these events directly from the Security Admin portal by using the Device Control Report, or via a KQL query.

Bonus: Removing Printer Drivers

During testing, we noticed that the OneNote (Desktop) printer would still print to OneNote, despite triggering the Device Control policy. The OneNote for Windows 10 option is successfully blocked, however. The proactive remediation script below can be used to detect and remove the OneNote (Desktop) printer drivers specifically. You can schedule this script to run regularly on your devices to ensure they cannot print to OneNote and bypass the Device Control policies. It’s not a perfect solution, as the drivers can return automatically, hence the need to check for them regularly — or delete the app altogether!

Download the scripts below from my GitHub repository here:
https://github.com/ayre001/Powershell-Scripts/tree/main/ProactiveRemediations/RemovePrinterDrivers

Detection Script:

# Detection Script

# Define the printer and driver names to look for
$printerName = "OneNote (Desktop)"
$driverName = "Send to Microsoft OneNote 16 Driver"

# Check if the printer exists
$printer = Get-Printer -Name $printerName -ErrorAction SilentlyContinue

# Check if the printer driver exists
$driver = Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue

# If either the printer or driver exists, output a message and exit with code 1 (indicating the issue exists)
if ($printer -or $driver) {
    Write-Host "Either printer or driver detected"
    exit 1
} else {
    # If neither the printer nor driver exists, exit with code 0 (indicating no issue)
    Write-Host "Neither printer nor driver detected"
    exit 0
}

Remediation Script:

# Remediation Script

# Define the printer and driver names to remove
$printerName = "OneNote (Desktop)"
$driverName = "Send to Microsoft OneNote 16 Driver"

try {
    # Check if the printer exists and remove it
    $printer = Get-Printer -Name $printerName -ErrorAction SilentlyContinue
    if ($printer) {
        Remove-Printer -Name $printerName -ErrorAction Stop
        Write-Host "Printer removed: $printerName"
    } else {
        Write-Host "Printer not found: $printerName"
    }

    # Check if the printer driver exists and remove it
    $driver = Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue
    if ($driver) {
        Remove-PrinterDriver -Name $driverName -ErrorAction Stop
        Write-Host "Printer driver removed: $driverName"
    } else {
        Write-Host "Printer driver not found: $driverName"
    }

    # Exit with code 0 (indicating success)
    exit 0
} catch {
    # If an error occurs, output the error message and exit with code 1 (indicating failure)
    $errMsg = $_.Exception.Message
    Write-Host "Error occurred: $errMsg"
    exit 1
}

If you want to remove other printers or printer drivers programmatically, use the Get-Printer and Get-PrinterDriver commands in PowerShell to identify the printers and drivers you want to target, then update the $printerName and $driverName variables in the scripts above.
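The scripts above handle one printer/driver pair each. The following is an added example, not code from the post or its GitHub repository, that generalises them to a list of pairs in a single file: Intune runs detection and remediation scripts without arguments, so the mode is set in a variable at the top and the same file is uploaded twice with different values. The OneNote pair is the one named in the post; the Print to PDF and XPS pairs are assumed names for the built-in virtual printers and must be confirmed with Get-Printer and Get-PrinterDriver on a reference device before deploying.

```powershell
# Added example (not from the original post): multi-target version of the
# detection/remediation pair. Set $Mode, then upload one copy as the detection
# script ('Detect') and one as the remediation script ('Remediate').
$Mode = 'Detect'   # 'Detect' -> exit 1 when any target is present; 'Remediate' -> remove them

# Printer queue / driver pairs that should not exist on the device.
# The OneNote pair comes from the post; the other two are ASSUMED names for the
# built-in virtual printers - verify them on a reference device first.
$Targets = @(
    @{ Printer = 'OneNote (Desktop)';             Driver = 'Send to Microsoft OneNote 16 Driver' }
    @{ Printer = 'Microsoft Print to PDF';        Driver = 'Microsoft Print To PDF' }
    @{ Printer = 'Microsoft XPS Document Writer'; Driver = 'Microsoft XPS Document Writer v4' }
)

function Get-TargetPrintState {
    # Returns one object per target recording whether its queue and/or driver is installed
    param([hashtable[]]$Targets)
    foreach ($t in $Targets) {
        [pscustomobject]@{
            Printer       = $t.Printer
            Driver        = $t.Driver
            PrinterExists = [bool](Get-Printer       -Name $t.Printer -ErrorAction SilentlyContinue)
            DriverExists  = [bool](Get-PrinterDriver -Name $t.Driver  -ErrorAction SilentlyContinue)
        }
    }
}

function Remove-TargetPrint {
    # Removes whatever Get-TargetPrintState reported as present; supports -WhatIf for a dry run
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([pscustomobject[]]$State)
    foreach ($s in $State) {
        # Queue first: Remove-PrinterDriver fails while a queue still references the driver
        if ($s.PrinterExists -and $PSCmdlet.ShouldProcess($s.Printer, 'Remove-Printer')) {
            Remove-Printer -Name $s.Printer -ErrorAction Stop
            Write-Output "Printer removed: $($s.Printer)"
        }
        if ($s.DriverExists -and $PSCmdlet.ShouldProcess($s.Driver, 'Remove-PrinterDriver')) {
            Remove-PrinterDriver -Name $s.Driver -ErrorAction Stop
            Write-Output "Printer driver removed: $($s.Driver)"
        }
    }
}

$state = Get-TargetPrintState -Targets $Targets
$found = @($state | Where-Object { $_.PrinterExists -or $_.DriverExists })

if ($found.Count -eq 0) {
    Write-Output 'No targeted printers or drivers present'
    exit 0
}

if ($Mode -eq 'Detect') {
    # Keep the summary to one line; Intune shows it in the detection output column
    Write-Output ('Present: ' + (($found | ForEach-Object { $_.Printer }) -join '; '))
    exit 1
}

try {
    Remove-TargetPrint -State $found -ErrorAction Stop
    exit 0
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

To see what the remediation would do on a test device without changing anything, dot-source the file in an elevated session and run Remove-TargetPrint -State (Get-TargetPrintState -Targets $Targets) -WhatIf. Removing the queue before its driver matters: Remove-PrinterDriver refuses to remove a driver that an existing queue still uses, which is why the original single-target script also orders the two steps that way.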
