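I've spent several days trying to find information on why a custom OMA-URI USB policy in Intune also blocks the printers on my network. Blocking USB printers is perfectly logical, but blocking network-shared printers doesn't make sense to me, and that is the problem.
When this policy is applied to a device, the network printers show "Disconnected", and the device that shares the printer over USB, which does not have the policy, works fine.
I applied this:
Removable media group XML OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b56779d19-346e-4219-81a0-8b6a0a35a348%7d/GroupData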
<Group Id="{56779d19-346e-4219-81a0-8b6a0a35a348}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b56779d19-346e-4219-81a0-8b6a0a35a348%7d/GroupData -->
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
</DescriptorIdList>
</Group>
USB approved group XML (it works fine and allows certain USB devices) OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7bf1d51d30-cf1e-453d-a275-152a770b1f83%7d/GroupData
<Group Id="{f1d51d30-cf1e-453d-a275-152a770b1f83}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7bf1d51d30-cf1e-453d-a275-152a770b1f83%7d/GroupData -->
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<InstancePathId>USBSTOR\DISK&amp;VEN_TTULTRA&amp;PROD_SENSITECH_INC.&amp;REV_\7&amp;8D3D3A7&amp;0&amp;00000000001A&amp;0</InstancePathId>
<InstancePathId>USBSTOR\DISK&amp;VEN_ATMEL&amp;PROD_ON-CHIP_VIRTUAL&amp;REV_1.00\7&amp;D039C83&amp;0&amp;123123123123&amp;0</InstancePathId>
<InstancePathId>USBSTOR\DISK&amp;VEN_GENERIC&amp;PROD_USB_FLASH_DISK&amp;REV_0.00\__0XFFFFFFFFFFFFFFFF&amp;0</InstancePathId>
</DescriptorIdList>
</Group>
**Intune allow policy XML** OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7baa5767cd-852d-45c4-8409-7adc0147dd45%7d/RuleData
<PolicyRule Id="{aa5767cd-852d-45c4-8409-7adc0147dd45}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7baa5767cd-852d-45c4-8409-7adc0147dd45%7d/RuleData -->
<Name>Allow Write and Execute to Removable Storage</Name>
<IncludedIdList>
<GroupId>{f1d51d30-cf1e-453d-a275-152a770b1f83}</GroupId>
</IncludedIdList>
<ExcludedIdList>
</ExcludedIdList>
<Entry Id="{1f910990-dd5d-4a99-a75b-3b460b16ce57}">
<Type>Allow</Type>
<Options>16</Options>
<AccessMask>63</AccessMask>
</Entry>
</PolicyRule>
Restriction policy XML OMA-URI ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b6edabff0-b59f-40db-b1fd-d94807c0bb87%7d/RuleData
<PolicyRule Id="{6edabff0-b59f-40db-b1fd-d94807c0bb87}">
<!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b6edabff0-b59f-40db-b1fd-d94807c0bb87%7d/RuleData -->
<Name>Block Write and Execute to Removable Storage</Name>
<IncludedIdList>
<GroupId>{56779d19-346e-4219-81a0-8b6a0a35a348}</GroupId>
</IncludedIdList>
<ExcludedIdList>
<GroupId>{f1d51d30-cf1e-453d-a275-152a770b1f83}</GroupId>
</ExcludedIdList>
<Entry Id="{bab49e44-9fc9-44d0-8937-8f7c8c17a290}">
<Type>Deny</Type>
<Options>0</Options>
<AccessMask>3</AccessMask>
</Entry>
</PolicyRule>
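The policy works fine: it blocks all USB devices and allows the USB devices I previously put in the "USB approved group XML".
I don't know whether I forgot a line or a setting.
Thank you all very much in advance.
The policy must block any USB device and allow printing over the network to shared printers.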
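The reason the custom OMA-URI USB policy in Intune blocks the printers on the network is that the policy blocks all USB devices. It is not possible to distinguish between USB storage devices and USB printers using an Intune policy.
However, you can try modifying the custom OMA-URI USB policy to allow the USB printer as an exception. You can add the USB printer's vendor ID and product ID to the USB approved group XML. This will allow the USB printer to work even when the policy is applied.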
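Added example (not part of the original posts, and not Microsoft's code): a small Python audit of the two rules posted in the question that decodes each AccessMask and checks that every referenced group id is defined. The bit names are an assumption taken from Microsoft's Device Control documentation, and the `<Rules>` wrapper element is constructed so both rules parse as one document.

```python
import xml.etree.ElementTree as ET

# AccessMask bit names per Microsoft's Device Control documentation
# (assumption: they are not stated on this page).
ACCESS_BITS = {1: "DiskRead", 2: "DiskWrite", 4: "DiskExecute",
               8: "FileRead", 16: "FileWrite", 32: "FileExecute", 64: "Print"}
# Group ids defined by the two GroupData payloads in the question.
DEFINED_GROUPS = {"{56779d19-346e-4219-81a0-8b6a0a35a348}",
                  "{f1d51d30-cf1e-453d-a275-152a770b1f83}"}

# The question's two rules, condensed; the <Rules> wrapper is constructed.
RULES_XML = """<Rules>
<PolicyRule Id="{aa5767cd-852d-45c4-8409-7adc0147dd45}">
  <Name>Allow Write and Execute to Removable Storage</Name>
  <IncludedIdList><GroupId>{f1d51d30-cf1e-453d-a275-152a770b1f83}</GroupId></IncludedIdList>
  <ExcludedIdList></ExcludedIdList>
  <Entry Id="{1f910990-dd5d-4a99-a75b-3b460b16ce57}"><Type>Allow</Type><Options>16</Options><AccessMask>63</AccessMask></Entry>
</PolicyRule>
<PolicyRule Id="{6edabff0-b59f-40db-b1fd-d94807c0bb87}">
  <Name>Block Write and Execute to Removable Storage</Name>
  <IncludedIdList><GroupId>{56779d19-346e-4219-81a0-8b6a0a35a348}</GroupId></IncludedIdList>
  <ExcludedIdList><GroupId>{f1d51d30-cf1e-453d-a275-152a770b1f83}</GroupId></ExcludedIdList>
  <Entry Id="{bab49e44-9fc9-44d0-8937-8f7c8c17a290}"><Type>Deny</Type><Options>0</Options><AccessMask>3</AccessMask></Entry>
</PolicyRule>
</Rules>"""

def decode_mask(mask):
    """Return the names of the access bits set in an AccessMask value."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def audit_rules(rules_xml, defined_groups):
    """Summarise each rule entry and flag group ids that no group defines."""
    findings = []
    for rule in ET.fromstring(rules_xml).iter("PolicyRule"):
        refs = [g.text.strip() for g in rule.iter("GroupId")]
        for entry in rule.iter("Entry"):
            mask = int(entry.findtext("AccessMask"))
            findings.append({
                "name": rule.findtext("Name"),
                "type": entry.findtext("Type"),
                "access": decode_mask(mask),
                "covers_print": bool(mask & 64),
                "unknown_groups": [r for r in refs if r not in defined_groups],
            })
    return findings

if __name__ == "__main__":
    for finding in audit_rules(RULES_XML, DEFINED_GROUPS):
        print(finding)
```

For the values on this page, 63 decodes to all disk and file access bits and 3 to DiskRead and DiskWrite; neither entry sets the Print bit.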