We had a similar-sounding problem a couple of months ago when we used an MS250 for L3 and wanted to deny one VLAN from accessing anything other than just one server. We had to do a "deny any" rule for that VLAN. That blocked DHCP requests for that VLAN. And the weird thing was that all the laptops could get a DHCP address from that VLAN but most of the handheld devices could not (can't remember what model that was).
I needed to allow UDP ports 67 and 68 for that VLAN to get DHCP requests going for all the devices. I still can't quite understand why some worked and some did not... Of course, if we removed that deny any rule everything also worked just fine. We had DHCP relay for that VLAN but I also tested that with MS250 DHCP with similar results.
In a scenario like that, be sure to always allow DHCP traffic towards the DHCP server, as clients sending DHCP informs or simply renewing their lease will send using unicast directly to the DHCP server.
Of course, if this fails they will ultimately retry using a broadcast DHCP discover, but that's at the very end of the lease and it is not recommended to let it come that far.
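
The rule ordering discussed in this thread, as an added example that is not part of either post and not Meraki's own code: a generic first-match ACL model evaluated against broadcast and unicast DHCP packets before and after the UDP 67/68 permits are placed above the "deny any" rule. The VLAN id, addresses, rule tuple layout and default action are all assumptions made for the illustration.

```python
# Added illustration: a generic first-match ACL model, not Meraki's implementation.
from ipaddress import ip_address, ip_network

# Rule: (action, vlan, proto, dst_network, dst_port); None matches anything.
# All addresses and the VLAN id are constructed sample values.
BEFORE = [
    ("allow", 30, None, "10.0.0.20/32", None),   # the one permitted server
    ("deny",  30, None, "0.0.0.0/0",    None),   # "deny any" for the VLAN
]
AFTER = [
    ("allow", 30, None,  "10.0.0.20/32", None),
    ("allow", 30, "udp", "0.0.0.0/0",    67),    # DHCP towards the server
    ("allow", 30, "udp", "0.0.0.0/0",    68),    # DHCP towards clients
    ("deny",  30, None,  "0.0.0.0/0",    None),
]

# Constructed packets as seen leaving VLAN 30.
PACKETS = {
    "discover (broadcast)": (30, "udp", "255.255.255.255", 67),
    "renew (unicast)":      (30, "udp", "10.0.0.5", 67),   # 10.0.0.5 = DHCP server
    "app server":           (30, "tcp", "10.0.0.20", 443),
    "other host":           (30, "tcp", "10.0.0.99", 445),
}

def evaluate(rules, packet, default="allow"):
    """Return the action of the first matching rule (default is an assumption)."""
    vlan, proto, dst, dport = packet
    for action, r_vlan, r_proto, r_dst, r_dport in rules:
        if r_vlan is not None and r_vlan != vlan:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action
    return default

def verdicts(rules):
    """Map each sample packet name to the action the rule list gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, verdicts(rules))
```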