Policy CSP - Printers

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

ApprovedUsbPrintDevices

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices

This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting.

When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing.

Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue, the device vid/pid will be compared to the approved list.

The format of this setting is <vid>/<pid>[,<vid>/<pid>].
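
The list format above and the SyncML encoding rules from the top of the page, combined in an added example (not Microsoft's code): it validates a reviewed list of vid/pid pairs and wraps the ADMX payload in a SyncML Replace command, either XML-encoded or as CDATA. The element id `ApprovedUsbPrintDevices_List`, the four-hex-digit form of each ID and the sample IDs are assumptions; check the id against Printing.admx.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

LOC_URI = "./Device/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices"
# ASSUMPTION: this ADMX element id is not given on the page; confirm it in
# Printing.admx before use.
ADMX_DATA_ID = "ApprovedUsbPrintDevices_List"
# ASSUMPTION: vid and pid are each written as four hex digits (USB IDs are 16-bit).
PAIR_RE = re.compile(r"[0-9A-Fa-f]{4}/[0-9A-Fa-f]{4}")
SYNCML_NS = {"s": "SYNCML:SYNCML1.2"}


def parse_approved_list(raw):
    """Validate '<vid>/<pid>[,<vid>/<pid>]'; return upper-cased, de-duplicated pairs."""
    pairs = []
    for item in raw.split(","):
        item = item.strip()
        # fullmatch rejects empty items (stray commas) and anything that could
        # smuggle markup or extra attributes into the payload.
        if not PAIR_RE.fullmatch(item):
            raise ValueError(f"not a <vid>/<pid> pair: {item!r}")
        item = item.upper()
        if item not in pairs:
            pairs.append(item)
    return pairs


def admx_payload(pairs):
    """ADMX-backed payload: enable the policy and supply the list value."""
    if not pairs:
        raise ValueError("refusing to build an empty approved list")
    value = ",".join(pairs)
    return f'<enabled/><data id="{ADMX_DATA_ID}" value="{value}"/>'


def syncml_replace(payload, cmd_id=1, use_cdata=False):
    """Wrap the payload in a SyncML Replace command with Format 'chr'."""
    if use_cdata:
        # A CDATA section ends at the first ']]>', so it must not occur inside.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot go in CDATA")
        data = f"<![CDATA[{payload}]]>"
    else:
        # XML-encode the payload so it travels as text inside <Data>.
        data = escape(payload)
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Replace>'
        f"<CmdID>{int(cmd_id)}</CmdID><Item>"
        f"<Target><LocURI>{LOC_URI}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
        f"<Data>{data}</Data>"
        "</Item></Replace><Final/></SyncBody></SyncML>"
    )


def decoded_data(syncml):
    """Parse the command back and return the <Data> text a receiver would see."""
    root = ET.fromstring(syncml)
    return root.find(".//s:Data", SYNCML_NS).text


if __name__ == "__main__":
    # Constructed sample IDs, not real printer models.
    approved = parse_approved_list("1a2b/3c4d, 00FF/0001")
    payload = admx_payload(approved)
    for cdata in (False, True):
        doc = syncml_replace(payload, use_cdata=cdata)
        # Both encodings must decode to the identical ADMX payload.
        assert decoded_data(doc) == payload
        print(doc)
```
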

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ApprovedUsbPrintDevices
Friendly Name List of Approved USB-connected print devices
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
ADMX File Name Printing.admx

ApprovedUsbPrintDevicesUser

Scope: ❌ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser

This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting.

When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing.

Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue, the device vid/pid will be compared to the approved list.

The format of this setting is <vid>/<pid>[,<vid>/<pid>].

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ApprovedUsbPrintDevicesUser
Friendly Name List of Approved USB-connected print devices
Location User Configuration
Path Control Panel > Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
ADMX File Name Printing.admx

ConfigureCopyFilesPolicy

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureCopyFilesPolicy

Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the "Manage processing of Queue-specific files" box.

If you disable or don't configure this policy setting, the default behavior is "Limit Queue-specific files to Color profiles".

  • "Do not allow Queue-specific files" specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation.

  • "Limit Queue-specific files to Color profiles" specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. "Limit Queue-specific files to Color profiles" is the default behavior.

  • "Allow all Queue-specific files" specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation.

The following are the supported values:

  • 0: Do not allow Queue-specific files.
  • 1 (Default): Limit Queue-specific files to Color profiles.
  • 2: Allow all Queue-specific files.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureCopyFilesPolicy
Friendly Name Manage processing of Queue-specific files
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
ADMX File Name Printing.admx

ConfigureDriverValidationLevel

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureDriverValidationLevel

This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that's required for a print driver to be considered valid and installed on the system.

As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation.

You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box.

If you disable or don't configure this policy setting, the default method is "Allow all validly signed drivers".

  • "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer.

  • "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.

  • "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).

  • "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.

  • "Allow all validly signed drivers" specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.

The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location.

The 'Trusted Publishers' certificate store can contain certificates from sources that aren't related to print drivers.

The following are the supported values:

  • 0: Require inbox signed drivers.
  • 1: Allow inbox and PrintDrivers Trusted Store signed drivers.
  • 2: Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers.
  • 3: Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers.
  • 4 (Default): Allow all validly signed drivers.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureDriverValidationLevel
Friendly Name Manage Print Driver signature validation
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\Driver
ADMX File Name Printing.admx

ConfigureIppPageCountsPolicy

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppPageCountsPolicy

Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver.

By default, pages are sent to the printer as soon as they're rendered and page count information isn't sent to the printer unless pages must be reordered.

  • If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job.

  • If you disable this setting or don't configure it, pages are printed as soon as they're rendered and page counts are only sent when page reordering is required to process the job.

The following are the supported values:

  • 0 (Default): Disabled.
  • 1: Enabled.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureIppPageCountsPolicy
Friendly Name Always send job page count information for IPP printers
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\IPP
Registry Value Name AlwaysSendIppPageCounts
ADMX File Name Printing.admx

ConfigureRedirectionGuardPolicy

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardPolicy

Determines whether Redirection Guard is enabled for the print spooler.

You can enable this setting to configure the Redirection Guard policy being applied to spooler.

  • If you disable or don't configure this policy setting, Redirection Guard will default to being 'Enabled'.

  • If you enable this setting you may select the following options:

      • Enabled: Redirection Guard will prevent any file redirections from being followed.

      • Disabled: Redirection Guard won't be enabled and file redirections may be used within the spooler process.

      • Audit: Redirection Guard will log events as though it were enabled but won't actually prevent file redirections from being used within the spooler.

The following are the supported values:

  • 0: Redirection guard disabled.
  • 1 (Default): Redirection guard enabled.
  • 2: Redirection guard audit mode.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureRedirectionGuardPolicy
Friendly Name Configure Redirection Guard
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
ADMX File Name Printing.admx

ConfigureRpcAuthnLevelPrivacyEnabled

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcAuthnLevelPrivacyEnabled

This policy setting controls whether packet level privacy is enabled for RPC for incoming connections.

By default packet level privacy is enabled for RPC for incoming connections.

If you enable or don't configure this policy setting, packet level privacy is enabled for RPC for incoming connections.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureRpcAuthnLevelPrivacyEnabled
Friendly Name Configure RPC packet level privacy setting for incoming connections
Location Computer Configuration
Path Printers
Registry Key Name System\CurrentControlSet\Control\Print
Registry Value Name RpcAuthnLevelPrivacyEnabled
ADMX File Name Printing.admx

ConfigureRpcConnectionPolicy

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcConnectionPolicy

This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler.

By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines.

Protocol to use for outgoing RPC connections:

  • "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler
  • "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler.

Use authentication for outgoing RPC over named pipes connections:

  • "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes
  • "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections
  • "Authentication disabled": RPC authentication won't be used for outgoing RPC over named pipes connections.

If you disable or don't configure this policy setting, the above defaults will be used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureRpcConnectionPolicy
Friendly Name Configure RPC connection settings
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\RPC
ADMX File Name Printing.admx

ConfigureRpcListenerPolicy

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcListenerPolicy

This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use.

By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol.

Protocols to allow for incoming RPC connections:

  • "RPC over named pipes": Incoming RPC connections are only allowed over named pipes
  • "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option)
  • "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes.

Authentication protocol to use for incoming RPC connections:

  • "Negotiate": Use the Negotiate authentication protocol (the default option)
  • "Kerberos": Use the Kerberos authentication protocol.

If you disable or don't configure this policy setting, the above defaults will be used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureRpcListenerPolicy
Friendly Name Configure RPC listener settings
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\RPC
ADMX File Name Printing.admx

ConfigureRpcTcpPort

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcTcpPort

This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers.

By default dynamic TCP ports are used.

RPC over TCP port:

  • The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used.

If you disable or don't configure this policy setting, dynamic TCP ports are used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureRpcTcpPort
Friendly Name Configure RPC over TCP port
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\RPC
ADMX File Name Printing.admx

ConfigureWindowsProtectedPrint

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint

Determines whether Windows protected print is enabled on this computer.

By default, Windows protected print isn't enabled and there aren't any restrictions on the print drivers that can be installed or print functionality.

  • If you enable this setting, the computer will operate in Windows protected print mode which only allows printing to printers that support a subset of inbox Windows print drivers.

  • If you disable this setting or don't configure it, there aren't any restrictions on the print drivers that can be installed or print functionality.

For more information, please see [insert link to web page with WPP info]

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ConfigureWindowsProtectedPrint
Friendly Name Configure Windows protected print
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\WPP
Registry Value Name WindowsProtectedPrintGroupPolicyState
ADMX File Name Printing.admx

EnableDeviceControl

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl

Determines whether Device Control Printing Restrictions are enforced for printing on this computer.

By default, there are no restrictions to printing based on connection type or printer Make/Model.

  • If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers.

  • If you disable this setting or don't configure it, there are no restrictions to printing based on connection type or printer Make/Model.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnableDeviceControl
Friendly Name Enable Device Control Printing Restrictions
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
Registry Value Name EnableDeviceControl
ADMX File Name Printing.admx

EnableDeviceControlUser

Scope: ❌ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser

Determines whether Device Control Printing Restrictions are enforced for printing on this computer.

By default, there are no restrictions to printing based on connection type or printer Make/Model.

  • If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers.

  • If you disable this setting or don't configure it, there are no restrictions to printing based on connection type or printer Make/Model.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name EnableDeviceControlUser
Friendly Name Enable Device Control Printing Restrictions
Location User Configuration
Path Control Panel > Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
Registry Value Name EnableDeviceControl
ADMX File Name Printing.admx

ManageDriverExclusionList

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/ManageDriverExclusionList

This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that aren't allowed to be installed on the system.

This check outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded.

Entries in the exclusion list consist of a SHA256 hash (or SHA1 hash for Win7) of the INF file and/or main driver DLL file of the driver and the name of the file.

If you disable or don't configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name ManageDriverExclusionList
Friendly Name Manage Print Driver exclusion list
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\Driver
ADMX File Name Printing.admx

PointAndPrintRestrictions

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

  • If you enable this policy setting:

      - Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made.

      - You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated.

  • If you don't configure this policy setting:

      - Windows Vista client computers can point and print to any server.

      - Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.

      - Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.

      - Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

  • If you disable this policy setting:

      - Windows Vista client computers can create a printer connection to any server using Point and Print.

      - Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.

      - Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

      - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.

      - The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name PointAndPrint_Restrictions_Win7
Friendly Name Point and Print Restrictions
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Registry Value Name Restricted
ADMX File Name Printing.admx

PointAndPrintRestrictions_User

Scope: ❌ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./User/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions_User

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

  • If you enable this policy setting:

      - Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made.

      - You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated.

  • If you don't configure this policy setting:

      - Windows Vista client computers can point and print to any server.

      - Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.

      - Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.

      - Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

  • If you disable this policy setting:

      - Windows Vista client computers can create a printer connection to any server using Point and Print.

      - Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.

      - Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

      - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.

      - The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name PointAndPrint_Restrictions
Friendly Name Point and Print Restrictions
Location User Configuration
Path Control Panel > Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Registry Value Name Restricted
ADMX File Name Printing.admx

PublishPrinters

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Printers/PublishPrinters

Determines whether the computer's shared printers can be published in Active Directory.

  • If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.

  • If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available.

Note

This setting takes priority over the setting "Automatically publish new printers in the Active Directory".

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name PublishPrinters
Friendly Name Allow printers to be published
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers
Registry Value Name PublishPrinters
ADMX File Name Printing2.admx

RestrictDriverInstallationToAdministrators

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 11, version 22H2 [10.0.22621] and later
./Device/Vendor/MSFT/Policy/Config/Printers/RestrictDriverInstallationToAdministrators

Determines whether users that aren't Administrators can install print drivers on this computer.

By default, users that aren't Administrators can't install print drivers on this computer.

  • If you enable this setting or don't configure it, the system will limit installation of print drivers to Administrators of this computer.

  • If you disable this setting, the system won't limit installation of print drivers to this computer.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictDriverInstallationToAdministrators
Friendly Name Limits print driver installation to Administrators
Location Computer Configuration
Path Printers
Registry Key Name Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Registry Value Name RestrictDriverInstallationToAdministrators
ADMX File Name Printing.admx
