Policy CSP - Printers
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
ApprovedUsbPrintDevices
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting.
When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing.
Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list.
The format of this setting is <vid>/<pid>[,<vid>/<pid>].
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ApprovedUsbPrintDevices |
| Friendly Name | List of Approved USB-connected print devices |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| ADMX File Name | Printing.admx |
ApprovedUsbPrintDevicesUser
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser
This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting.
When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing.
Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list.
The format of this setting is <vid>/<pid>[,<vid>/<pid>].
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ApprovedUsbPrintDevicesUser |
| Friendly Name | List of Approved USB-connected print devices |
| Location | User Configuration |
| Path | Control Panel > Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| ADMX File Name | Printing.admx |
ConfigureCopyFilesPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureCopyFilesPolicy
Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.
You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the "Manage processing of Queue-specific files" box.
If you disable or don't configure this policy setting, the default behavior is "Limit Queue-specific files to Color profiles".
"Do not allow Queue-specific files" specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation.
"Limit Queue-specific files to Color profiles" specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. "Limit Queue-specific files to Color profiles" is the default behavior.
"Allow all Queue-specific files" specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation.
The following are the supported values:
- 0: Do not allow Queue-specific files.
- 1 (Default): Limit Queue-specific files to Color profiles.
- 2: Allow all Queue-specific files.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureCopyFilesPolicy |
| Friendly Name | Manage processing of Queue-specific files |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| ADMX File Name | Printing.admx |
ConfigureDriverValidationLevel
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureDriverValidationLevel
This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that's required for a print driver to be considered valid and installed on the system.
As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation.
You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box.
If you disable or don't configure this policy setting, the default method is "Allow all validly signed drivers".
"Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer.
"Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
"Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
"Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
"Allow all validly signed drivers" specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location.
The 'Trusted Publishers' certificate store can contain certificates from sources that aren't related to print drivers.
The following are the supported values:
- 0: Require inbox signed drivers.
- 1: Allow inbox and PrintDrivers Trusted Store signed drivers.
- 2: Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers.
- 3: Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers.
- 4 (Default): Allow all validly signed drivers.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureDriverValidationLevel |
| Friendly Name | Manage Print Driver signature validation |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver |
| ADMX File Name | Printing.admx |
ConfigureIppPageCountsPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppPageCountsPolicy
Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver.
By default, pages are sent to the printer as soon as they're rendered and page count information isn't sent to the printer unless pages must be reordered.
If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job.
If you disable this setting or don't configure it, pages are printed as soon as they're rendered and page counts are only sent when page reordering is required to process the job.
The following are the supported values:
- 0 (Default): Disabled.
- 1: Enabled.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureIppPageCountsPolicy |
| Friendly Name | Always send job page count information for IPP printers |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\IPP |
| Registry Value Name | AlwaysSendIppPageCounts |
| ADMX File Name | Printing.admx |
ConfigureRedirectionGuardPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardPolicy
Determines whether Redirection Guard is enabled for the print spooler.
You can enable this setting to configure the Redirection Guard policy being applied to spooler.
If you disable or don't configure this policy setting, Redirection Guard will default to being 'enabled'.
If you enable this setting you may select the following options:
Enabled: Redirection Guard will prevent any file redirections from being followed.
Disabled: Redirection Guard won't be enabled and file redirections may be used within the spooler process.
Audit: Redirection Guard will log events as though it were enabled but won't actually prevent file redirections from being used within the spooler.
The following are the supported values:
- 0: Redirection guard disabled.
- 1 (Default): Redirection guard enabled.
- 2: Redirection guard audit mode.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureRedirectionGuardPolicy |
| Friendly Name | Configure Redirection Guard |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| ADMX File Name | Printing.admx |
ConfigureRpcAuthnLevelPrivacyEnabled
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcAuthnLevelPrivacyEnabled
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureRpcAuthnLevelPrivacyEnabled |
| ADMX File Name | Printing.admx |
ConfigureRpcConnectionPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcConnectionPolicy
This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler.
By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines.
Protocol to use for outgoing RPC connections:
- "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler
- "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler.
Use authentication for outgoing RPC over named pipes connections:
- "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes
- "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections
- "Authentication disabled": RPC authentication won't be used for outgoing RPC over named pipes connections.
If you disable or don't configure this policy setting, the above defaults will be used.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureRpcConnectionPolicy |
| Friendly Name | Configure RPC connection settings |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC |
| ADMX File Name | Printing.admx |
ConfigureRpcListenerPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcListenerPolicy
This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use.
By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol.
Protocols to allow for incoming RPC connections:
- "RPC over named pipes": Incoming RPC connections are only allowed over named pipes
- "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option)
- "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes.
Authentication protocol to use for incoming RPC connections:
- "Negotiate": Use the Negotiate authentication protocol (the default option)
- "Kerberos": Use the Kerberos authentication protocol.
If you disable or don't configure this policy setting, the above defaults will be used.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureRpcListenerPolicy |
| Friendly Name | Configure RPC listener settings |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC |
| ADMX File Name | Printing.admx |
ConfigureRpcTcpPort
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcTcpPort
This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers.
By default dynamic TCP ports are used.
RPC over TCP port:
- The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used.
If you disable or don't configure this policy setting, dynamic TCP ports are used.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureRpcTcpPort |
| Friendly Name | Configure RPC over TCP port |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC |
| ADMX File Name | Printing.admx |
ConfigureWindowsProtectedPrint
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigureWindowsProtectedPrint |
| ADMX File Name | Printing.admx |
EnableDeviceControl
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
Determines whether Device Control Printing Restrictions are enforced for printing on this computer.
By default, there are no restrictions to printing based on connection type or printer Make/Model.
If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers.
If you disable this setting or don't configure it, there are no restrictions to printing based on connection type or printer Make/Model.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableDeviceControl |
| Friendly Name | Enable Device Control Printing Restrictions |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| Registry Value Name | EnableDeviceControl |
| ADMX File Name | Printing.admx |
EnableDeviceControlUser
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser
Determines whether Device Control Printing Restrictions are enforced for printing on this computer.
By default, there are no restrictions to printing based on connection type or printer Make/Model.
If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers.
If you disable this setting or don't configure it, there are no restrictions to printing based on connection type or printer Make/Model.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableDeviceControlUser |
| Friendly Name | Enable Device Control Printing Restrictions |
| Location | User Configuration |
| Path | Control Panel > Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| Registry Value Name | EnableDeviceControl |
| ADMX File Name | Printing.admx |
ManageDriverExclusionList
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/ManageDriverExclusionList
This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that aren't allowed to be installed on the system.
This checks outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded.
Entries in the exclusion list consist of a SHA256 hash (or SHA1 hash for Win7) of the INF file and/or main driver DLL file of the driver and the name of the file.
If you disable or don't configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ManageDriverExclusionList |
| Friendly Name | Manage Print Driver exclusion list |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver |
| ADMX File Name | Printing.admx |
PointAndPrintRestrictions
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- If you enable this policy setting:
-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made.
-You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated.
- If you don't configure this policy setting:
-Windows Vista client computers can point and print to any server.
-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- If you disable this policy setting:
-Windows Vista client computers can create a printer connection to any server using Point and Print.
-Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | PointAndPrint_Restrictions_Win7 |
| Friendly Name | Point and Print Restrictions |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint |
| Registry Value Name | Restricted |
| ADMX File Name | Printing.admx |
PointAndPrintRestrictions_User
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./User/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions_User
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- If you enable this policy setting:
-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made.
-You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated.
- If you don't configure this policy setting:
-Windows Vista client computers can point and print to any server.
-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- If you disable this policy setting:
-Windows Vista client computers can create a printer connection to any server using Point and Print.
-Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | PointAndPrint_Restrictions |
| Friendly Name | Point and Print Restrictions |
| Location | User Configuration |
| Path | Control Panel > Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint |
| Registry Value Name | Restricted |
| ADMX File Name | Printing.admx |
PublishPrinters
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/PublishPrinters
Determines whether the computer's shared printers can be published in Active Directory.
If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available.
Note
This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | PublishPrinters |
| Friendly Name | Allow printers to be published |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
| Registry Value Name | PublishPrinters |
| ADMX File Name | Printing2.admx |
RestrictDriverInstallationToAdministrators
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/Printers/RestrictDriverInstallationToAdministrators
Determines whether users that aren't Administrators can install print drivers on this computer.
By default, users that aren't Administrators can't install print drivers on this computer.
If you enable this setting or don't configure it, the system will limit installation of print drivers to Administrators of this computer.
If you disable this setting, the system won't limit installation of print drivers to this computer.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | RestrictDriverInstallationToAdministrators |
| Friendly Name | Limits print driver installation to Administrators |
| Location | Computer Configuration |
| Path | Printers |
| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint |
| Registry Value Name | RestrictDriverInstallationToAdministrators |
| ADMX File Name | Printing.admx |
Related articles
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for