CP - Security - Print Spooler Hardening
What this policy is about
Remember the summer everyone's least favorite Windows service tried to speedrun "remote code execution as SYSTEM, but make it printable"?
Yeah. We don't talk about it. We just patch around it forever.
The Print Spooler is one of those Windows services that's been running since Clippy was a junior dev. It's old. It's chatty. It runs as SYSTEM. And for a long time it would happily install any driver any user pointed at it, including drivers hosted on a print server in, let's say, not Kansas anymore.
This policy is the bouncer at the door of the spooler.
It keeps printing working for normal users (Karen still needs to print the meeting agenda nobody reads). It just stops the spooler from being a remote-code-execution vending machine.
Think of it as "yes you may print, no you may not summon a SYSTEM shell while doing it."
Why this matters
The print spooler is the gift that keeps on giving to attackers. In its unhardened factory state:
- Any user can install a printer driver. Including a "driver" that is actually a payload wearing a trench coat.
- Point and Print will silently pull drivers from a remote server with no elevation prompt. Whoever controls that server controls every workstation that connects.
- Queue-specific files let drivers ship arbitrary DLLs alongside the print job. What could possibly go wrong.
- The spooler runs as SYSTEM. So when it gets popped, the attacker doesn't get a user shell. They get the shell.
For an MKB tenant, that's not a theoretical problem. It's the kind of thing that turns into a Sunday-evening incident call, a long week, and a very awkward conversation about cyber insurance.
Hardening the spooler doesn't stop people from printing. It stops the spooler from being the easiest way into a fleet of laptops.
Configuration Settings
All values applied via Settings Catalog, device scope. The spooler service stays running. You still want to print; you're just being picky about how.
| Setting | Value | Why |
|---|---|---|
| Point and Print Restrictions | Enabled | Turns on the whole guardrail set below. Without this, the rest of the Point and Print settings are decoration. |
| Point and Print, When installing drivers for a new connection | Show warning and elevation prompt | New printer connections require admin credentials to install a driver. No more silent drive-by driver installs. |
| Point and Print, When updating drivers for an existing connection | Show warning and elevation prompt | The original CVE escape hatch. Existing connections were the loophole. Close it. |
| Restrict driver installation to administrators (RestrictDriverInstallationToAdministrators) | Enabled (value 1) | Standard users can no longer install print drivers at all, regardless of Point and Print state. Belt-and-suspenders. |
| Configure RPC over named pipes for the Print Spooler (RpcUseNamedPipeProtocol) | Disabled (value 0) | Forces spooler RPC to use TCP only. Named pipes are the legacy channel several spooler exploits rode in on. |
| Configure RPC connection settings, Protocol to use for outgoing RPC connections | RPC over TCP | Same idea, the outbound side. Modern, authenticated, less exploitable. |
| Configure RPC connection settings, Authentication protocol | Negotiate | Don't let the spooler downgrade to anonymous RPC. Ever. Kerberos-only breaks workgroup printers and dev VMs, so we stop at Negotiate for the baseline. |
| Configure RPC listener settings, Protocols to allow for incoming RPC connections | RPC over TCP | Mirrors the outbound setting on the listener side. |
| Configure RPC listener settings, Authentication protocol | Negotiate | Same logic as above. Authenticated channel only. |
| Limits print driver installation to Administrators | Enabled | The Group Policy-equivalent twin of the registry value above. Setting both means the policy survives whichever surface gets read first. |
| Package Point and print, Only use Package Point and Print | Enabled | Only signed, package-aware drivers may be installed via Point and Print. Cuts off the entire "unsigned legacy driver as malware delivery" category. |
| Package Point and print, Approved servers (enable) | Enabled | Activates the approved-server allow-list. Without this toggle on, the list below is ignored. |
| Package Point and print, Approved servers (list) | Empty, or your known print servers | If you have on-prem print servers, list them. If you don't (most MKB clients), an empty list with the toggle above enabled means no server is approved. The safest default in a cloud-only world. |
| Allow Print Spooler to accept client connections | Disabled | On client workstations nobody should be hosting print queues. This kills the inbound listener entirely on laptops. (See caveats: exempt actual print servers.) |
| Manage processing of Queue-specific files | Limit Queue-specific files to Color profiles | Stops drivers from dropping arbitrary executables next to the print queue. This was a real exploit primitive, not a hypothetical. |
The spooler service itself is left running. We're hardening it, not amputating it. If you actually want to disable the spooler on a subset of devices (kiosks, signage, jump boxes), that's a separate policy with a separate group. Don't bake it into the baseline.
Caveats
A few honest things to flag before you push this to All Devices and walk away.
License fit. Everything here is straight Settings Catalog / ADMX on Windows 11 Pro/Business. Business Premium covers it. No E3, no E5, no add-on SKUs. You're good.
LOB-app breakage to expect. This is the part nobody warns you about until ticket #47 rolls in.
- Label printers (Zebra, Brother QL series, Dymo). Their installers love dropping unsigned, non-package-aware drivers via custom installers running as the user. With this policy, the user-mode install path is gone. You will need to pre-stage these drivers via Win32 app deployment or include them in the Autopilot image.
- Accounting and POS software (Exact, AFAS, SnelStart, the usual suspects) often ship printer-driver bundles that assume the user can elevate during install. Pre-stage or use a remediation script.
- Old multi-function devices with vendor "smart" drivers that haven't been repackaged since Windows 7. If the driver isn't package-aware, Package Point and Print will refuse it. The fix is a modern universal print driver from the vendor (they all have one, they just don't make it the default download).
- On-prem print servers. If a customer still has one (some do, especially with legacy ERP setups), add it to Approved servers. Otherwise Point and Print blocks every queue on it.
- Third-party PDF printers (Foxit, Nitro, Kofax and friends). Their installers register a virtual print driver during setup. Win32-deployed via Intune as SYSTEM: fine. User-initiated install from a Company Portal or vendor downloader: silently fails on the driver step. Pre-stage these through Win32 app deployment.
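What "pre-stage through Win32 app deployment" looks like in practice, as an added example (not vendor code and not part of this policy page): an install script packaged as an Intune Win32 app that runs in the System context, stages the vendor INF into the driver store with pnputil and registers it with the spooler via Add-PrinterDriver. Because the whole thing runs as SYSTEM, the user never hits the now-closed user-mode driver install path. The folder name, INF name, driver name and port name are placeholders; take the real ones from the vendor package.

```powershell
# Added example, not from the policy page or any vendor: Intune Win32 app
# install script that pre-stages a (signed, package-aware) printer driver as
# SYSTEM. Placeholders below must be replaced with the values from the real
# vendor package before packaging into the .intunewin.
param(
    [string]$DriverFolder = (Join-Path $PSScriptRoot 'Driver'),       # INF + .cat + binaries shipped inside the .intunewin
    [string]$InfName      = 'PLACEHOLDER_vendor_driver.inf',            # placeholder INF file name
    [string]$DriverName   = 'PLACEHOLDER Label Printer Driver'          # placeholder; must match the model name in the INF
)

$ErrorActionPreference = 'Stop'
# Assumed log location: the Intune Management Extension log folder, so the
# file is picked up by "Collect diagnostics" from the Intune portal.
$log = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\PrintDriverPrestage.log'

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $log -Value $line
    Write-Output $line
}

$inf = Join-Path $DriverFolder $InfName
if (-not (Test-Path $inf)) {
    Write-Log "INF not found: $inf"
    exit 1
}

# 1. Stage the driver package in the driver store. Running as SYSTEM means
#    RestrictDriverInstallationToAdministrators does not block this step;
#    an unsigned package is still rejected here, which is exactly the point.
Write-Log "Staging $inf into the driver store"
$pnp = Start-Process -FilePath 'pnputil.exe' -ArgumentList "/add-driver `"$inf`"" -Wait -PassThru -NoNewWindow
# 0 = success, 3010 = success but reboot required (assumed acceptable here)
if ($pnp.ExitCode -notin @(0, 3010)) {
    Write-Log "pnputil failed with exit code $($pnp.ExitCode)"
    exit $pnp.ExitCode
}

# 2. Register the driver with the spooler from the (now trusted) driver store.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    Write-Log "Adding printer driver '$DriverName'"
    Add-PrinterDriver -Name $DriverName
}
else {
    Write-Log "Printer driver '$DriverName' already registered"
}

# 3. Optional: create the queue too, so the user never interacts with the
#    driver install path at all. 'USB001' is a placeholder port name; a
#    network printer would need Add-PrinterPort first.
# Add-Printer -Name 'Warehouse Label Printer' -DriverName $DriverName -PortName 'USB001'

Write-Log "Driver '$DriverName' pre-staged"
exit 0
```

Pair it with a Win32 detection rule that checks for the driver name (a script running Get-PrinterDriver -Name, or the driver's file under the driver store), so Intune reports the app as installed only once the spooler actually knows the driver. The script deliberately does not touch the Point and Print values: it works with the hardening, not around it.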
Reversibility, read this twice. Almost every setting in this policy writes under HKLM\Software\Policies\Microsoft\Windows NT\Printers\… or the equivalent CSP surface, and those values tattoo. Excluding a device from this profile does not roll them back. It just stops further enforcement. A device that previously received the policy stays hardened until something explicitly resets the values.
That's why this policy ships with a paired counter-policy: CP - Security - Print Spooler Hardening - Exemption. Assign that one to the exemption group and it explicitly resets every value back to its pre-policy default. Exclusion alone is not enough.
"Accept client connections = Disabled" gotcha. This setting stops the device from acting as a print server. Fine on laptops. Not fine on a Windows machine that intentionally shares a printer for a small office (you see this in tiny MKB setups where the shop-floor PC shares a label printer over the network). Carve those out with the exception group.
SuperVision tip
This is a baseline policy. Goes in the Golden Master under Windows → Security → Configuration Profiles, assigned to All Devices with the standard Autopilot carve-outs.
No tag candidates here. The values are not customer-preference settings. They're "yes you want this on" or "no you have a specific reason not to." Don't tag-ify hardening switches. That's how baselines get watered down one override at a time.
Exception group is mandatory. Create Group - Print Spooler Hardening Exemption for the genuine edge cases:
- The one workstation in the warehouse that shares a Zebra label printer to four other devices over SMB
- Dev workstations that need to test print driver installs
- The customer with a stubborn LOB app that ships its own driver and refuses to be Win32-packaged
Membership in this group should require a written justification, same energy as the Screen Lock Disabled exception. Review quarterly. "Temporary" exceptions have a habit of celebrating their fifth birthday.
Drift detection. Worth watching. The settings most likely to drift are the Point and Print elevation prompts. Some helpdesk scripts and vendor installers will try to flip them back to "do not show warning" during driver installs. Config Refresh and SuperVision drift detection will catch that within the refresh window. If you see the same device drifting weekly, that's not drift. That's a vendor installer fighting your policy, and you need to repackage the install.
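To make both the configuration table and the drift-detection point concrete, here is an added example (not SuperVision's code and not part of the original page): an Intune-remediation-style detection script that reads the live policy registry values and reports which rows of the table have drifted. The registry value names and expected data are my own mapping of the ADMX settings to their policy values under the HKLM\Software\Policies\Microsoft\Windows NT\Printers key named above; confirm them against the ADMX/CSP documentation in your tenant before relying on the exit code. The RPC listener/connection protocol and authentication settings are left out because their value encoding is not stated on this page.

```powershell
# Added example, not from the policy page or SuperVision: detection script
# that compares live registry values against the spooler hardening baseline.
# Exit 0 = baseline present, exit 1 = drift detected (the exit-code
# convention Intune remediations use for detection scripts).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Expected baseline. Key is the subkey relative to $PolicyRoot ('' = the root
# key itself). The value names and expected data are an assumed mapping of the
# ADMX settings; verify against your tenant's ADMX before trusting them.
$Baseline = @(
    @{ Key = 'PointAndPrint'; Name = 'Restricted';                                 Expected = 1; Setting = 'Point and Print Restrictions = Enabled' }
    @{ Key = 'PointAndPrint'; Name = 'NoWarningNoElevationOnInstall';              Expected = 0; Setting = 'New connection: show warning and elevation prompt' }
    @{ Key = 'PointAndPrint'; Name = 'UpdatePromptSettings';                       Expected = 0; Setting = 'Driver update: show warning and elevation prompt' }
    @{ Key = 'PointAndPrint'; Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1; Setting = 'Restrict driver installation to administrators' }
    @{ Key = 'PointAndPrint'; Name = 'PackagePointAndPrintOnly';                   Expected = 1; Setting = 'Only use Package Point and Print' }
    @{ Key = 'PointAndPrint'; Name = 'PackagePointAndPrintServerList';             Expected = 1; Setting = 'Approved servers list enabled' }
    @{ Key = 'RPC';           Name = 'RpcUseNamedPipeProtocol';                    Expected = 0; Setting = 'RPC over named pipes = Disabled' }
    @{ Key = '';              Name = 'RegisterSpoolerRemoteRpcEndPoint';           Expected = 2; Setting = 'Accept client connections = Disabled' }
    @{ Key = '';              Name = 'CopyFilesPolicy';                            Expected = 1; Setting = 'Queue-specific files limited to color profiles' }
)

function Get-SpoolerPolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = if ($SubKey) { Join-Path $PolicyRoot $SubKey } else { $PolicyRoot }
    # A missing key or value means "not configured". For a tattooing policy
    # that is the interesting case: the device never received the value, or
    # something (vendor installer, helpdesk script, the counter-policy) removed it.
    try {
        (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name
    }
    catch {
        $null
    }
}

function Test-SpoolerHardening {
    foreach ($item in $Baseline) {
        $actual = Get-SpoolerPolicyValue -SubKey $item.Key -Name $item.Name
        [pscustomobject]@{
            Setting   = $item.Setting
            Value     = $item.Name
            Expected  = $item.Expected
            Actual    = $actual
            Compliant = ($actual -eq $item.Expected)
        }
    }
}

$report  = Test-SpoolerHardening
$drifted = @($report | Where-Object { -not $_.Compliant })

if ($drifted.Count -gt 0) {
    # This output ends up in the remediation's "pre-remediation detection output"
    # column, which is where you spot the same device drifting week after week.
    foreach ($d in $drifted) {
        "DRIFT: $($d.Setting) [$($d.Value)] expected $($d.Expected), found '$($d.Actual)'"
    }
    exit 1
}

"Print Spooler hardening baseline present on $env:COMPUTERNAME"
exit 0
```

The Point and Print rows are the ones to watch in the output: a device that flips NoWarningNoElevationOnInstall or UpdatePromptSettings back to 1 on a schedule is almost always a driver installer rewriting them, and the fix is repackaging that installer rather than tightening the refresh interval.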
Multi-tenant scaling. This policy is identical across every customer. No variants, no per-customer fields, no tags. Exactly what you want in a Golden Master. One definition, deployed everywhere. The only variable is who's in the exemption group per tenant.
Group Assignments
Included groups:
- All Devices
Excluded groups:
- Group - Autopilot Devices - IoT
- Group - Autopilot Devices - Kiosk
- Group - Autopilot Devices - W365 Boot
- Group - Print Spooler Hardening Exemption
Why? Kiosks, IoT and W365 Boot devices live in their own little ecosystems. They either don't print, don't have users, or don't share their session in any way that makes spooler hardening meaningful. The Print Spooler Hardening Exemption group is for the documented edge cases (see the SuperVision tip).
Everyone else gets the policy. No negotiation. Printing still works. Driver-based remote code execution does not.
Tags
Group - Print Spooler Hardening Exemption
Standardize like a pro. Configure with intent. And remember: the goal isn't to stop people from printing. It's to stop the spooler from printing shells.