Key Takeaways:
- Print Spooler Redirection Guard Options Policy
- Prevents “untrusted” (non-administrator created) file system
- Malicious redirection of print jobs
- Reducing attack surfaces in enterprise environments
Let’s discuss Enable Print Spooler Redirection Guard Option using Intune. This policy setting determines whether Redirection Guard is enabled for the print spooler. Redirection Guard can prevent file redirections from being used within the print spooler.
Table of Contents
Table of Contents
Enable Print Spooler Redirection Guard Option using Intune
The Intune policy setting “Configure Redirection Guard: Redirection Guard Options” is a critical security control designed to mitigate a specific class of local privilege escalation (LPE) vulnerabilities related to the Windows Print Spooler and file system junctions.
- Policy to Turn Off Downloading of Print Drivers Over HTTP using Intune
- Enable Disable Device Control Printing Restrictions Policy using Intune
- How to Enable Windows Protected Print to Eliminate Print Vulnerabilities using Intune
Configure Policy from Intune Portal
This policy setting Enable Print Spooler Redirection Guard Option. Sign in to the Microsoft Intune Portal with Credentials. Navigate to Devices > Configuration > + Create > New Policy.
Profile Choosing Step
After that you can choose appropriate platform and profile type. This is necessary step for policy creation and you cannot change profile and platform after creating profile. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Begin Policy with Basic Tab
Basic Tab is the first tab that helps users to give identity for policy. For this you can add Name and description for the settings you want to select for policy creation. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configure Print Spooler Policy
After that you will get Configuration settings tab which helps you to access specific settings. To get the settings click on the +Add settings hyperlink and select specific settings from Settings Picker. Here, I would like to select the settings by browsing by Category. I choose Administrative Templates\Printers\Configure Redirection Guard: Redirection Guard Options.
Disable Print Spooler Redirection Guard Option
Some very old enterprise printing software or custom document management systems might use directory junctions to move print jobs between folders. Enabling this would cause those print jobs to fail.
Enable Print Spooler Redirection Guard Option
The Windows Print Spooler (spoolsv.exe) has been a frequent target for hackers. This policy adds a “Secure-by-Design” layer that doesn’t rely on constant patching of individual CVEs.
Adding Scope Tags
Scope Tag is not a mandatory step for policy creation. But you can add Scope tags for visibility restrictions. Here, I don’t add scope tags for Enterprise IP Range Policy. Click on the Next button.
Selecting Group from the Assignment Tab
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Finalize Policy
This is the Fina step for policy creation. You can review all the details on this tab and avoid misconfiguration. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Device Check-in Status
Device Check-in Status Page shows if the Policy is succeeded or Not. Before checking this, you can sync the device on Company Portal for Faster policy deployment. Then Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer
Event Viewer helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
| Event ID Details |
|---|
| MDM PolicyManager: Set policy string, Policy: (ConfigureRedirectionGuardPolicy), Area: (Printers), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0). |
Removing the Assigned Group from Print Spooler Redirection Guard Policy Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to WPrint Spooler Redirection Guard Policy
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community and the WhatsApp channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for consecutive 11+ years! He is a blogger, Speaker, and Founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune, Windows, and Cloud PC. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, and Microsoft Security.