Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy

Key Takeaways:

  • Limits the spooler’s ability to execute or copy files
  • Ensures that only authorized print queues and files are accessible
  • Admins can configure and deploy this policy through Intune
  • Protects against data leakage in shared environments

Let’s discuss how to manage extra files downloaded when connecting to a shared printer using Intune policy. This policy controls whether the Print Spooler service will process “Queue-specific” files. These are additional files (like configuration files or custom DLLs) that a printer driver tries to install or execute when a print queue is created.


Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy

This policy was introduced and popularized as a direct response to the PrintNightmare vulnerabilities (such as CVE-2021-34527), which allowed attackers to gain SYSTEM-level privileges by exploiting how the Print Spooler handled printer driver files.

By enabling this, you close a major “hole” in the Print Spooler. It prevents “Point and Print” attacks where a user connecting to a malicious print server could unknowingly download and execute malware with admin rights.

Example Scenario

For example, a bank manages thousands of Windows 11 laptops via Intune. Because they handle sensitive data, they cannot risk a PrintNightmare-style exploit. With this policy enabled, if a rogue employee sets up a “fake” printer on the network to try to trick other laptops into downloading a malicious file, the Intune policy blocks the spooler from processing that file. The attack fails.


How to Start Policy Creation

As an admin, you can quickly configure this policy in your organisation. To start the policy creation, open the Microsoft Intune admin center. Then go to Devices > Configuration > + Create > + New Policy.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.1

Profile Creation

Profile creation is the step where you assign the policy to the appropriate platform and profile type. Here I configure the policy for the Windows 10 and later platform with the Settings catalog profile type. Then click on the Create button.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.2

Adding Basic Details

Naming the policy is the first step, and it helps admins identify the policy later. A clear name also tells you the purpose of the policy. Here, Name is mandatory and Description is optional. After adding these, click on the Next button.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.3

Configure Queue Specific Files Policy

The Settings Picker is opened from the Configuration Settings tab. On this tab, click on the +Add Settings hyperlink to get the Settings Picker. The Settings Picker shows a huge number of settings. Here, I would like to select the settings by browsing by Category. I choose System. Then, I choose Administrative Templates\Printers\Manage processing of Queue-specific files: Manage processing of Queue-specific files.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy – Fig.4

Disable Queue Specific Files Policy

If you disable or don’t configure this policy setting, the default behavior is “Limit Queue-specific files to Color profiles”. Click on the Next button to continue.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.5

Enable Queue Specific Files Policy

You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the “Manage processing of Queue-specific files” box.

Values

  • “Do not allow Queue-specific files” specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation.
  • “Limit Queue-specific files to Color profiles” specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. “Limit Queue-specific files to Color profiles” is the default behavior.
  • “Allow all Queue-specific files” specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy – Table.1
Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.6
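
To check which option is in effect on a machine and which print queues carry entries outside the color profile scheme described above, here is a PowerShell audit added as an example (it is not part of the original post). It assumes the setting is stored as the CopyFilesPolicy DWORD under the Printers policy key with 0, 1 and 2 matching the three options in the order listed, and that queue-specific entries sit under each queue's CopyFiles registry key; the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated on a client or print server.
# Assumption: the policy is the DWORD CopyFilesPolicy under the Printers policy key,
# with 0/1/2 matching the three options in the order listed above.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = @{
    0 = 'Do not allow Queue-specific files'
    1 = 'Limit Queue-specific files to Color profiles'
    2 = 'Allow all Queue-specific files'
}

function Get-CopyFilesPolicy {
    $v = (Get-ItemProperty -LiteralPath $policyKey -Name CopyFilesPolicy -ErrorAction SilentlyContinue).CopyFilesPolicy
    if ($null -eq $v) { return 'Not configured (default: Limit Queue-specific files to Color profiles)' }
    if ($policyName.ContainsKey([int]$v)) { return $policyName[[int]$v] }
    "Unknown value $v"
}

# Assumption: queue-specific entries are stored per queue under <queue>\CopyFiles\<entry>.
function Get-QueueCopyFiles {
    $printersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    foreach ($queue in Get-ChildItem -LiteralPath $printersKey -ErrorAction SilentlyContinue) {
        $copyFiles = Join-Path $queue.PSPath 'CopyFiles'
        if (-not (Test-Path -LiteralPath $copyFiles)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $copyFiles) {
            $p = Get-ItemProperty -LiteralPath $entry.PSPath
            $module = [System.IO.Path]::GetFileName("$($p.Module)")
            [pscustomobject]@{
                Queue     = $queue.PSChildName
                Entry     = $entry.PSChildName
                Directory = $p.Directory
                Module    = $p.Module
                Files     = $p.Files -join ', '
                # Color profile scheme as described above: CopyFiles\ICM, COLOR, mscms.dll
                ColorProfileScheme = ($entry.PSChildName -eq 'ICM') -and
                                     ($p.Directory -eq 'COLOR') -and
                                     ($module -eq 'mscms.dll')
            }
        }
    }
}

"Effective policy: $(Get-CopyFilesPolicy)"
# Entries with ColorProfileScheme = False are only processed under "Allow all".
Get-QueueCopyFiles | Sort-Object ColorProfileScheme | Format-Table -AutoSize
```

Running it on a print server before tightening the policy shows which queues would lose files under “Do not allow” or the default “Limit” option.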

Scope Tags

With scope tags, you can restrict the visibility of the policy. They help to organise resources as well. Here, I would like to skip this section, because it is not mandatory. Click on the Next button.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.7

Assignments Tab for Selecting Group

To assign the policy to specific groups, you can use the Assignments tab. Here, I click the +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.8

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.9

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the assigned device from the Company Portal. Then open the Intune Portal, go to Devices > Configuration and search for the policy. Here, the policy shows as successful.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.10

Event Viewer Details

Event Viewer helps you check the client side and verify the policy status. On the client device, go to Start > Event Viewer. In the left pane, navigate to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

MDM PolicyManager: Set policy string, Policy: (ConfigureCopyFilesPolicy), Area: (Printers), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.11
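
The same client-side check can be scripted instead of browsing Event Viewer. The PowerShell below is an added example, not part of the original post: it reads the MDM Admin log named above and splits each matching message into its fields. The function name is hypothetical, and the sample string is the message shown in this post.

```powershell
# Added example (not from the original post).
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertFrom-PolicyManagerMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Fields appear as "Name: (value)", separated by commas and sometimes line breaks.
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Message, '([A-Za-z][A-Za-z ]*?):\s*\(([^)]*)\)')) {
        $fields[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

# Sample input: the message shown in this post, so the parser can be tried offline.
$sample = 'MDM PolicyManager: Set policy string, Policy: (ConfigureCopyFilesPolicy), ' +
          'Area: (Printers), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), ' +
          'Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).'
ConvertFrom-PolicyManagerMessage $sample | Format-List

# On an enrolled client: the newest events that mention this policy.
Get-WinEvent -LogName $logName -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ConfigureCopyFilesPolicy' } |
    Select-Object -First 5 |
    ForEach-Object {
        ConvertFrom-PolicyManagerMessage $_.Message |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    }
```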

Removing the Assigned Group from Queue Specific Files Settings

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. To do this, open the policy in the Intune Portal, edit the Assignments tab, and then remove the assigned group.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.12

How to Delete Queue Specific Files

You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.13

Windows CSP Details

Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

Manage Extra Files Downloaded when Connecting to a Shared Printer using Intune Policy - Fig.14


Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
