CSP Printers - new policy updates

2025-05-12 05:17:22 +00:00 · 2022-09-01 13:23:28 +05:30 · 2022-09-01 13:23:28 +05:30 · 15ab47172e
commit 15ab47172e
parent 595774fc7f
2 changed files with 614 additions and 128 deletions
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -7895,6 +7895,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
 ### Printers policies
 <dl>
  <dd>
    <a href="./policy-csp-printers.md#printers-approvedusbprintdevices" id="printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-approvedusbprintdevicesuser" id="printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurecopyfilespolicy" id="printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configuredrivervalidationlevel" id="printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configureipppagecountspolicy" id="printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configureredirectionguard" id="printers-configureredirectionguard">Printers/ConfigureRedirectionGuard</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpcconnectionpolicy" id="printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpclistenerpolicy" id="printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpctcpport" id="printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-enabledevicecontrol" id="printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-enabledevicecontroluser" id="printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-managedriverexclusionlist" id="printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-pointandprintrestrictions" id="printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
  </dd>
@ -7904,6 +7940,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-printers.md#printers-publishprinters" id="printers-publishprinters">Printers/PublishPrinters</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-restrictdriverinstallationtoadministrators" id="printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
  </dd>
 </dl>
 ### Privacy policies
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@ -27,12 +27,36 @@ manager: aaroncz
  <dd>
    <a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
  </dd>
  <dd>
    <a href="#printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
  </dd>
  <dd>
    <a href="#printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configureredirectionguard">Printers/ConfigureRedirectionGuard</a>
  </dd>
  <dd>
    <a href="#printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
  </dd>
  <dd>
    <a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
  </dd>
  <dd>
    <a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
  </dd>
  <dd>
    <a href="#printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
  </dd>
  <dd>
    <a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
  </dd>
@ -42,6 +66,9 @@ manager: aaroncz
  <dd>
    <a href="#printers-publishprinters">Printers/PublishPrinters</a>
  </dd>
  <dd>
    <a href="#printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
  </dd>
 </dl>
 > [!TIP]
@ -57,38 +84,14 @@ manager: aaroncz
 <a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -129,38 +132,14 @@ ADMX Info:
 <a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -194,42 +173,423 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurecopyfilespolicy"></a>**Printers/ConfigureCopyFilesPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to `SyncCopyFilestoColorFolderOnly` as the value and process the CopyFiles entries as appropriate.
 If the policy object is Enabled, the code will read the `DWORD `value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD. Defaults to 1.
 - 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
 - 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
 - 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage processing of Queue-specific files*
 -   GP name: *ConfigureCopyFilesPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configuredrivervalidationlevel"></a>**Printers/ConfigureDriverValidationLevel**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to `DriverValidationLevel_Legacy` as the value and process the print driver digital signatures as appropriate.
 If the policy object is Enabled, the code will read the `DWORD`value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD. Defaults to 4.
 - 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
 - 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
 - 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
 - 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
 - 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage processing of Queue-specific files*
 -   GP name: *ConfigureDriverValidationLevel*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configureipppagecountspolicy"></a>**Printers/ConfigureIppPageCountsPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
 If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
 The following are the supported values:
 AlwaysSendIppPageCounts: DWORD. Defaults to 0.
 - 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
 - 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Always send job page count information for IPP printers*
 -   GP name: *ConfigureIppPageCountsPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configureredirectionguard"></a>**Printers/ConfigureRedirectionGuard**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
 If the policy object is Enabled, the code will read the DWORD value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD, defaults to 1.
 - 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
 - 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
 - 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.  
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Redirection Guard*
 -   GP name: *ConfigureRedirectionGuardPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpcconnectionpolicy"></a>**Printers/ConfigureRpcConnectionPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
 There are 2 values which can be configured:
 - RpcUseNamedPipeProtocol DWORD
     - 0: RpcOverTcp (default)
     - 1: RpcOverNamedPipes
 - RpcAuthentication DWORD
     - 0: RpcConnectionAuthenticationDefault (default)
     - 1: RpcConnectionAuthenticationEnabled
     - 2: RpcConnectionAuthenticationDisabled
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
 If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
 The following are the supported values:
 - Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
 - Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC connection settings*
 -   GP name: *ConfigureRpcConnectionPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpclistenerpolicy"></a>**Printers/ConfigureRpcListenerPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
 There are 2 values which can be configured:
 - RpcProtocols DWORD
     - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
     - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
     - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
 - ForceKerberosForRpc DWORD
     - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
     - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
 If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
 The following are the supported values:
 - Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
 - Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC listener settings*
 -   GP name: *ConfigureRpcListenerPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpctcpport"></a>**Printers/ConfigureRpcTcpPort**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage a new DWORD Value added under the  the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
 - RpcTcpPort DWORD
     - 0: Use dynamic TCP ports for RPC over TCP (default).
     - 1-65535: Use the given port for RPC over TCP.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
 If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
 The following are the supported values:
 - Not configured  or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
 - Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC over TCP port*
 -   GP name: *ConfigureRpcTcpPort*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -274,38 +634,14 @@ ADMX Info:
 <a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -345,6 +681,62 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="printers-managedriverexclusionlist"></a>**Printers/ManageDriverExclusionList**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
 If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
 The following are the supported values:
 Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
 Type: REG_SZ
 Value Name: Hash of excluded file
 Value Data: Name of excluded file
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage processing of Queue-specific files*
 -   GP name: *ManageDriverExclusionList*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**  
@ -548,6 +940,61 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-restrictdriverinstallationtoadministrators"></a>**Printers/RestrictDriverInstallationToAdministrators**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users. 
 This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
 The default value of the policy will be Unconfigured.
 If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
 If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
 The following are the supported values:
 - Not configured or Enabled - Only administrators can install print drivers on the computer.
 - Disabled - Standard users are allowed to install print drivers on the computer.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Restrict installation of print drivers to Administrators*
 -   GP name: *RestrictDriverInstallationToAdministrators*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--/Policies-->
 ## Related topics