Manage Print Driver signature validation

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box. If you disable or do not configure this policy setting, the default method is "Allow all validly signed drivers". -- "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer. -- "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. -- "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). -- "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. -- "Allow all validly signed drivers" specfies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location. The 'Trusted Publishers' certificate store can contain certificates from sources that are not related to print drivers.

No explicit registry values are set for enabled or disabled states.

• Computer
  Activate Internet printing

  Windows 2000 only
• Computer
  Add Printer wizard - Network scan page (Managed network)

  At least Windows Vista
• Computer
  Add Printer wizard - Network scan page (Unmanaged network)

  At least Windows Vista
• Computer
  Allow job name in event logs

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Allow Print Spooler to accept client connections

  At least Windows Server 2003
• Computer
  Allow printers to be published

  At least Windows 2000
• Computer
  Allow pruning of published printers

  At least Windows 2000
• Computer
  Always rasterize content to be printed using a software rasterizer

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Always render print jobs on the server

  At least Windows Vista
• Computer
  Always send job page count information for IPP printers

  At least Windows Server 2016, Windows 10
• Computer
  Automatically publish new printers in Active Directory

  Windows Server 2003, Windows XP, and Windows 2000 only
• Computer
  Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)

  At least Windows Server 2012, Windows 8 or Windows RT