Policy
Set TLS/SSL security policy for IPP printers
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows11
Determines the TLS/SSL security policy (WINHTTP_OPTION_SECURITY_FLAGS) for printers using the Microsoft IPP Class Driver. By default, the security policy is set to ignore all certificate errors, which allows the use of self-signed certificates for printers. If you enable this setting, the system defaults to enabling all certificate checking and disallows certificate errors. Specific certificate checks can be set with the given checkboxes. If you disable this setting or do not configure it, the default is to ignore all certificate errors (all checkboxes unchecked).
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Disallow invalid certificate authority (ID: SecurityFlagsBlockUnknownCA) | boolean | HKLM\Software\Policies\Microsoft\Windows NT\Printers\IPP\SecurityFlagsBlockUnknownCA (Type: REG_DWORD) | Options: true (1), false (0). True: Set value = 1 · False: Set value = 0 |
| Disallow non-server certificates (ID: SecurityFlagsBlockCertWrongUsage) | boolean | HKLM\Software\Policies\Microsoft\Windows NT\Printers\IPP\SecurityFlagsBlockCertWrongUsage (Type: REG_DWORD) | Options: true (1), false (0). True: Set value = 1 · False: Set value = 0 |
| Disallow invalid certificate common name (ID: SecurityFlagsBlockCertCNInvalid) | boolean | HKLM\Software\Policies\Microsoft\Windows NT\Printers\IPP\SecurityFlagsBlockCertCNInvalid (Type: REG_DWORD) | Options: true (1), false (0). True: Set value = 1 · False: Set value = 0 |
| Disallow invalid certificate date (ID: SecurityFlagsBlockCertDateInvalid) | boolean | HKLM\Software\Policies\Microsoft\Windows NT\Printers\IPP\SecurityFlagsBlockCertDateInvalid (Type: REG_DWORD) | Options: true (1), false (0). True: Set value = 1 · False: Set value = 0 |
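
An added audit example, not part of the original policy page or of any Microsoft tooling: a PowerShell function that reads the four registry values from the table above and reports which certificate checks are enforced for IPP printers. The function name Get-IppTlsPolicyState and the state labels are illustrative assumptions; a missing key or value is reported as NotSet, meaning the policy has not written it.

```powershell
# Added example (not from the policy page): audit the IPP TLS/SSL policy values.
# Key path and value names are taken from the policy elements table.
$key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\IPP'

# Registry value name -> certificate check it controls
$checks = [ordered]@{
    SecurityFlagsBlockUnknownCA       = 'Disallow invalid certificate authority'
    SecurityFlagsBlockCertWrongUsage  = 'Disallow non-server certificates'
    SecurityFlagsBlockCertCNInvalid   = 'Disallow invalid certificate common name'
    SecurityFlagsBlockCertDateInvalid = 'Disallow invalid certificate date'
}

# Hypothetical helper name; returns one object per certificate check.
function Get-IppTlsPolicyState {
    param([string]$Path = $key)

    # $props stays $null when the key does not exist
    # (policy disabled or not configured).
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue

    foreach ($name in $checks.Keys) {
        $raw = if ($props) { $props.$name } else { $null }
        $state = if ($null -eq $raw) { 'NotSet' }
            elseif ($raw -eq 1) { 'Enforced' }
            elseif ($raw -eq 0) { 'Ignored' }
            else { "Unexpected($raw)" }

        [pscustomobject]@{
            Check = $checks[$name]
            Value = $name
            Raw   = $raw
            State = $state
        }
    }
}

$report = Get-IppTlsPolicyState
$report | Format-Table -AutoSize

# Anything other than 1 means that class of certificate error is not blocked.
$weak = @($report | Where-Object State -ne 'Enforced')
if ($weak.Count -gt 0) {
    Write-Warning ('{0} of {1} certificate checks are not enforced for IPP printers.' -f $weak.Count, $checks.Count)
}
```

Reading HKLM policy keys does not require elevation, so this can run as a standard user in a compliance check.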
Other policies in this category
Explore related policies at the same level.
- Computer | Activate Internet printing | Windows 2000 only
- Computer | Add Printer wizard - Network scan page (Managed network) | At least Windows Vista
- Computer | Add Printer wizard - Network scan page (Unmanaged network) | At least Windows Vista
- Computer | Allow job name in event logs | At least Windows Server 2012, Windows 8 or Windows RT
- Computer | Allow Print Spooler to accept client connections | At least Windows Server 2003
- Computer | Allow printers to be published | At least Windows 2000
- Computer | Allow pruning of published printers | At least Windows 2000
- Computer | Always rasterize content to be printed using a software rasterizer | At least Windows Server 2012, Windows 8 or Windows RT
- Computer | Always render print jobs on the server | At least Windows Vista
- Computer | Always send job page count information for IPP printers | At least Windows Server 2016, Windows 10
- Computer | Automatically publish new printers in Active Directory | Windows Server 2003, Windows XP, and Windows 2000 only
- Computer | Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) | At least Windows Server 2012, Windows 8 or Windows RT