How to Enable Print Spooler Redirection Guard Using Microsoft Intune

Start by logging into the Microsoft Intune admin center and navigating to the configuration profiles section where you'll create a new policy.

Open your web browser and navigate to https://endpoint.microsoft.com. Sign in with your administrator credentials that have Intune permissions.

Once logged in, follow this navigation path:

1. Click Devices in the left navigation pane
2. Select Configuration profiles
3. Click Create profile button

In the profile creation wizard, configure the basic settings:

• Platform: Select "Windows 10 and later"
• Profile type: Choose "Settings catalog"
• Click Create

Set up the profile name, description, and basic metadata that will help you identify and manage this policy in your Intune environment.

In the Basics tab of the profile creation wizard, enter the following information:

Name: CIS 4.7.2 - Print Spooler Redirection Guard
Description: Enable Print Spooler Redirection Guard (CIS Level 1 Benchmark 4.7.2) - Prevents file redirection attacks in spooler process and reduces attack surface

This naming convention follows CIS benchmark standards and clearly identifies the security control being implemented. The description provides context for other administrators who might review this policy later.

Click Next to proceed to the configuration settings section.

Now you'll add the specific Print Spooler Redirection Guard setting from Microsoft's comprehensive settings catalog.

In the Configuration settings tab, click the Add settings button. This opens the settings picker where you can search for specific policies.

In the search box, type Redirection Guard and press Enter. You should see the following setting appear:

Category: Printers
Setting Name: Configure Redirection Guard: Redirection Guard Options
Path: ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardRedirectionGuardOptions

Select this setting by checking the box next to it, then click Add. The setting will now appear in your configuration list.

Configure the setting value:

• Configure Redirection Guard: Redirection Guard Options: Set to Enabled: Redirection Guard Enabled
• This corresponds to integer value 1 in the underlying registry

Define which devices and users will receive this Print Spooler Redirection Guard policy through strategic group assignments.

Click Next to reach the Assignments tab. Here you'll specify which devices should receive this security policy.

For enterprise-wide deployment, configure assignments as follows:

1. Click Add group under "Included groups"
2. Select All devices or create a specific device group like "Windows 11 Enterprise Devices"
3. Choose Assignment type: Required (this ensures the policy is enforced)

For phased deployment approach:

Phase 1: Pilot Group (10-50 devices)
Phase 2: Department Groups (IT, Security teams)
Phase 3: All Enterprise Devices

If you need to exclude specific devices (like print servers or legacy systems), use the "Excluded groups" section:

1. Click Add group under "Excluded groups"
2. Select groups containing devices that should not receive this policy

Configure applicability rules to ensure the policy only applies to compatible Windows versions that support Print Spooler Redirection Guard.

Click Next to access the Applicability Rules tab. This step is crucial because the Redirection Guard feature requires specific Windows versions.

Create a new applicability rule:

1. Click Add rule
2. Configure the rule parameters:

Rule: Device
Property: OS version
Operator: Greater than or equal to
Value: 10.0.22621 (Windows 11 22H2)

For organizations with mixed Windows 10/11 environments, add an additional rule:

Rule: Device
Property: OS version
Operator: Greater than or equal to
Value: 10.0.19044 (Windows 10 22H2)

Use OR logic between these rules to support both operating systems.

The rule ensures that only devices running Windows 11 22H2+ or Windows 10 22H2+ will receive this policy, preventing errors on older systems that don't support the CSP.

Complete the policy creation process by reviewing all settings and deploying the Print Spooler Redirection Guard configuration to your target devices.

Click Next to reach the Review + create tab. This final step allows you to verify all configuration details before deployment.

Review the following key elements:

• Profile name: CIS 4.7.2 - Print Spooler Redirection Guard
• Settings: Configure Redirection Guard = Enabled
• Assignments: Verify correct device groups
• Applicability: Windows version rules are properly set

Once you've confirmed all settings are correct, click Create to deploy the policy.

The policy will now begin deploying to assigned devices. Initial deployment typically takes 15-30 minutes, but can take up to 8 hours for all devices to receive and apply the policy.

Track the deployment progress and verify that devices are successfully receiving and applying the Print Spooler Redirection Guard policy.

Navigate to your newly created policy in the Intune admin center:

1. Go to Devices → Configuration profiles
2. Click on your "CIS 4.7.2 - Print Spooler Redirection Guard" policy
3. Review the Overview dashboard

The overview provides key deployment metrics:

Device status:
- Succeeded: Devices that successfully applied the policy
- Error: Devices that encountered errors
- Conflict: Devices with conflicting policies
- Not applicable: Devices that don't meet applicability rules

For detailed troubleshooting, click on Device status to see individual device results. Common status indicators include:

• Success: Policy applied correctly
• Pending: Device hasn't checked in yet (normal for up to 8 hours)
• Error: Check device logs or applicability rules

Confirm that the Print Spooler Redirection Guard policy has been successfully applied on individual Windows devices using PowerShell verification commands.

Connect to a target device (via RDP, local access, or remote PowerShell) and open an elevated PowerShell session. Run the following commands to verify policy application:

Check Registry Value (Applied State):

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Printers" -Name "ConfigureRedirectionGuardRedirectionGuardOptions" -ErrorAction SilentlyContinue

Expected output should show:

ConfigureRedirectionGuardRedirectionGuardOptions : 1

Check Effective Policy State:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RedirectionguardPolicy" -ErrorAction SilentlyContinue

Verify Print Spooler Service Status:

Get-Service -Name "Spooler" | Select-Object Name, Status, StartType

Check Event Logs for Redirection Guard Activity:

Get-WinEvent -LogName "Microsoft-Windows-PrintService/Operational" -MaxEvents 10 | Where-Object {$_.Id -eq 316} | Select-Object TimeCreated, Id, LevelDisplayName, Message

Perform comprehensive testing to ensure that normal printing operations work correctly while malicious file redirection attempts are properly blocked.

Test Normal Printing Operations:

1. Print a test document to a network printer
2. Print to a local USB printer
3. Test print preview and print queue operations
4. Verify PDF printing and XPS document writer functionality

Test Remote Desktop Printing (if applicable):

# Check RDP printer redirection status
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableCpm" -ErrorAction SilentlyContinue

Simulate Security Test (Advanced Users Only):

The Redirection Guard specifically prevents non-administrative processes from redirecting files through the print spooler. This test should only be performed in isolated test environments:

# Check if redirection attempts are logged
Get-WinEvent -LogName "Microsoft-Windows-PrintService/Operational" -FilterHashtable @{ID=316} -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap

Document Test Results:

• Normal printing: ✓ Working
• Network printers: ✓ Accessible
• Print queues: ✓ Functional
• Security controls: ✓ Active (no redirection events)