Enable Print Spooler Redirection Guard Using Intune

Overview

The Print Spooler Redirection Guard policy is a security control in Microsoft Intune that mitigates local privilege escalation (LPE) vulnerabilities in the Windows Print Spooler service (spoolsv.exe). By blocking untrusted file system redirections within the spooler, this policy reduces the attack surface without relying on repeated CVE-by-CVE patching.

In this article, you’ll configure the Configure Redirection Guard: Redirection Guard Options setting via the Intune Settings Catalog and deploy it to a device group.

⚠️ Important
Enabling this policy may break legacy enterprise printing software or custom document management systems that use directory junctions to route print jobs between folders. Test in a pilot group before broad deployment.

Prerequisites

  • Microsoft Intune license (P1 or P2)
  • Devices running Windows 10 or later, enrolled in Intune
  • Intune Administrator or Policy and Profile Manager role
  • A target Azure AD / Entra ID device group

What Is Redirection Guard?

Redirection Guard is a “secure-by-design” feature in Windows that prevents the Print Spooler from following file system junctions, symbolic links, or other redirections created by non-administrator processes. This directly addresses a class of privilege escalation exploits that abuse the spooler’s SYSTEM-level context to write files to arbitrary locations via redirected paths.

Setting Value    | Behaviour                                                 | Recommended For
-----------------|-----------------------------------------------------------|----------------------------------------------
Enabled          | Blocks untrusted file system redirections in the spooler  | Most enterprise environments
Disabled         | Allows all redirections (legacy behaviour)                | Environments with legacy print workflows only
Not Configured   | System default; no policy enforced                        | Not recommended for managed devices

Step 1 — Create a New Configuration Policy

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Configuration > + Create > New Policy.
  3. On the Create a profile pane, set:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  4. Click Create.

Step 2 — Name the Policy

  1. On the Basics tab, enter a descriptive Name — for example, WIN-SEC-PrintSpoolerRedirectionGuard.
  2. Optionally add a Description explaining the security intent.
  3. Click Next.
💡 Tip
Use a consistent naming convention (e.g., WIN-SEC- prefix for Windows security policies) to make policies easier to filter and audit in large environments.

Step 3 — Add the Setting

  1. On the Configuration settings tab, click + Add settings.
  2. In the Settings picker, browse to:
    Administrative Templates > Printers
  3. Select Configure Redirection Guard: Redirection Guard Options.
  4. Close the picker. The setting now appears in the configuration list.
  5. Set the toggle to Enabled.
  6. In the dropdown that appears, select Redirection Guard Enabled.
  7. Click Next.

Step 4 — Scope Tags (Optional)

If your organization uses scope tags to restrict admin visibility by region or department, add them on the Scope tags tab. Otherwise, click Next to skip.

Step 5 — Assign to a Group

  1. On the Assignments tab, under Included groups, click + Add groups.
  2. Search for and select your target device group.
  3. Click Select, then Next.
💡 Tip
Deploy to a pilot group first. Use Excluded groups to carve out devices that run legacy print middleware until you’ve confirmed compatibility.

Step 6 — Review and Create

  1. On the Review + create tab, verify all settings — platform, profile type, setting value, and assignment.
  2. Click Create. A success banner confirms the policy has been saved.

Verify Policy Deployment

Check device status in Intune

  1. Go to Devices > Configuration and search for your policy.
  2. Click the policy name, then select Device and user check-in status.
  3. Confirm the status shows Succeeded for enrolled devices.
📝 Note
To speed up policy delivery, trigger a manual sync on the client device via Settings > Accounts > Access work or school > Info > Sync or through the Company Portal app.

Confirm via Event Viewer

  1. On the client device, open Event Viewer.
  2. Navigate to:
    Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
  3. Look for an event containing the policy name ConfigureRedirectionGuardPolicy under the Printers area. A successful entry confirms the MDM policy engine has applied the setting.
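The two verification steps above can be combined into one client-side check. The following PowerShell script is an added example, not part of the original article or of Intune itself; it assumes (based on the Printers administrative template, so verify against your own ADMX) that the setting lands under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers as the DWORD value RedirectionGuardPolicy with 1 = enabled, 0 = disabled, 2 = audit only, and it searches the DeviceManagement-Enterprise-Diagnostics-Provider Admin log by message text rather than by a fixed event ID.

```powershell
# Added verification script (not from the original article). Run in an elevated
# PowerShell session on an enrolled client after the policy has synced.
# ASSUMPTION: registry location and value meanings taken from the Printers ADMX;
# confirm them against the template in your environment.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RedirectionGuardPolicy'
$LogName     = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-RedirectionGuardState {
    # Read the policy-managed value; an absent value means "Not Configured".
    $val = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    switch ($val) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        2       { 'AuditOnly' }
        default { 'NotConfigured' }
    }
}

function Get-RedirectionGuardMdmEvents {
    param([int]$Hours = 24)
    # Entries from the MDM policy engine that mention the Redirection Guard
    # policy in the Printers area, as described in the Event Viewer step.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RedirectionGuard' -and $_.Message -match 'Printers' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$state  = Get-RedirectionGuardState
$events = @(Get-RedirectionGuardMdmEvents)
$spool  = Get-Service -Name Spooler

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    SpoolerStatus       = $spool.Status
    RedirectionGuard    = $state
    MdmPolicyEventsSeen = $events.Count
    LastMdmEvent        = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
} | Format-List

if ($state -ne 'Enabled') {
    Write-Warning "Redirection Guard is '$state' on this device; check the policy assignment and force an Intune sync."
}
```

A device that reports Succeeded in Intune but shows NotConfigured here usually has not completed its check-in yet; trigger the manual sync described in the note above and re-run.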

Remove or Delete the Policy

To stop enforcing this setting, either remove the assigned group from the policy’s Assignments tab, or delete the policy entirely from Devices > Configuration. Removing the assignment reverts managed devices to their system default on the next check-in cycle.

Summary

The Print Spooler Redirection Guard policy is a low-effort, high-impact hardening step for any Windows fleet managed by Intune. It closes off a well-documented privilege escalation pathway in the Print Spooler — without requiring any client-side software or additional licensing. For most organizations, enabling it via Settings Catalog should be standard practice alongside other spooler hardening policies such as Windows Protected Print and Turn Off Downloading of Print Drivers Over HTTP.