Policy
Manage Print Driver signature validation
This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box. If you disable or do not configure this policy setting, the default method is "Allow all validly signed drivers". -- "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer. -- "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. -- "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). -- "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. -- "Allow all validly signed drivers" specfies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location. The 'Trusted Publishers' certificate store can contain certificates from sources that are not related to print drivers.
e773867e5fdd ConfigureDriverValidationLevel Registry
Copy registry mappings
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevelPolicy notes
This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box. If you disable or do not configure this policy setting, the default method is "Allow all validly signed drivers". -- "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer. -- "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. -- "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). -- "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. -- "Allow all validly signed drivers" specfies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location. The 'Trusted Publishers' certificate store can contain certificates from sources that are not related to print drivers.