In modern enterprise IT environments, managing endpoint print infrastructure isn’t just about convenience—it’s about control, compliance, and cost. While Universal Print offers a scalable cloud-native solution to print management, the reality is that outdated or misconfigured policies can become a major operational burden.
Here's a comprehensive, real-world playbook on how to remove Universal Print policies in Microsoft Intune—complete with scripting options, troubleshooting paths, and insights on optimizing your print deployment model.
Before we can responsibly remove printer policies, we must first understand how they're built, deployed, and enforced via Microsoft Intune. Here's how Universal Print works and how it integrates with Intune’s mobile device management (MDM) engine.
Universal Print replaces traditional on-prem print servers with cloud-hosted print queues and printer management via Azure. Rather than mapping printers through GPOs or local scripts, printers are registered as Azure AD resources and provisioned to users or devices through the Universal Print connector or native support on newer models.
Think of it as a cloud-native print spooler that offloads driver management and queue visibility to Microsoft 365, integrated tightly with your AAD identity stack.
Microsoft Intune acts as the delivery engine for Universal Print settings. Through configuration profiles, Intune pushes printer mappings and policy controls (such as default printer settings, duplex preferences, and printer availability) to endpoints based on group assignments or dynamic rule sets.
These profiles are built using either:
Administrative Templates for structured settings.
Custom OMA-URI profiles for granular control via CSP (Configuration Service Providers).
When it's time to retire or reconfigure, understanding this delivery model is key to a clean policy teardown.
There’s rarely a “just because” reason to remove a printer policy. This section covers common scenarios where printer policy removal isn’t just maintenance—it's a strategic action that impacts performance, user experience, and security posture.
Your organization may be cycling out legacy printers or transitioning to newer models with native Universal Print support. Old policies targeting decommissioned devices can result in:
Persistent but broken mappings.
Driver conflicts.
End-user confusion during printer selection.
Cleaning up these policies ensures endpoints aren't querying or mapping printers that no longer exist.
As environments evolve, printer policies may have been created ad hoc across departments or business units. Over time, this results in:
Overlapping assignments across dynamic groups.
Conflicting settings applied via multiple profiles.
Debugging nightmares when troubleshooting print issues.
Removing or consolidating old policies improves policy hygiene and reduces admin overhead.
Stale printer profiles can expose endpoints to security risks:
Unencrypted print paths or SMB dependencies.
Exposed Universal Print connectors still linked to Azure AD.
Printers mapped to decommissioned subnets with no oversight.
Regular auditing and removal of such policies reduces attack surface and aligns with Zero Trust principles.
Now let’s get tactical. Let's review both manual and automated methods for removing Universal Print policies from the Intune management plane—complete with best practices and gotchas.
This is the simplest method if you’re managing a smaller environment or want to verify settings interactively.
Log in to https://endpoint.microsoft.com using a role with adequate RBAC permissions (e.g., Intune Admin).
Navigate to Devices > Configuration Profiles.
Filter by platform (e.g., “Windows 10 and later”) and locate the policy by name or tag.
Open the policy and select Delete.
Confirm deletion in the pop-up dialogue box.
Tip: Unassign the policy from all groups before deleting to avoid assignment replication delays.
In larger or more automated environments, PowerShell + Microsoft Graph provides a repeatable way to manage policy state across tenants or environments.
Install the Microsoft.Graph.Intune module.
Authenticate with permissions for DeviceManagementConfiguration.ReadWrite.All.
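    # Sign in to Microsoft Graph (requires the Microsoft.Graph.Intune module)
    Connect-MSGraph

    # Find the device configuration profile by its exact display name
    $policy = Get-IntuneDeviceConfigurationPolicy | Where-Object {
        $_.displayName -eq "Universal Print Policy"
    }

    if ($policy) {
        # Delete every profile that matched the name
        $policy | ForEach-Object {
            Remove-IntuneDeviceConfigurationPolicy -deviceConfigurationId $_.id
        }
        Write-Output "Policy successfully removed."
    } else {
        Write-Output "Policy not found."
    }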
Add logging, environment detection, and version control for enterprise-ready use.
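One way to add the logging and a dry-run mode, and to apply the unassign-before-delete tip from the portal steps, is shown here as an added example that is not code from the original article. It assumes the policy is a custom OMA-URI profile stored under deviceManagement/deviceConfigurations and that the Microsoft.Graph.Intune module is installed; the parameter names and the log path are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Intune
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$DisplayName,            # exact profile name to retire
    [string]$LogPath = "$env:TEMP\up-policy-removal.log"  # hypothetical audit log location
)

function Write-Audit([string]$Message) {
    # One timestamped line per action, tagged with the operator account
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

Connect-MSGraph | Out-Null

$targets = @(Get-IntuneDeviceConfigurationPolicy |
    Where-Object { $_.displayName -eq $DisplayName })

if ($targets.Count -eq 0) {
    Write-Audit "NOT FOUND '$DisplayName'"
    return
}

foreach ($item in $targets) {
    $base = "deviceManagement/deviceConfigurations/$($item.id)"

    # Record the current target groups so the change can be reviewed or reversed
    $assigned = @((Invoke-MSGraphRequest -HttpMethod GET -Url "$base/assignments").value |
        Where-Object { $_ })
    $groups = $assigned.target.groupId -join ','
    Write-Audit "FOUND id=$($item.id) assignments=$($assigned.Count) groups=$groups"

    if ($PSCmdlet.ShouldProcess("$DisplayName ($($item.id))", 'Unassign and delete')) {
        # Clear assignments first, then delete the profile itself
        Invoke-MSGraphRequest -HttpMethod POST -Url "$base/assign" `
            -Content '{"assignments":[]}' | Out-Null
        Write-Audit "UNASSIGNED id=$($item.id)"

        Remove-IntuneDeviceConfigurationPolicy -deviceConfigurationId $item.id
        Write-Audit "DELETED id=$($item.id)"
    }
}
```

Run it with -WhatIf first: the FOUND lines are still written to the log, so the affected groups can be reviewed before anything is changed.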
Removing the policy from Intune is only half the job. You also need to validate that client devices reflect this change and that no ghost configurations persist.
Ensure endpoints receive updated configuration:
Use Company Portal > “Sync”
Or via PowerShell:
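    $device = Get-IntuneManagedDevice -Filter "deviceName eq '<device name>'"  # replace with the device's name
    Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $device.id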
Check the following:
Go to Devices > [Device] > Managed Policies in Intune.
Confirm the Universal Print policy is no longer listed.
Manually inspect HKCU:\Printers and spooler queues for residue.
Prompt impacted users to verify:
Printers are removed from Windows Settings > Printers & Scanners.
No “ghost” printers remain in apps like Word or Outlook.
No removal is complete without dealing with edge cases. Here’s how to address common blockers and edge scenarios when policies refuse to go quietly.
Check RBAC role and permissions (especially with scope tags).
Ensure no active group assignments remain.
Refresh the Endpoint Manager portal—UI lag is a known issue.
Reboot and re-sync devices.
Use Event Viewer > DeviceManagement-Enterprise-Diagnostics-Provider to examine CSP responses.
Use MDMDiagReport.html to inspect local policy states.
Large, distributed orgs might see delays due to:
Policy replication latency.
Azure AD dynamic group re-evaluation delays.
Dormant device sync cycles.
Mitigation: Consider using proactive remediation scripts in Endpoint Analytics to force printer object cleanup.
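A detection script for such a remediation, which also automates the manual HKCU:\Printers and spooler-queue inspection from the validation steps, is given here as an added example that is not part of the original article. The printer names are hypothetical placeholders. The script relies on the Intune remediation convention that exit code 1 reports an issue and triggers the paired remediation script.

```powershell
# Detection script for an Intune proactive remediation (added example).
# Run with "Run this script using the logged-on credentials" so HKCU is the user's hive.
$RetiredPrinters = @('HQ-Floor2-Color', 'HQ-Floor3-Mono')  # hypothetical printer names

function Find-PrinterResidue {
    param([string[]]$Names)
    $hits = @()

    # Spooler view: queues still installed and visible to this user
    foreach ($p in Get-Printer -ErrorAction SilentlyContinue) {
        if ($Names | Where-Object { $p.Name -like "*$_*" }) {
            $hits += "queue: $($p.Name) (port $($p.PortName))"
        }
    }

    # Registry view: per-user printer keys left behind after the policy was removed
    if (Test-Path 'HKCU:\Printers') {
        foreach ($k in Get-ChildItem 'HKCU:\Printers' -Recurse -ErrorAction SilentlyContinue) {
            if ($Names | Where-Object { $k.PSChildName -like "*$_*" }) {
                $hits += "registry: $($k.Name)"
            }
        }
    }
    return $hits
}

$residue = Find-PrinterResidue -Names $RetiredPrinters
if ($residue) {
    # This output is surfaced in the Intune remediation report for the device
    Write-Output ("Stale printers found: " + ($residue -join '; '))
    exit 1   # issue detected: Intune runs the paired remediation script
}
Write-Output 'No retired printers present.'
exit 0
```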
Removing the printer policy doesn’t always remove its shadow. You’ll want to ensure any connectors, AD objects, or app permissions associated with the old print config are cleaned up.
Delete unused Universal Print connectors from Azure.
Audit Enterprise Applications for leftover API permissions.
Remove stale Azure AD printer objects via Graph API or Azure Portal.
Review Conditional Access policies for unintentional allow paths.
Removing outdated policies is a good cleanup practice—but also a chance to rebuild smarter. These alternatives offer more control, visibility, and compatibility with modern hybrid work environments.
OEM Apps (e.g., HP, Canon, Epson) deployed via Win32 app packages.
Third-party platforms like PaperCut MF/NG and/or Tricerat's Universal Print Driver for enterprise print management.
Scripting printer installations via Add-Printer, PrintBRM, or using Autopilot ESP with custom remediation scripts.
Removing a Universal Print policy in Intune is not just about clearing a config. It’s a step in building a repeatable, secure, and manageable endpoint ecosystem. Whether you’re shifting away from cloud print altogether or just modernizing your fleet, proper cleanup helps reduce friction, improve user experience, and keep your configuration management lean and secure.
Use automation where possible, document every removal action, and always tie configuration state to your broader device compliance and lifecycle management processes.
Tricerat's solution simplifies printer driver management on cloud desktops with its ScrewDrivers® virtual driver, eliminating the need for copying or pre-loading drivers. Installation is straightforward, allowing easy printer assignment to users, groups, devices, or locations without CSV files, scripts, or GPOs.
The ScrewDrivers client seamlessly integrates local client printers into the cloud desktop session, enabling users to access their local printers effortlessly without requiring any admin intervention.