MicrosoftNateL1010 : About the print spooler, I used the registry key documented in this Microsoft blogpost: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/a-print-nightmare-artifact-krbtgt-nt-authority/ba-p/3757962 (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC\RpcNamedPipeAuthentication = 0x2 (DWORD)) starting around May of 2023, and that stopped the spooler NTLM usage after the computers were restarted. The blogpost specifically states "Setting RpcNamedPipeAuthentication to 0x2 does not lead to a security vulnerability." I have NTLM outgoing set to "Deny All" on most clients/servers now, and printing still works (and doesn't show up in NTLM logs).
I did not set RpcAuthnLevelPrivacyEnabled=0, since that reopens https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25
