Problem: Non-interactive installation of printer drivers from print servers fails on Windows clients (Point and Print)

Problem:

Since MS16-087, the non-interactive installation of printer drivers from print servers on Windows clients might fail if the printer driver does not meet certain criteria (see also https://support.microsoft.com/en-us/help/3170005/ms16-087-security-update-for-windows-print-spooler-components-july-12). This is particularly a problem if printers are deployed via Group Policies.

Solution:

To restore the pre-MS16-087 behavior, the following steps are necessary:

  • Install the “security and quality rollup” from November 2016 or newer on the Windows clients
  • Configure Domain Group Policies to add print servers to the list of allowed print servers
    1. Click Start, and then click Run.
    2. Type gpmc.msc, and then click OK.
    3. Open “Domains” → “[Your Domain]” → “Group Policy Objects”
    4. Select an appropriate existing policy (e.g., “Default Domain Policy”) or create a new domain policy
    5. Right-click the selected policy, and then click Edit.
    6. Expand “Computer Configuration” and go to “Policies” → “Administrative Templates”
    7. Click Printers.
    8. Double click “Point and Print Restrictions”, and then select the Enabled option.
    9. Under Options, select the “Users can only point and print to these servers” check box, and then type the fully qualified server names (FQDN) of all print servers in the text box, separated by semicolons.
    10. Under “Security Prompts”, select “Do not show warning or elevation prompt” in both the “When installing drivers for a new connection” and “When updating drivers for an existing connection” lists.
    11. Click Apply, and then OK.
    12. In the “Printers” policy page, double-click “Package Point and Print - Approved servers.”
    13. Select the Enabled option.
    14. Under Options, click Show.
    15. Type one fully qualified server name in each row.
    16. Click OK.
    17. Click Apply, and then click OK.
    18. Push the policies to the domain clients, and then verify that these policies are in effect.

Note: After you enable these group policies, you have to add all print servers to both the “Point and Print Restrictions” list and the “Package Point and Print - Approved servers” list.
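
A check for step 18 and the note above, as an added example that is not part of the original article: run on a client after a policy refresh, this PowerShell snippet reads both policies from the registry and reports whether each print server appears in both lists. The registry paths and value names are assumptions (the locations these policies are commonly stored in; the article does not give them), and the server names are constructed samples.

```powershell
# Expected print servers (constructed sample values; replace with your FQDNs).
$Expected = @('print01.example.com', 'print02.example.com')

# Assumed registry locations written by the two policies (not stated in the article).
$Base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnP    = Join-Path $Base 'PointAndPrint'
$PkgPnP = Join-Path $Base 'PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Point and Print Restrictions": semicolon-separated list in one string value.
$restrictList = @()
$raw = Get-PolicyValue $PnP 'ServerList'
if ($raw) {
    $restrictList = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# "Package Point and Print - Approved servers": one value per row in a subkey.
$approvedList = @()
$listKey = Get-Item -Path (Join-Path $PkgPnP 'ListofServers') -ErrorAction SilentlyContinue
if ($listKey) {
    $approvedList = @($listKey.GetValueNames() |
        ForEach-Object { "$($listKey.GetValue($_))".Trim() } | Where-Object { $_ })
}

# Settings from steps 8-10 and 13 (assumed encodings: 1 = enabled, 2 = no prompt on update).
[pscustomobject]@{
    RestrictToListedServers = (Get-PolicyValue $PnP 'TrustedServers') -eq 1
    NoPromptOnInstall       = (Get-PolicyValue $PnP 'NoWarningNoElevationOnInstall') -eq 1
    NoPromptOnUpdate        = (Get-PolicyValue $PnP 'UpdatePromptSettings') -eq 2
    ApprovedServersEnabled  = (Get-PolicyValue $PkgPnP 'PackagePointAndPrintServerList') -eq 1
} | Format-List

# Every print server must appear in both lists (comparison is case-insensitive).
foreach ($server in $Expected) {
    [pscustomobject]@{
        Server               = $server
        InRestrictionsList   = $restrictList -contains $server
        InApprovedServerList = $approvedList -contains $server
    }
}

# Entries present on the client that are not in the expected set.
$unexpected = @(($restrictList + $approvedList) | Sort-Object -Unique |
    Where-Object { $Expected -notcontains $_ })
if ($unexpected) { Write-Warning "Unexpected servers in policy: $($unexpected -join ', ')" }
```

Because step 10 suppresses the warning and elevation prompts for the listed servers, any entry reported as unexpected should be reviewed and removed from the policy if it is not one of your print servers.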
