Windows Vista - Point & Print


Here on the Perf team, we deal with quite a few printing issues.  An issue we've had a few calls on since the release of Windows Vista concerns the changes made to the Point & Print functionality.  Point & Print is a Windows feature that enables users to connect to a shared printer without the need to manually install the necessary printer driver software.  Point & Print automatically downloads and installs the required printer drivers when a user connects to a shared printer.  It also updates the printer driver on the client computer when the printer driver or the printer driver configuration is updated on the print server.

So - how is Point & Print different on Windows Vista?

Because Point & Print installs software on the client computer, Point & Print features are subject to the enhanced security model of Windows Vista.  New configuration settings were added to the Point & Print Restrictions group policy in Windows Vista.

Point & Print Security Best Practices

The Point & Print Restrictions Group policy can be edited using gpedit.msc.  The policies are located in User Configuration\Administrative Templates\Control Panel\Printers.   We're going to outline several different configuration scenarios.


Scenario 1: Using Deployed Printers

With Deployed Printers, only the printers defined for a user or group will be installed on the client computers that are managed by the group policy. This is considered the most secure practice because the client computers only have the printers installed that are defined in the Group Policy.  To configure Deployed Printers, use the Print Management Console (printmanagement.msc) to create the GPO and define the printers to deploy.

Configuration: Configure the GPO settings below.

After you configure the deployed printers, configure the Point and Print Restrictions group policy as follows:

  • Point and Print Restrictions: Enabled.
  • When installing drivers for a new connection: Do not show warning or elevation prompt.
  • When updating drivers for an existing connection: Show warning only.

User Experience: After you configure the deployed printers and the Point and Print Restrictions group policy, the deployed printers will automatically be installed on the client computer the next time the user logs on. The user will not see any warning messages when the printers are installed for the first time. However, if the printer configuration has been updated on the print server after the deployed printers have been installed on the client computer, the user will see a warning message that informs them that Point and Print must update the driver or configuration for the printer.

Scenario 2: Using the Default Security Settings

The default printer security settings of Windows Vista provide a high degree of security and warn the user before software is installed on the client computer. The default security settings also restrict software installation to users with administrator-level privileges.  Trustworthy printer drivers, such as those provided in-box or in printer driver packages, do not require the user to have administrator-level privileges to install them with the default security. In-box printer drivers are those printer drivers found on the Windows distribution media.

Configuration: No additional configuration is necessary.

User Experience: If a user connects to a shared printer and the required printer driver is not on their computer, or if the driver for an installed printer has been updated on the print server, Point and Print begins the installation process. First, the user sees a warning message similar to the image below.

[Image: Point and Print warning message]

After a user with administrator-level privileges clicks Install driver, a dialog box is displayed to prompt for permission to continue.

After a non-privileged user clicks Install Driver, the UAC dialog box is displayed. The user must be able to enter a password for an account that has administrator-level privileges in this dialog or the printer installation will fail.


Scenario 3: Using Point and Print on Specific Print Servers Only

The Point and Print Restrictions group policy enables you to limit the servers to which a user can Point and Print. You can configure specific print servers to use only printers with trustworthy printer drivers or printers that do not require printer drivers to be downloaded, such as printers that have in-box drivers.

Configuration: First, configure the print servers so that they share only printers that have trustworthy printer drivers or printers with drivers that do not need to be downloaded. These can be printers that have:

  • in-box printer drivers
  • printer drivers in driver packages
  • printer drivers you have tested and found to be trustworthy
  • printer drivers that are already installed on the client computers.

Then set the following options in the Point and Print Restrictions group policy:

  • Point and Print Restrictions: Enabled.
  • Users can only point and print to these servers: Checked.
  • Enter the fully qualified server names in the text box and separate each name with a semi-colon.
  • When installing drivers for a new connection: Do not show warning or elevation prompt.
  • When updating drivers for an existing connection: Do not show warning or elevation prompt.

User Experience: When a user connects to a printer that is shared on a print server listed in the Point and Print Restrictions group policy, Point and Print installs the necessary printer drivers and does not require any additional user interaction. If the user connects to a shared printer on any other print server, Point and Print will not download a printer driver to the client computer. The user may still be able to use the printer but only if they do not need to download the printer driver.

Scenario 4: Use Printers with In-Box Drivers Only

Printers with in-box printer drivers can be installed without downloading any software from the print server. If all printers hosted by your print servers have in-box printer drivers, users will not see any warning dialog boxes when they connect to a shared printer.

Configuration: Verify that all shared printers have in-box drivers for the versions of Windows that are installed on the client computers in your enterprise.

User Experience: When the user connects to a shared printer that has an in-box printer driver, the printer driver will be installed by using software that is available on the client computer. Point and Print will not download any software and the user will not see any warning dialog boxes.

Scenario 5: Use Windows XP-Level Security

You can use the Point and Print Restrictions group policy to provide a client computer with the same level of Point and Print security on Windows Vista as it had with Windows XP.

Configuration: Configure the Point and Print Restrictions Properties group policy and set:

  • Point and Print Restrictions: Enabled.
  • When installing drivers for a new connection: Do not show warning or elevation prompt.
  • When updating drivers for an existing connection: Do not show warning or elevation prompt.

User Experience: Users will not see any additional warning messages when they connect to a shared printer and Point and Print installs a new printer driver or when Point and Print updates the printer driver for an existing connection.

Scenario 6: Use Printers with Printer Driver Packages

Windows Vista introduces printer driver packages. A printer driver package is a signed group of files that make up a printer driver. Printer driver packages are secure and they can be installed by users who do not have administrator-level privileges.

Configuration: Confirm that the shared printers on your print servers have a printer driver package (the printer driver packages should be supplied by the printer manufacturer). Note that only computers running Windows Vista can use printer driver packages. Computers that are running earlier versions of Windows and share printers cannot use printer driver packages.

User Experience: Because printer driver packages are secure, they are downloaded and installed without presenting any warning messages to the user.
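The six scenarios above reduce to one decision: which driver, from which server, under which policy. The sketch below is an added example, not code from the original post or from Microsoft; it models that decision so the configurations can be compared against a print server that is on no list. The field names, outcome strings and server names are hypothetical labels for the options the post describes.

```python
from dataclasses import dataclass

# Illustrative labels for the per-event choices the policy dialog offers.
SILENT, WARN, ELEVATE = "no prompt", "warning only", "warning + elevation"
REFUSED, LOCAL = "driver download refused", "no download, no prompt"

@dataclass
class Policy:
    """Point and Print Restrictions as the post describes them (field names are hypothetical)."""
    enabled: bool = False           # False = not configured, Vista defaults (Scenario 2)
    restrict_servers: bool = False  # "Users can only point and print to these servers"
    servers: str = ""               # semicolon-separated FQDNs, as typed in the text box
    on_install: str = ELEVATE       # "When installing drivers for a new connection"
    on_update: str = ELEVATE        # "When updating drivers for an existing connection"

def outcome(p, server, driver, event="install"):
    """Model of what a user sees. driver: 'in-box', 'installed', 'package' or 'other'."""
    if driver in ("in-box", "installed"):
        return LOCAL                # Scenario 4: nothing is fetched from the print server
    if p.enabled and p.restrict_servers:
        # Assumption of this model: names are compared case-insensitively.
        allowed = {s.strip().lower() for s in p.servers.split(";") if s.strip()}
        if server.lower() not in allowed:
            return REFUSED          # Scenario 3: server is not on the list
    if driver == "package":
        return SILENT               # Scenario 6: signed driver package, no warning
    if not p.enabled:
        return ELEVATE              # Scenario 2: warning, then consent or UAC credentials
    return p.on_install if event == "install" else p.on_update

def silent_from_unlisted(p):
    """True if an untested driver from a server on no list installs or updates unprompted."""
    return any(outcome(p, "unlisted.example", "other", e) == SILENT
               for e in ("install", "update"))

# Constructed sample policies; the server names are placeholders.
POLICIES = {
    "default (2)": Policy(),
    "deployed (1)": Policy(True, on_install=SILENT, on_update=WARN),
    "server list (3)": Policy(True, True, "print01.corp.example; print02.corp.example",
                              SILENT, SILENT),
    "XP-level (5)": Policy(True, on_install=SILENT, on_update=SILENT),
}

if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{name:16} listed={outcome(pol, 'print01.corp.example', 'other'):20} "
              f"unlisted={outcome(pol, 'unlisted.example', 'other'):24} "
              f"silent_from_unlisted={silent_from_unlisted(pol)}")
```

With the same "Do not show warning or elevation prompt" choices, only the server list in Scenario 3 changes the result for a server the administrator has not vetted.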

OK - that's it for this post.  Hopefully this helps to clear up some of the confusion concerning Point & Print on Windows Vista.  Until next time ...


 - CC Hameed

  • PingBack from http://www.ditii.com/blog/2007/06/01/windows-vista-point-print/

  • I can print to the Dell Wireless printer through XP but Vista stopped printing and will not print through wireless, USB or network. Any ideas?

  • When I give the print, print goes but there shows one document is pending. How to solve this problem? Pls any idea.

  • How about printing to a printer connected to a Vista computer from an XP computer? I got some working but others don't even see the Vista computer.

  • How do I install a printer driver on Windows Vista without the driver CD?