Olivier BILHAUT
2016-Sep-12 08:31 UTC
[Samba] Point-and-Print driver installation asks for confirmation on current Windows
Hi all.

I have read carefully all your posts and I am glad to see that some of you work around this new MS surprise...

To solve the problem, I understand that:

* if you use the "AD way of deploying printers", the workaround is to use the "Computer Configuration\Policies\Administrative Templates\Printers\Override Print Driver Compatibility Execution Setting Reported By Print Driver"
* You can change the printer drivers for new drivers which handle "driver isolation" (or change the .inf by yourself)
* On Windows 7 SP1, you can also remove the KB3170435; we are actually working on a script to do that if required

But when you are in this situation:

* Using a home-made script for deploying printer connections (not the administrative templates)
* Using old drivers which do NOT and would NEVER handle "driver isolation"
* Changing the .inf of all the drivers is NOT an option (constructors have not yet released such official drivers)

We cannot find any solution for this situation except removing the KB itself.

Note that the "point-and-print" GPO option (Computer/User) does not solve the problem, even using the FQDN name of the printer server. Particularly for the UPDATE of the printer driver. We always get the security prompt, forever!

If some of them are in the same situation and manage to find a workaround, I pay a beer :)

For now, we are about to remove the KB using a script.

Cheers and thanks to all!

--
OB
L.P.H. van Belle
2016-Sep-15 08:42 UTC
[Samba] Point-and-Print driver installation asks for confirmation on current Windows
>> change the .inf by yourself

When you do that, you get the message that the driver isn't signed.

Ow.. And.. wait .. I'll get that beer.. ;-) ( at least working on it. )

Only tested it while entering the link: \\server.domain.tld\printershare
Still testing the deployment, but I'm busy also with lots of other things. So testing is slow here.. please do test and report back here.

At least I can install the printer driver as user again.

Try the following. Go to the policy: Computer Configuration, Administrative Templates, System, and then Driver Installation.
Enable it, click below on Show. Add this GUID: {4d36e979-e325-11ce-bfc1-08002be10318}
( GUID found here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx )

Reboot your computer 2x! ( first to apply the setting, second to make use of it. )

Not the best solution in my opinion but the best I could find out for now. We need better drivers from the printer suppliers, that's the only good fix.

Greetz,
Louis
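Whether a driver declares driver isolation or package awareness can be read from its .inf without editing it, so the signature stays intact. The following is an added example, not code from this thread: the sample INF contents and section names are constructed, and the value meanings (DriverIsolation=2, PackageAware=TRUE) follow Microsoft's INF documentation.

```python
import re
from pathlib import Path

KEYWORDS = ("DriverIsolation", "PackageAware")
# Keyword at the start of a line; a leading ';' makes the line a comment.
_LINE = re.compile(r"^\s*(DriverIsolation|PackageAware)\s*=\s*([^;\r\n]*)", re.I)

def decode_inf(raw):
    """Vendor INFs are often UTF-16 with a BOM, which a byte-wise grep misses."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("cp1252", errors="replace")

def inf_flags(raw):
    """Return {keyword: set of upper-cased values} found in one INF file."""
    found = {k: set() for k in KEYWORDS}
    for line in decode_inf(raw).splitlines():
        m = _LINE.match(line)
        if m:
            key = next(k for k in KEYWORDS if k.lower() == m.group(1).lower())
            found[key].add(m.group(2).strip().strip('"').upper())
    return found

def classify(raw):
    """Summarise what one INF declares; absent keywords count as False."""
    flags = inf_flags(raw)
    return {"driver_isolation": "2" in flags["DriverIsolation"],  # 2 = supported
            "package_aware": "TRUE" in flags["PackageAware"]}

def scan(root):
    """Classify every *.inf below root, e.g. a read-only copy of print$."""
    return {str(p): classify(p.read_bytes())
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() == ".inf"}

# Constructed samples: a UTF-16 INF that declares both keywords, and an
# ANSI INF where the only occurrence is commented out.
SAMPLE_NEW = ("[Version]\r\nSignature=\"$Windows NT$\"\r\n[OEM.Install]\r\n"
              "DriverIsolation=2 ; set by vendor\r\n"
              "[PrinterPackageInstallation.amd64]\r\nPackageAware=TRUE\r\n"
              ).encode("utf-16")
SAMPLE_OLD = b"[Version]\r\n;DriverIsolation=2\r\n[OEM.Install]\r\nCopyFiles=DRV\r\n"

if __name__ == "__main__":
    print("new:", classify(SAMPLE_NEW))
    print("old:", classify(SAMPLE_OLD))
```
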
L.P.H. van Belle
2016-Sep-15 09:49 UTC
[Samba] Point-and-Print driver installation asks for confirmation on current Windows
I'll share what I know for now and what works for me.

Most people will see in their Windows event log:

The user 'Printer Name Here' preference item in the 'Group Policy Object ... error code '0x80070bcb The specified printer driver was not found on the system
Event ID 4098.

For now I have set the following GPO settings.

Computer Configuration\Policies\Administrative Templates\Printers
- Point and Print restriction – Enabled
- Users can only send point and print jobs to these server – Enable
- These servers : printserver.internal.domain.tld;printserver;printserver2.domain.tld;printeserver2
- New driver for connection : dont show a warning and an elevated command
- Update driver for connection : dont show a warning and an elevated command
- Always Render Print Jobs On The Server – Disabled

The above set applies to computers with Win7 and above; if you still have XP/Vista running, also set the same in:

User Configuration\Policies\Administrative Templates\Controlpanel\Printers
- Point and Print restriction – Enabled
- Users can only send point and print jobs to these server – Enable
- These servers : printserver.internal.domain.tld;printserver;printserver2.domain.tld;printserver2
- New driver for connection : dont show a warning and an elevated command
- Update driver for connection : dont show a warning and an elevated command
- Always Render Print Jobs On The Server – Disabled

Computer Configuration\Policies\Administrative Templates\System\Driver Installation\
- Allow non-administrators to install drivers for these device setup classes - Enabled
  Click below on Show and add : {4d36e979-e325-11ce-bfc1-08002be10318}
  ( other GUIDs found here : https://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx )
  But be careful, you are opening a security hole. So do set the servers
- Search for devicedrivers in windows update – Disabled ( but this is because I don't use Windows integrated printer drivers )

Test with this one what works for you.

It's not installing itself for now, but if you click on a link \\server.internal.domain.tld\printershare
which has the needed driver, it will install the driver on the local PC.
Once this is done, and it is only needed 1 time, the GPO works again as normal.
So I emailed a link to my users to update the driver, waited for a policy refresh and I'm good to go.

Other info/tips.

- Don't use unsigned drivers. ( modifying an .inf removes the signing. )
- Make sure you use the latest driver from the printer supplier.

I'm testing for example with HP universal 6.0.0 and 6.2.1 . ( 6.0.0 was on all my PCs already by image, updating to 6.2.1 )
2 tests: clean PC without drivers, and a test with one as imaged.
The HP PARK tools have admx templates for managing the driver settings, use that.
If possible use package-aware drivers. Search in the .INF for lines like : PackageAware=TRUE

Some info:

- DriverIsolation : https://msdn.microsoft.com/en-us/library/windows/hardware/ff560836(v=vs.85).aspx
- Packaged Driver : https://msdn.microsoft.com/en-us/library/windows/hardware/ff561043(v=vs.85).aspx
- New policies for win10 1607 found here: https://www.microsoft.com/en-us/download/details.aspx?id=53430
  Win7 users, install this on a PC.
  The set is found here after install : C:\Program Files (x86)\Microsoft Group Policy\Windows 10 and Windows Server 2016
  ( Not all languages are supported so check first before you update. )
  And ALWAYS backup your sysvol : PolicyDefinitions folder before you update.

Win7 users : also look at : https://support.microsoft.com/nl-nl/kb/3179573
>> https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

And another workaround.

Make an installer package that installs the printer drivers locally on the PC.
If you modify a driver like with the PARK tools from HP, you lose the driver signing!
Set up the same driver in the point and print setup and connect.
If the driver is already on the PC, connecting to the printer share should work as normal.
Updating a driver fails since the driver isn't already on the PC.

Greetz,
Louis
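With both prompts switched off as in the settings above, the server list is the only restriction left on where drivers come from. This added example (not from the thread) parses `reg query` output collected from a client and flags prompt-free settings that are not tied to a server list; the registry value names are the ones the Point and Print Restrictions policy writes, and the sample outputs are constructed.

```python
import re

# Key written by the computer-side "Point and Print Restrictions" policy.
KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*))?$")

def parse_reg_query(text):
    """Turn the output of `reg query "<KEY>"` into {value name: int or str}."""
    values = {}
    for line in text.splitlines():
        m = _VALUE.match(line)
        if not m:
            continue  # key header or blank line
        name, kind, data = m.group(1), m.group(2), (m.group(3) or "").strip()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit(values):
    """Return findings for prompt-free driver install/update settings."""
    relaxed = [n for n in ("NoWarningNoElevationOnInstall", "UpdatePromptSettings")
               if values.get(n, 0) != 0]          # 0 or absent = prompts shown
    if not relaxed:
        return []
    findings = ["no-prompt driver handling: " + ", ".join(relaxed)]
    servers = [s.strip() for s in str(values.get("ServerList", "")).split(";")
               if s.strip()]
    if (values.get("Restricted") != 1 or values.get("TrustedServers") != 1
            or not servers):
        findings.append("prompts are off but connections are not limited "
                        "to a server list")
    else:
        findings.append("limited to servers: " + ", ".join(servers))
    return findings

# Constructed sample: prompts off, restricted to a server list.
THREAD_STYLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    Restricted    REG_DWORD    0x1
    TrustedServers    REG_DWORD    0x1
    ServerList    REG_SZ    printserver.internal.domain.tld;printserver
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
    UpdatePromptSettings    REG_DWORD    0x2
"""
# Constructed sample: same, but the server restriction is switched off.
OPEN = THREAD_STYLE.replace("TrustedServers    REG_DWORD    0x1",
                            "TrustedServers    REG_DWORD    0x0")

if __name__ == "__main__":
    for label, sample in (("thread-style", THREAD_STYLE), ("open", OPEN)):
        print(label, audit(parse_reg_query(sample)))
```
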
L.P.H. van Belle
2016-Sep-16 11:40 UTC
[Samba] Point-and-Print driver installation asks for confirmation on current Windows
Hai Mario,

Ah ok, classic domain controller. I haven't tried it on a classic domain controller. Why no AD DC? It gives you much more options with group policy settings. Really much more flexibility, but that's a choice.

> Printers are connected via login script. Users are asked for
> confirmation to install a driver.
> Can I get around this confirmation so that no user ever needs to confirm
> and the driver gets installed?

For now yes, users must confirm once.
If you want to avoid that, you can try it with AutoIt.
https://deployhappiness.com/automating-installs-with-autoit/
or an advanced script
https://www.autoitscript.com/forum/topic/133588-the-vollatran-project-application-installer-tool/
or
https://deployhappiness.com/automating-hardware-driver-installation-on-windows-7-and-above/
For more examples google for it, there are more.

> Once the driver is installed on the computer, should it work without
> confirmation for other users of the computer or when the printer
> connection is removed and re-added?

Yes, once the driver is on the PC, it's user independent and every other printer connects without confirmation when using the same driver. That's also why I use a "Universal" driver, I only install 2 drivers for about 15 printers. ( HP and Xerox )

And a tip. When you use universal drivers, for example the HP: set up the driver as "HP Universal Printing PCL 6 (v6.2.1)" and not as "HP Universal Printing PCL 6". It keeps it easier to manage upgrades without messing things up. ;-)

Hope this helps out a bit.

Greetz,
Louis

> -----Original message-----
> From: Mario Lipinski [mailto:mario.lipinski at iserv.eu]
> Sent: Friday 16 September 2016 12:16
> To: L.P.H. van Belle
> Subject: Re: [Samba] Point-and-Print driver installation asks for
> confirmation on current Windows
>
> Hi Louis and list,
>
> thank you for following up on this!
> For now, I did not find the time to dig into this deeper.
>
> First, I do not have AD, but a classic domain controller. However, I
> have a working solution for deploying policies.
>
> Printers are connected via login script. Users are asked for
> confirmation to install a driver.
>
> Can I get around this confirmation so that no user ever needs to confirm
> and the driver gets installed?
>
> Once the driver is installed on the computer, should it work without
> confirmation for other users of the computer or when the printer
> connection is removed and re-added?
>
> To proceed on this issue we want to find answers to these two questions
> and then find a way to get rid of these confirmations at all.
>
> Mario
>
> --
> Kind regards,
> Mario Lipinski
> IServ GmbH