So - how is Point & Print different on Windows Vista?
Because Point & Print installs software on the client computer, Point & Print features are subject to the enhanced security model of Windows Vista. New configuration settings were added to the Point & Print Restrictions group policy in Windows Vista.
Point & Print Security Best Practices
The Point & Print Restrictions Group policy can be edited using gpedit.msc. The policies are located in User Configuration\Administrative Templates\Control Panel\Printers. We're going to outline several different configuration scenarios.
Scenario 1: Using Deployed Printers
With Deployed Printers, only the printers defined for a user or group will be installed on the client computers that are managed by the group policy. This is considered the most secure practice because the client computers only have the printers installed that are defined in the Group Policy. To configure Deployed Printers, use the Print Management Console (printmanagement.msc) to create the GPO and define the printers to deploy.
Configuration : Configure the GPO settings below.
User Experience: After you configure the deployed printers and the Point and Print Restrictions group policy, the deployed printers will automatically be installed on the client computer the next time the user logs on. The user will not see any warning messages when the printers are installed for the first time. However, if the printer configuration has been updated on the print server after the deployed printers have been installed on the client computer, the user will see a warning message that informs them that Point and Print must update the driver or configuration for the printer.
Scenario 2: Using the Default Security Settings
The default printer security settings of Window Vista provide a high degree of security and warn the user before software is installed on the client computer. The default security settings also restrict software installation to only users with administrator-level privileges. Trustworthy printer drivers, such as those provided in-box or in printer driver packages, do not require the user to have administrator-level privileges to install them with the default security. In-box printer drivers are those printer drivers found on the Windows distribution media.
Configuration: No additional configuration is necessary.
User Experience: If a user connects to a shared printer and the required printer driver is not on their computer, or if the driver for an installed printer has been updated on the print server, Point and Print begins the installation process. First, the user sees a warning message similar to the image below.
After a user with administrator-level privileges clicks Install driver, a dialog box is displayed to prompt for permission to continue.
After a non-privileged user clicks Install Driver, the UAC dialog box is displayed. The user must be able to enter a password for an account that has administrator-level privileges in this dialog or the printer installation will fail.
Scenario 3: Using Point and Print on Specific Print Servers Only
The Point and Print Restrictions group policy enables you to limit the servers to which a user can Point and Print. You can configure specific print servers to use only printers with trustworthy printer drivers or printers that do not require printer drivers to be downloaded, such as printers that have in-box drivers.
Configuration: First, configure the print servers so that they share only printers that have trustworthy printer drivers or printers with drivers that do not need to be downloaded. These can be printers that have:
Then set the following options in the Group policy
User Experience: When a user connects to a printer that is shared on a print server listed in the Point and Print Restrictions group policy, Point and Print installs the necessary printer drivers and does not require any additional user interaction. If the user connects to a shared printer on any other print server, Point and Print will not download a printer driver to the client computer. The user may still be able to use the printer but only if they do not need to download the printer driver.
Scenario 4: Use Printers with In-Box Drivers Only
Printers with in-box printer drivers can be installed without downloading any software from the print server. If all printers hosted by your print servers have in-box printer drivers, users will not see any warning dialog boxes when they connect to a shared printer.
Configuration: Verify that all shared printers have in-box drivers for the versions of Windows that are installed on the client computers in your enterprise.
User Experience: When the user connects to a shared printer that has an in-box printer driver, the printer driver will be installed by using software that is available on the client computer. Point and Print will not download any software and the user will not see any warning dialog boxes.
Scenario 5: Use Windows XP-Level Security
You can use the Point and Print Restrictions group policy to provide a client computer with the same level of Point and Print security on Windows Vista as it had with Windows XP.
Configuration: Configure the Point and Print Restrictions Properties group policy and set:
User Experience: Users will not see any additional warning messages when they connect to a shared printer and Point and Print installs a new printer driver or when Point and Print updates the printer driver for an existing connection.
Scenario 6: Use Printers with Printer Driver Packages
Windows Vista introduces printer driver packages. A printer driver package is a signed group of files that make up a printer driver. Printer driver packages are secure and they can be installed by users who do not have administrator-level privileges.
Configuration: Confirm that the shared printers on your print servers have a printer driver package (the printer driver packages should be supplied by the printer manufacturer). Note that only computers running Windows Vista can use printer driver packages. Computers that are running earlier versions of Windows and share printers cannot use printer driver packages.
User Experience: Because printer driver packages are secure, they are downloaded and installed without presenting any warning messages to the user.
OK - that's it for this post. Hopefully this helps to clear up some of the confusion concerning Point & Print on Windows Vista. Until next time ...
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.