I'm trying to deploy printers via Group Policy. Posts around the internet suggest using the Group Policy Preferences approach (User/Preferences/Control Panel Settings/Printers) is the preferred method.
However, the printer is failing to deploy, and the following error appears in the event viewer:
The user 'Epson Printer' preference item in the 'Group Policy Object {GUID}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.
Various sources around the internet, including Microsoft Technet, suggest that the Point and Print Restrictions GPO policy needs to be modified in order for the drivers to be allowed to install without prompt.
This policy exists in both the User Configuration tree under User/Policies/Administrative Templates/Control Panel/Printers; and the Computer Configuration tree under Computer/Policies/Administrative Templates/Printers.
I have tried two approaches:
- Setting both User and Computer Point and Print Restrictions policy to Disabled.
- Setting both User and Computer Point and Print Restrictions policy to the configuration described in the above Technet article (screen capture of policy)
After each attempt, I performed a full directory replication, and on the test computer executed gpupdate /force from both an elevated admin and normal user command prompt, rebooted, then executed gpresult /H result.html to validate the settings have been applied.
However, I am still getting the above error in the event viewer and the printer is not installing.
If I manually add the printer with Add Printer in the control panel, the driver installs fine. Additionally if I use the "traditional" approach of deploying printer connections via Computer/Windows Settings/Deployed Printers, the printer driver and printer appear to install fine, but then I can't use some of the newer features supported by the GPP approach.
The Domain Controller is Windows Server 2012 R2 and the clients are Windows 10 Enterprise. All computers are up to date with the latest patches.
This is being caused by KB3170455 - which patches this: https://technet.microsoft.com/library/security/MS16-087
It prevents point and print drivers from being installed without a warning box, unless they are packaged, signed drivers. Unfortunately a lot of printer companies do not release packaged drivers.
So far I have not found any way to get the printers to automatically install. Changing point and print settings doesn't fix it. Removing the update does fix it, but leaves a security hole.
As Grant said, the issue is caused by security update KB3170455 and the exact fix is as he mentioned. However, there is a registry edit (really a hack) that may help in some situations. It involves editing the registry on the print server and incrementing the "PrinterDriverAttributes" value by one for any driver that shows as not being a packaged driver. You will still need to make sure all appropriate Group Policy settings are in place, particularly the Point and Print Restrictions and Package Point and print - Approved Servers settings.
To avoid posting a duplicate answer, please see my answer on the other question here: Registry edit for printer drivers
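A read-only way to see which drivers on the print server are currently flagged as packaged, given here as an added example that is not part of either answer. It assumes the spooler's standard driver key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments (the page does not give the path) and that bit 0 of PrinterDriverAttributes is the package-aware flag (PRINTER_DRIVER_PACKAGE_AWARE in winspool.h); Get-DriverPackageStatus is a hypothetical helper name.

```powershell
# Added example: read-only audit, run on the print server. It changes nothing.
# Assumption: standard spooler driver store location (not stated on the page).
$EnvironmentsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$PackageAwareBit  = 0x1   # PRINTER_DRIVER_PACKAGE_AWARE

function Get-DriverPackageStatus {
    param([string]$Path = $EnvironmentsPath)

    # One subkey per architecture, e.g. "Windows x64", "Windows NT x86"
    foreach ($environment in Get-ChildItem -Path $Path -ErrorAction Stop) {
        $drivers = $environment.OpenSubKey('Drivers')
        if ($null -eq $drivers) { continue }

        # "Version-3" and "Version-4" hold the installed driver entries
        foreach ($versionName in $drivers.GetSubKeyNames()) {
            $version = $drivers.OpenSubKey($versionName)
            foreach ($driverName in $version.GetSubKeyNames()) {
                $driver = $version.OpenSubKey($driverName)
                $attr   = $driver.GetValue('PrinterDriverAttributes', $null)

                [pscustomobject]@{
                    Environment  = $environment.PSChildName
                    Version      = $versionName
                    Driver       = $driverName
                    Attributes   = $attr
                    # $null means the value is missing, which is different from "not packaged"
                    PackageAware = if ($null -eq $attr) { $null }
                                   else { [bool]($attr -band $PackageAwareBit) }
                }
                $driver.Close()
            }
            $version.Close()
        }
        $drivers.Close()
    }
}

# Drivers that are not flagged as packaged sort to the top of the report
Get-DriverPackageStatus |
    Sort-Object PackageAware, Driver |
    Format-Table Environment, Version, Driver, Attributes, PackageAware -AutoSize
```

Drivers reported with PackageAware False are the ones affected by the KB3170455 behaviour described above; keeping a copy of this report before any registry change records which entries were genuinely packaged and which were altered by hand.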