We came across a strange issue today on Windows 10 devices that we haven’t seen since the Windows Vista days. Users have started to get User Account Control (UAC) prompts when connecting to some printers. The Point and Print feature is responsible for this, as it allows standard users to easily install printer drivers from trusted print servers.
The problem appeared right after applying last July's monthly updates (MS16-087).
Windows 10 Point and Print UAC Prompt Cause
Microsoft has tightened the requirements for printer drivers on print servers.
If you:
- Are using a print server
- Allow standard users to install printer drivers using the Point and Print Group Policy
- Are using old printer drivers that might have the following:
  - Non-package-aware v3 printer drivers
  - Unsigned or expired certificate validation drivers
Following MS16-087 installation, you receive a UAC prompt and a Connect to Printer error after a printer installation attempt. (A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.)
Here’s the list of the specific KBs per OS that create the issue:
- Windows 10
- Windows 10 v1511
- Windows Vista
- Windows 7
- Windows 8.1
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
How to fix it
Part 1 of the solution is available in the October 2016 Preview of Monthly Quality Rollup, available for all operating systems except Windows 10 (October 16th). Microsoft has released an update that lets network administrators configure policies that permit the installation of print drivers that they consider safe. This update also allows network administrators to deploy printer connections that they consider safe.
This means that, if you are facing the issue, the official fix for it will be available for production use on the next Patch Tuesday (November 8th) as part of the Monthly Quality Rollup.
KB in preview
For Windows 7 and Windows Server 2008 R2 : https://support.microsoft.com/en-ca/kb/3192403
For Windows Server 2012 : https://support.microsoft.com/en-ca/kb/3192406
For Windows 8.1 and Windows Server 2012 R2 : https://support.microsoft.com/en-ca/kb/3192404
KB in production
For Windows 10 RTM : https://support.microsoft.com/en-ca/kb/3192440
For Windows 10 1511 : https://support.microsoft.com/en-ca/kb/3192441
Part 2 consists of having the right GPO settings for Point and Print.
Two GPO settings must be applied:
- Under Computer Configuration / Policies / Administrative Templates / Printers, set Package Point and Print – Approved servers to Enabled
  - Each print server must be added to the list with the fully qualified server name
- Under Computer Configuration / Policies / Administrative Templates / Printers, set Point and Print Restrictions to Enabled
  - Each print server must be added to the list with the fully qualified server name, separated by semicolons
  - When installing drivers for a new connection, select Do not show warning or elevation prompt
  - When installing drivers for an existing connection, select Do not show warning or elevation prompt
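
To confirm on a client that both policies above have applied and that the no-prompt behaviour is limited to your listed print servers, the following added example (not part of the original post) reads the registry values the two policies write. The server name is a constructed placeholder, and the value names are the ones these policies use under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers as far as I know them; treat them as an assumption and check them against your own GPO export.

```powershell
# Added example: audit the two Point and Print policies on a client.
# $ExpectedServers is an assumption: pass your own print server FQDNs.
param([string[]]$ExpectedServers = @('print01.corp.example.com'))  # constructed sample name

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-PointAndPrintPolicy([string[]]$Servers) {
    $pnp = "$base\PointAndPrint"
    $pkg = "$base\PackagePointAndPrint"
    $findings = @()

    # Point and Print Restrictions: semicolon-separated server list and prompt settings
    $raw = Get-PolicyValue $pnp 'ServerList'
    $listed = @(if ($raw) { $raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } })
    if ((Get-PolicyValue $pnp 'Restricted') -ne 1)     { $findings += 'Point and Print Restrictions is not Enabled' }
    if ((Get-PolicyValue $pnp 'TrustedServers') -ne 1) { $findings += 'Point and Print is not limited to the server list' }
    if ((Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall') -ne 1) { $findings += 'New connections still prompt' }
    if ((Get-PolicyValue $pnp 'UpdatePromptSettings') -ne 2)          { $findings += 'Existing connections still prompt' }

    # Package Point and Print - Approved servers: server names are read from the value data
    $approved = @()
    if ((Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -eq 1 -and (Test-Path "$pkg\ListofServers")) {
        $key = Get-Item "$pkg\ListofServers"
        $approved = @($key.Property | ForEach-Object { $key.GetValue($_) })
    } else { $findings += 'Package Point and Print - Approved servers is not Enabled' }

    foreach ($s in $Servers) {
        if ($s -notmatch '\.')         { $findings += "$s is not a fully qualified name" }
        if ($listed -notcontains $s)   { $findings += "$s missing from the Point and Print Restrictions list" }
        if ($approved -notcontains $s) { $findings += "$s missing from the Approved servers list" }
    }
    $findings
}

$result = Test-PointAndPrintPolicy $ExpectedServers
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'Point and Print policies match the expected server list.' }
```

Run it after gpupdate on an affected client; any warning names the setting or server that still needs attention.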