The notorious "Do you trust this printer" prompt stems from Microsoft's security update KB3170455 (MS16-087) which modified Point and Print behavior to prevent driver spoofing attacks. This fundamentally changed how Windows 7/Server 2012 R2 environments handle printer driver installations.
Here's the definitive configuration that worked in our production environment:
# Group Policy Objects needed:
1. Computer Configuration > Policies > Administrative Templates > Printers
- Point and Print Restrictions: Enabled
- Security Prompts: "Do not show warning or elevation prompt"
- Trusted Servers: "\\yourprintserver.domain.com"
- Users can only point and print to these servers: Enabled
2. Registry tweak for stubborn cases (create via GPO Preferences):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
For cases where pure GPO fails, this PowerShell script can run as a startup script:
# PrinterInstall.ps1
$printerPath = "\\printserver\printerShare"
$driverName = "HP Universal Printing PCL 6"
try {
Add-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $printerPath -ErrorAction Stop
# Verify installation
if (Get-Printer -Name $printerPath -ErrorAction SilentlyContinue) {
Write-Output "Printer installed successfully"
Exit 0
}
} catch {
# Fallback to rundll32 for legacy systems
Start-Process -FilePath "rundll32" -ArgumentList "printui.dll,PrintUIEntry /ga /n$printerPath" -Wait
Restart-Service -Name Spooler -Force
Exit 0
}
- Verify Print Server role is installed with proper drivers
- Check DNS resolution of print server hostname
- Test with procmon to identify permission issues
- Clear existing printer connections from registry before redeploying
- Ensure GPO is applying (gpresult /h gpreport.html)
While bypassing prompts increases usability, consider these security measures:
- Digitally sign all printer drivers
- Restrict printer deployment to specific IP ranges
- Implement Network Access Protection (NAP) for print clients
- Regularly audit print server for unauthorized drivers
Since KB5005565 (September 2021 Patch Tuesday), Windows implements stricter Point and Print restrictions by default. This affects both manual installations and GPO-based deployments when:
- Print server and client OS versions differ (Server 2012 R2 → Win7)
- Driver packages aren't properly signed
- Non-administrative users attempt installation
For environments mixing Server 2012 R2 and Windows 7, these registry tweaks are essential:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000000
When GPO fails, this script handles silent installation:
# PrinterInstall.ps1
$PrinterPath = "\\PrintServer\AccountingPrinter"
$DriverName = "HP Universal Printing PCL 6"
$PortName = "IP_192.168.1.100"
# Create TCP/IP port
Add-PrinterPort -Name $PortName -PrinterHostAddress "192.168.1.100"
# Install driver (admin rights required)
pnputil.exe -i -a "\\PrintServer\Drivers\HP\UPD\hpcu118u.inf"
# Add printer
Add-Printer -Name "Accounting Printer" -DriverName $DriverName -PortName $PortName -Shared $false
Check these critical points when troubleshooting:
- Run
gpresult /h gpreport.htmlto verify GPO application - Inspect
Event Viewer → Applications and Services Logs → Microsoft → Windows → PrintService - Test with Process Monitor filtering for
spoolsv.exeandrundll32.exe
For reliable large-scale deployments:
- Package drivers using
DISM /Add-Driverin your deployment image - Pre-stage printer connections via registry before user logon
- Consider using
PrintBRMfor printer migration scenarios