FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 354482
Description
This article describes how to configure printing on Windows.
Scope
FortiDLP.
Solution

Overview:

As noted in section 3.3 of the agent Deployment Guide, Content-Aware Printing requires agent version 10.4.0+, policy pack 6.6.0+ and a v4 printer driver. In addition, the following steps are required:

  1. Enable the feature.
  2. Enable content inspection (currently only supported for v4 printer drivers).
  3. Configure printer settings:
     a. Enable client-side rendering.
     b. Disable driver isolation.

Note that steps 1 and 3 must be completed for any printing visibility, and step 2 for enabling content inspection. Content inspection is only supported on v4 printers; see V3 vs V4 printers below for details on how to determine which version a print driver is.

These steps are all outlined in this article, for both manual deployment (usually used in testing) and managed deployment via GPO.

Enable the feature:

  • As this is an agent configuration setting in the UI, this step is the same whether dealing with manual or managed deployment.
  • In the GUI, go to Settings -> Agent configuration and select the configuration to edit.
  • Scroll down to the Printing section and enable Monitoring.
Manual Deployment:

Enable content inspection:

  • Install XPS Viewer, which can be done either via the GUI or PowerShell.

 

GUI method:

  • Go to Start -> Settings -> System -> Optional features.
  • Select View features in the Add an optional feature bar.
  • Find XPS Viewer and tick the box, then select Next -> Install.


PowerShell method:

  • In an administrator PowerShell window, run the following command:

    Add-WindowsCapability -Online -Name "XPS.Viewer~~~~0.0.1.0"


Configure printer settings:

Enable client-side rendering:

  • This step needs to be completed if sharing a printer from a Windows device.
  • On the device that is sharing the printer, go to Start -> Settings -> Bluetooth & devices -> Printers & scanners.
  • Select the printer in question, then Printer properties -> Sharing, and tick Render print jobs on client computers.
Disable driver isolation:

  • This step must be completed on the client computer, that is, the one that will be doing the printing. To configure this setting for all printers on many computers, it may be more efficient to do so via GPO (see below).
  • This can be done from the Print Management console.
  • Go to Print Servers, select the server, then Drivers.
  • Find the required Driver Name, right-click it, and select Set Driver Isolation -> None.
Managed Deployment (via GPO):

  • Go to Group Policy Management and create a new Group Policy Object in the domain.
  • Configure the settings as detailed below, then ensure that the GPO is pushed to all domain computers for which printing is to be monitored.

Enable content inspection:

  • Go to Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown).
  • Double-click Startup and select PowerShell Scripts.
  • Save the file xps-viewer-install.ps1 (attached at the bottom of this article), then select Browse, select this file, and select OK -> OK.
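The attached xps-viewer-install.ps1 is not reproduced on this page. As an added example (not the attached script and not Fortinet's code), the following is an idempotent startup script of the kind that step describes: it checks the capability state before installing so it is safe to run at every boot, and logs the outcome. It assumes the capability name used in the manual step above, that the script runs as SYSTEM via the startup GPO, and a log location under ProgramData (an assumption, change as needed).

```powershell
# Added example: idempotent XPS Viewer install for use as a GPO startup script.
# Hypothetical equivalent of the article's attachment, not the attachment itself.
# Assumes the capability name from the manual step and that the script runs as
# SYSTEM at startup (no elevation prompt). Log path is an assumption.

$CapabilityName = 'XPS.Viewer~~~~0.0.1.0'
$LogPath        = Join-Path $env:ProgramData 'xps-viewer-install.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

try {
    # Query the current state first; the whole point is to be safe on every boot.
    $cap = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop

    if ($cap.State -eq 'Installed') {
        Write-Log "$CapabilityName already installed; nothing to do."
        exit 0
    }

    Write-Log "$CapabilityName state is '$($cap.State)'; installing."
    $result = Add-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop

    # Re-query rather than trusting the return object, so the log records what
    # the OS actually reports after the install.
    $after = Get-WindowsCapability -Online -Name $CapabilityName
    Write-Log "Install finished; state is now '$($after.State)'. RestartNeeded=$($result.RestartNeeded)"

    if ($after.State -ne 'Installed') { exit 1 }
    exit 0
}
catch {
    # Typical cause: XPS Viewer is a Feature on Demand, so the machine needs
    # reachable Windows Update or a WSUS/FoD source configured for it.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Because the script exits 0 when the capability is already present, a fleet-wide startup GPO costs nothing on machines that are already compliant; the log line per boot also gives a simple way to confirm content inspection prerequisites are met before expecting detections from a given host.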
Configure printer settings:

Enable client-side rendering:

  • Go to Computer Configuration -> Administrative Templates -> Printers.
  • Right-click Always render print jobs on the server and select Edit.
  • Select Disabled and select OK.
Disable driver isolation:

  • Go to Computer Configuration -> Administrative Templates -> Printers.
  • Right-click Execute print drivers in isolated processes and select Edit.
  • Select Disabled and select OK.
Important: Monitoring unknown printers.

  • If these settings are configured manually, it is only possible to change rendering/driver isolation for specific drivers/print servers. Therefore, an individual sending a print job to an unknown printer (e.g. a home printer) may not trigger any policies and may not produce any print visibility at all.
  • This section outlines how to get print visibility and, optionally, policy detections for all printers.

Print job visibility:

  • If the printer settings are pushed via GPO (as detailed above), they will apply to any printer/driver, including those added at a later date. This ensures visibility of print jobs, regardless of the printer.

 

Note:

As mentioned, content inspection is only possible for v4 printers, so if a user were to print to a v3 printer, no content inspection would occur and thus a policy detection would not be raised. To have a policy detection raised (rather than just a print event) for all printers/print jobs, either configure an allowed list of printers (see Policy detections below) or configure one or more 'fallback' policies that have no content inspection configured and will therefore raise a detection on any print job.

 

Policy detections:

  • In a relevant print policy (e.g. Document printed using a physical printer), it is possible to configure a list of allowed printer names or, for a more secure approach, a list of allowed printer unique identifiers. This ensures that a detection is raised on any network printer that has not been explicitly allowed, even on printers that do not have a UUID (e.g. USB-connected printers).
V3 vs V4 printers:

  • Whether or not content inspection is possible depends on whether the print driver in question is v3 or v4. This can be determined either via the GUI or a PowerShell command.

 

GUI method:

  • This can be done from the Print Management console.
  • Go to Print Servers and find the driver in question, e.g. by going to Custom Filters -> All Drivers.
  • Right-click the driver and select Properties.
  • The Version property will contain either Type 3 for a v3 driver or Type 4 for a v4 driver.
PowerShell method:

  • Running the following command in an admin PowerShell terminal will return a list of all installed print drivers, where the MajorVersion column tells whether the driver is v3 or v4:

    Get-PrinterDriver

  • Add -Name <name> to the command to return the entry for a single print driver.
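Get-PrinterDriver on its own lists drivers, not the printers bound to them. As an added example (not from the article), the following script joins Get-Printer with Get-PrinterDriver on the local host and reports, per printer, whether its driver is v3 or v4 (so whether content inspection is possible) and whether client-side rendering is in effect, which is the setting the Enable client-side rendering step above asks for. It uses only the built-in PrintManagement cmdlets; the property names MajorVersion (on driver objects) and DriverName, Shared and RenderingMode (on printer objects, with CSR meaning client-side rendering) are the cmdlets' own. Run it from an administrator PowerShell window.

```powershell
# Added example: audit local printers for FortiDLP content-inspection readiness.
# Not part of the article; uses the stock PrintManagement cmdlets only.

# Index drivers by name so each printer's driver can be looked up directly.
$drivers = @{}
Get-PrinterDriver | ForEach-Object { $drivers[$_.Name] = $_ }

$report = foreach ($p in Get-Printer) {
    $drv   = $drivers[$p.DriverName]
    $major = if ($drv) { [int]$drv.MajorVersion } else { $null }

    [pscustomobject]@{
        Printer           = $p.Name
        Driver            = $p.DriverName
        DriverVersion     = if ($major) { "v$major" } else { 'unknown' }
        # Per the article, content inspection requires a v4 driver.
        ContentInspection = ($major -eq 4)
        Shared            = $p.Shared
        RenderingMode     = $p.RenderingMode
        # CSR = job rendered on the client, which is what the agent needs;
        # SSR = rendered on the print server, out of the agent's view.
        ClientSideRender  = ($p.RenderingMode -eq 'CSR')
    }
}

$report | Sort-Object ContentInspection, Printer | Format-Table -AutoSize

# Call out the printers that will only ever yield a plain print event and
# never a content-based detection.
$noInspection = $report | Where-Object { -not $_.ContentInspection }
if ($noInspection) {
    Write-Host "`nPrinters without content inspection (v3 or unknown driver):"
    foreach ($r in $noInspection) {
        Write-Host ("  {0} [{1}, {2}]" -f $r.Printer, $r.Driver, $r.DriverVersion)
    }
    Write-Host "These need a fallback print policy without content inspection to raise a detection."
}
```

Running this on a sample of clients before rollout tells you which printers the GPO changes will actually bring under content inspection and which will fall back to print-event-only visibility, which is the gap the Note above describes.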