FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 354482
Description
This article describes how to configure FortiDLP print monitoring and content-aware printing on Windows.
Scope
FortiDLP.
Solution

Overview:

 

As noted in the Print Monitoring section of the FortiDLP Agent Deployment Guide, Content-Aware Printing requires agent version 10.4.0 or later, policy pack 6.6.0 or later, and a v4 printer driver. In addition, the following steps are required:

  1. Enable the feature.
  2. Enable content inspection (currently only supported for v4 printer drivers).
  3. Configure printer settings.
    1. Enable client-side rendering.
    2. Disable driver isolation.

 

  • Steps 1 and 3 must be completed for any printing visibility at all. Step 2 is only needed to enable content inspection on agent versions 11.4.6 or earlier. Content inspection is only supported on v4 printer drivers; see V3 vs V4 printers below for how to determine which version a print driver is.

 

Enable the feature:

 

  • As this is an agent configuration setting in the UI, this step is the same for manual and managed deployments.
  • In the GUI, go to Admin Settings -> Agent configuration and select the configuration to edit.
  • Scroll to the Printing section and enable Print Monitoring.

 


Enable content inspection:

  • Install XPS Viewer, using either the GUI or PowerShell.
  • Note: this step is only necessary on agent version 11.4.6 or earlier. Later agent versions support content inspection (on v4 drivers) without XPS Viewer being installed.

 

GUI method:

  • Go under Start -> Settings -> System -> Optional features.
  • Select View features in the Add an optional feature bar.
  • Find XPS Viewer and tick the box, then select Next -> Install.

 


 

PowerShell method:

  • In an administrator PowerShell window, run the following command:

 

Add-WindowsCapability -Online -Name "XPS.Viewer~~~~0.0.1.0"

 

Enforce client-side rendering:

 

On the print server:

  • On the device that is sharing the printer, go to Start -> Settings -> Bluetooth & devices -> Printers & scanners.
  • Select the printer in question, then Printer properties -> Sharing and tick Render print jobs on client computers.

 


 

Additionally, ensure that the following registry values are set on the print server, replacing <Printer Name> with the name of the printer. Both values are REG_DWORD and live under the printer's PrinterDriverData key:

  • Path: HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\<Printer Name>\PrinterDriverData
    Value name: ForceClientSideRendering    Type: REG_DWORD    Data: 1
  • Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<Printer Name>\PrinterDriverData
    Value name: EMFDespoolingSetting    Type: REG_DWORD    Data: 0

 

On the client machine(s):

  • Go to Group Policy Management and create a new Group Policy Object in the domain, linked to the OU that contains the client computers.
  • Go to Computer Configuration -> Administrative Templates -> Printers.
  • Right-click Always render print jobs on the server and select Edit.
  • Select Disabled and select OK.
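The print-server half of this procedure (the Sharing tab option plus the two registry values) can be applied and verified from an elevated PowerShell session instead of clicking through the GUI. The script below is an added example and is not part of the FortiDLP article or product; it uses only the standard PrintManagement cmdlets and registry provider, and $PrinterName is a placeholder for the printer being shared. The client-side GPO step is not covered here, as that is applied through Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FortiDLP article): enforce client-side rendering
# for one shared printer on a Windows print server and verify the result.
param(
    [Parameter(Mandatory = $true)]
    [string]$PrinterName   # placeholder: the printer's name as shown by Get-Printer
)

$ErrorActionPreference = 'Stop'

# 1. Equivalent of ticking "Render print jobs on client computers" under
#    Printer properties -> Sharing. Fails if the printer does not exist.
Set-Printer -Name $PrinterName -RenderingMode CSR

# 2. The two registry values from the article. The PrinterDriverData key is
#    created if it is missing so New-ItemProperty has somewhere to write.
$values = @(
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\$PrinterName\PrinterDriverData"
       Name = 'ForceClientSideRendering'; Data = 1 },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\$PrinterName\PrinterDriverData"
       Name = 'EMFDespoolingSetting'; Data = 0 }
)
foreach ($v in $values) {
    if (-not (Test-Path -Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
    New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType DWord -Value $v.Data -Force | Out-Null
}

# 3. Restart the spooler so the new settings take effect for new jobs.
Restart-Service -Name Spooler

# 4. Verify: rendering mode reported by the spooler and the raw registry data.
$p = Get-Printer -Name $PrinterName
[pscustomobject]@{
    Printer                  = $p.Name
    Shared                   = $p.Shared
    RenderingMode            = $p.RenderingMode   # expected: CSR
    ForceClientSideRendering = (Get-ItemProperty -Path $values[0].Path -Name $values[0].Name).ForceClientSideRendering
    EMFDespoolingSetting     = (Get-ItemProperty -Path $values[1].Path -Name $values[1].Name).EMFDespoolingSetting
}
```

Save it as a .ps1 and run it once per shared printer, e.g. .\Set-CsrPrinter.ps1 -PrinterName "Floor 2 MFP". The final object should show RenderingMode CSR, ForceClientSideRendering 1 and EMFDespoolingSetting 0; anything else means a step did not apply.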

 


 

Disable driver isolation:

 

Manually:

  • This step must be completed on the client computer, as well as on the print server if one is used.
  • This can be done from the Print Management console.
  • Find the required driver, right-click, and select Set Driver Isolation -> None.
  • Driver isolation is a hardening feature: with it set to None the driver code runs inside the spooler process itself rather than in a separate PrintIsolationHost.exe process. Limit the change to the drivers and hosts that need it, and keep those drivers up to date.

 


 

Managed Deployment (via GPO)

  • To configure this setting for all printers on many computers, it may be more efficient to do so via GPO.
  • Go to Group Policy Management and create a new Group Policy Object in the domain, linked to the OU that contains the computers in scope.
  • Go to Computer Configuration -> Administrative Templates -> Printers.
  • Right-click Execute print drivers in isolated processes and select Edit.
  • Select Disabled and select OK.
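On a machine that is not domain-joined (or a test box used to validate the agent before the GPO is rolled out), the same policy setting can be applied and checked locally. The script below is an added example, not FortiDLP documentation or code. It assumes that the "Execute print drivers in isolated processes" policy is backed by the REG_DWORD PrintDriverIsolationExecutionPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 0 meaning Disabled; confirm that value name against the Printing.admx template in use before relying on it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FortiDLP article): disable print driver isolation
# on the local machine via the policy registry value and confirm the result.
# Assumption: PrintDriverIsolationExecutionPolicy is the value the
# "Execute print drivers in isolated processes" policy writes (0 = Disabled).
$ErrorActionPreference = 'Stop'

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'PrintDriverIsolationExecutionPolicy'

if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 0 -Force | Out-Null

# Drivers already loaded into PrintIsolationHost.exe stay there until the
# spooler restarts, so restart it before testing.
Restart-Service -Name Spooler

# Verification. After a test print with isolation disabled there should be no
# PrintIsolationHost.exe hosting drivers (the count is informational; the
# policy value is the authoritative check).
$state = [pscustomobject]@{
    PolicyValue        = (Get-ItemProperty -Path $policyKey -Name $policyName).$policyName
    IsolationHostCount = @(Get-Process -Name PrintIsolationHost -ErrorAction SilentlyContinue).Count
}
$state
if ($state.PolicyValue -ne 0) { throw "Driver isolation policy is still enabled (value $($state.PolicyValue))" }
```

Because this writes under the Policies hive, a domain GPO that sets the same policy will overwrite it at the next Group Policy refresh; use the GPO method for managed machines.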

 


 

Important: Monitoring unknown printers:

  • If these settings are configured manually, rendering and driver isolation can only be changed for specific drivers or print servers. An individual sending a print job to an unknown printer (e.g. a home printer) may therefore not trigger any policies, and may not produce any print visibility at all.
  • This section outlines how to get print visibility and, optionally, policy detections for all printers.

 

Print job visibility:

  • If the printer settings are pushed via GPO (as detailed above), then these will apply to any printer/driver, including those added at a later date. This will ensure visibility on print jobs, regardless of the printer.

 

Note: 

As mentioned, content inspection is only possible with v4 drivers. If a user prints to a v3 printer, no content inspection occurs, so a content-based policy detection is not raised. To have a detection raised (rather than just a print event) for all printers and print jobs, either configure an allowed list of printers (see Policy detections below) or configure one or more 'fallback' policies that have no content inspection configured and therefore raise a detection on any print job.

 

Policy detections:

  • In a relevant print policy (e.g. Document printed using a physical printer), it is possible to configure a list of allowed printer names or, for a more robust approach, allowed printer unique identifiers. A detection is then raised for any printer that has not been explicitly allowed, including printers that do not have a UUID (e.g. USB-connected printers).

 


 

V3 vs V4 printers:

  • Whether or not content inspection is possible depends on whether the print driver in question is v3 or v4. This can be determined either via the GUI or with a PowerShell command.

 

GUI method:

  • This can be done from the Print Management console.
  • Go to Print Servers and find the driver in question e.g. by going to Custom Filters -> All Drivers.
  • Right-click the driver and select Properties.
  • The Version property will either contain Type 3 for a v3 driver or Type 4 for a v4 driver.

 


 

PowerShell method:

  • Running the following command in an administrator PowerShell window returns a list of all installed print drivers; the MajorVersion column shows 3 for a v3 driver or 4 for a v4 driver.

 

Get-PrinterDriver

 

  • Add -Name <name> to the command to return the entry for a single print driver.
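Checking drivers one at a time does not show which printers will actually get content inspection. The script below is an added example, not part of the FortiDLP article or product: it joins Get-Printer with Get-PrinterDriver on the local machine and applies the rules stated in this article (v4 driver for inspection, client-side rendering for visibility, XPS Viewer for agent 11.4.6 or earlier) to produce a readiness report. It is read-only and uses only standard cmdlets; the status wording is the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FortiDLP article): per-printer readiness report
# for content-aware printing on the local machine. Read-only.
$ErrorActionPreference = 'Stop'

# Index installed drivers by name once instead of querying per printer.
$drivers = @{}
foreach ($d in Get-PrinterDriver) { $drivers[$d.Name] = $d }

$report = foreach ($p in Get-Printer) {
    $d = $drivers[$p.DriverName]
    $driverType = if ($null -eq $d) { 'unknown' } else { "v$($d.MajorVersion)" }
    $isV4  = ($null -ne $d) -and ($d.MajorVersion -eq 4)
    $isCsr = ([string]$p.RenderingMode -eq 'CSR')

    # Rules from the article: a shared printer needs client-side rendering for
    # visibility; inspection only happens with a v4 driver; a v3 printer yields
    # a print event only, so a fallback policy is needed for a detection.
    if ($p.Shared -and -not $isCsr) {
        $status = 'shared without client-side rendering: complete step 3'
    }
    elseif ($isV4) {
        $status = 'content inspection possible'
    }
    else {
        $status = 'print event only (not a v4 driver): fallback policy needed'
    }

    [pscustomobject]@{
        Printer       = $p.Name
        Driver        = $p.DriverName
        DriverType    = $driverType
        RenderingMode = $p.RenderingMode
        Shared        = $p.Shared
        Status        = $status
    }
}
$report | Format-Table -AutoSize

# XPS Viewer is only required for agent 11.4.6 or earlier; report its state.
$xps = Get-WindowsCapability -Online -Name 'XPS.Viewer~~~~0.0.1.0'
"XPS Viewer capability state: $($xps.State)"

# Surface v3 drivers explicitly, since those printers will never be inspected.
$v3 = @($report | Where-Object { $_.DriverType -eq 'v3' })
if ($v3.Count -gt 0) {
    Write-Warning "$($v3.Count) printer(s) use v3 drivers; content inspection will not apply to: $($v3.Printer -join ', ')"
}
```

Run it on the print server and on a representative client; on the client, printer connections from the server appear in Get-Printer as well, so the report shows what the agent on that endpoint will see.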

 
