Is there a way to prevent drivers (even signed ones) from getting installed? I have a PS4 Farm on Windows 2003. I use the "Compatibility Lists" but I'm just curious if that's the only way. After all, the Compatibility list doesn't prevent the driver from getting installed. I use the UPD for just about everything. I still see drivers like "HP LaserJet 4" that come with the O/S come back after deleting them.
Thanks in advance...
Hi,
There are a few drivers that you need to keep around (all related to the Citrix UPD):
- HP Color LaserJet 4500 (Citrix UPD - PCL5c)
- HP Color LaserJet PS (Citrix UPD - PS)
- HP LaserJet Series II (Citrix UPD - PCL4)
If you want to use the UPD exclusively, you need to configure the following settings in a Citrix policy:
- Under Printing -> Drivers -> Universal driver: enable "Use universal driver only"
- Under Printing -> Drivers -> Native printer driver auto-install: enable "Do not automatically install drivers"
Provided you apply the policy to all users (or servers), the UPD will be used exclusively for client-side printer mapping. The only other thing to look out for is with RDP connections (IT staff usually) - make sure you disable client side printer mapping on the RDP listener to prevent printer driver installations.
Of course, any session printers or printers installed on the XenApp servers as local or network printers will require drivers as you can't use the UPD for these.
Alan Osborne
President (MCSE, CCNA, VCP, CCA)
VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB
As Alan said, when you are in your session you can browse any print server and install the drivers automatically. To disable this and only allow the drivers you install and those in the NTPrint.inf, set the following GPOs:
Computer Confi\Admin Templates\Printers\Disallow installation of kernel mode drivers
Computer Conf\Win Settings\Sec Settings\Local Pol\Sec Options\Devices: Prevent users from installing printer drivers
You can also set:
Computer Conf\Win Settings\Sec Settings\Local Pol\Sec Options\Devices: Unsigned driver behaviour: Disallow
--Emil
In addition to that, you can rename ntprint.inf. This means if an admin RDPs to the server with printer mappings enabled, the native drivers will not be installed as the system cannot find ntprint.inf to get the relevant driver information.
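One way to confirm on each farm server that the settings from the replies above are actually in effect, as an added example that is not part of any poster's reply: a read-only PowerShell audit. The registry locations are the usual backing values for these policies and should be verified against your OS build, the function names are hypothetical, and it assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example: read-only audit of the print-driver lockdown settings from the thread.
# Assumptions: registry paths are the usual backing values for these policies;
# function names are hypothetical. Requires PowerShell 2.0 or later.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function New-Check($Check, $Value, $Pass) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Test-PrintDriverLockdown {
    # Printers\Disallow installation of printers using kernel-mode drivers (1 = blocked)
    $km = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 'KMPrintersAreBlocked'
    New-Check 'Kernel-mode printer drivers blocked' $km ($km -eq 1)

    # Devices: Prevent users from installing printer drivers (1 = enabled)
    $add = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 'AddPrinterDrivers'
    New-Check 'Users prevented from installing drivers' $add ($add -eq 1)

    # Devices: Unsigned driver installation behavior (0 = allow, 1 = warn, 2 = block).
    # Stored as REG_BINARY on some builds, so take the first byte either way.
    $sig = @(Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Driver Signing' 'Policy')[0]
    New-Check 'Unsigned drivers disallowed' $sig ($sig -eq 2)

    # RDP listener: client printer mapping disabled (1 = disabled)
    $cpm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'fDisableCpm'
    New-Check 'RDP client printer mapping disabled' $cpm ($cpm -eq 1)

    # Optional hardening from the thread: ntprint.inf renamed so in-box drivers cannot be located
    $inf = Test-Path (Join-Path $env:SystemRoot 'inf\ntprint.inf')
    New-Check 'ntprint.inf renamed' (-not $inf) (-not $inf)
}

Test-PrintDriverLockdown | Select-Object Check, Value, Pass | Format-Table -AutoSize

# Drivers currently installed, for comparison against the list you intend to keep.
# Win32_PrinterDriver names look like "Name,Version,Environment"; keep the name part.
Get-WmiObject Win32_PrinterDriver | ForEach-Object { $_.Name.Split(',')[0] } | Sort-Object -Unique
```

An empty Value column means the setting is not configured on that server, which is reported as a failed check.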
Alan,
I have the "Do not automatically install.." set already. Citrix was pointing fingers at Microsoft when I asked them about it a while back. The UPD doesn't work with every printer, so I can't set the other policy to only use Citrix UPD. I'll check out the RDP listener. That's probably where half of these drivers come from.
Emil & Mark,
That helps. I didn't know about those GPOs, so I'll be sure to set them. So renaming the NTPRINT.INF is a safe practice? There's no way to prevent drivers that come with the O/S from getting put on there?
Yep, it is safe. If Windows does not find a driver on the local server, it will fail the printer connection and not install the driver from any source.
Ok, Thanks!