This article provides information on how to restrict the installation of print drivers on a XenApp Servers hosted on Windows Server 2008.

Background

On Windows Server 2003, the installation of print drivers on XenApp servers can be restricted. For more information, refer to CTX120618 – How to Restrict Print Drivers from Being Installed on XenApp Servers. For Windows Server 2008 (R1 and R2), the installation of the print drivers cannot be restricted because of the changes in the printing subsystem.

The Point and Print Microsoft technology introduced in Windows XP and Windows Server 2003 aids to navigate to a print server through Windows Explorer and to install a shared printer. When a printer is connected, Windows downloads the necessary driver automatically and installs it on the local system.

The Point and Print technology introduced in Windows Vista and Windows Server 2008 R1 uses driver packages instead of individual files as used by the originating print server.

Instructions

To restrict the installation of print drivers through the Group Policy settings, complete the following steps:

2. Set a false server name in Approved Servers or FQDN of a server which can allow Point and Print.
   Note: If a server is not specified, the policy setting does not work.

3. Go to Administrative Templates > Printers > Only Use Package Point and Print
   OR
   Go to Administrative Templates > Printers > Point and Print Red Restrictions.

4. Set a false server name here or only a particular servers.

The step 1 and 2 disable or restrict the Package Point and Print. The step 3 and 4 ensure that either Package Point and Print is only used (so that Windows cannot fall back into XP-mode point and printing) or the servers are disabled on which the standard point and print can be used.

The following explanation in the GPO template, Package Point and Print – Approved Servers, provides more information:
“This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the Point and Print Restrictions policy that governs the behavior of non-package point and print connections.
Windows Vista and higher clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators might need to set both policies to block all print connections to a specific print server.
If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers.”
http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/VistaPnPSec.doc