Tuesday, June 20, 2017

Printer Driver Isolation

Printer driver isolation improves the reliability of the Windows print service by enabling printer drivers to run in processes that are separate from the process in which the print spooler runs.
Support for printer driver isolation is implemented in Windows 7, Windows Server 2008 R2 and later operating systems.
For Windows 7 and Windows Server 2008 R2, an inbox printer driver must support printer driver isolation and be able to run in an isolated process.

Previous Versions of Windows

In previous versions of Windows, including Windows Server 2008, printer drivers always ran in the same process as the spooler. Printer driver components that ran in the spooler process included the following:
  • Print driver configuration modules
  • Print processors
  • Rendering modules
The failure of a single print driver component could cause the print subsystem to fail, halting print operations for all users and for all print components.

New Versions of Windows

With Windows 7 and Windows Server 2008 R2, an administrator can, as an option, configure a printer driver to run in an isolated process, that is, a process that is separate from the spooler process. By isolating the driver, the administrator can prevent a fault in a driver component from halting the print service.
For more information about the spooler functions, see Spooler Component Functions and Structures.

Driver Isolation Support in INF Files

By default, if the INF file that installs a printer driver does not indicate that the driver supports driver isolation, the printer class installer configures the driver to run in the spooler process. However, if the INF file indicates that the driver supports driver isolation, the installer configures the driver to run in an isolated process. An administrator can override these configuration settings and specify, for each driver, whether to run the driver in the spooler process or in an isolated process.
To support driver isolation, the INF file that installs a printer driver can use the DriverIsolation keyword to indicate whether the driver supports printer driver isolation. Setting DriverIsolation=2 indicates that the driver supports driver isolation. Setting DriverIsolation=0 indicates that the driver does not support driver isolation. Omitting the DriverIsolation keyword from the INF file has the same effect as setting DriverIsolation=0.

Spooler Functions for Driver Isolation Settings

The following table shows the spooler functions that an administrator can use to configure the driver-isolation settings.
Function name | Operation
 | Get the driver-isolation settings for a printer.
 | Set the driver-isolation settings for a printer.
 | Enumerate driver-isolation settings for a printer.
 | Request notifications of changes to the driver-isolation settings for a printer.
The format for the data is as follows:
  • Drivers within a group are separated by '\' (one backslash)
  • Driver groups are separated by '\\' (two backslashes)
The first group loads the driver into the spooler processes. Each subsequent group loads the drivers in isolated processes per group. The second group is considered the 'shared' group in which other isolation-capable drivers are loaded by default.
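The grouping format described above, parsed by an added example that is not code from the original page or from Windows; the sample string and driver names are constructed, and the string is taken as input directly rather than read from the registry:

```python
"""Parse a print-driver isolation grouping string and map each driver to
the process it is loaded into. Added example; driver names are constructed.

Format (from the text above): drivers within a group are separated by one
backslash, groups by two backslashes. Group 0 is loaded into the spooler
process itself, group 1 is the 'shared' isolated process, and every later
group gets its own isolated process.
"""
from __future__ import annotations

from dataclasses import dataclass

DRIVER_SEP = "\\"        # one backslash character
GROUP_SEP = 2 * "\\"     # two backslash characters

SPOOLER, SHARED, ISOLATED = "spooler", "shared", "isolated"


@dataclass(frozen=True)
class DriverPlacement:
    driver: str
    group: int
    mode: str


def parse_isolation_groups(data: str) -> list[list[str]]:
    """Split the raw string into groups of driver names.

    Empty groups are kept (an entry like '\\\\x' puts x in group 1, not 0),
    because the group index decides which process the drivers land in."""
    if data == "":
        return []
    groups = data.split(GROUP_SEP)
    return [[d for d in g.split(DRIVER_SEP) if d] for g in groups]


def placement_for_group(index: int) -> str:
    """Group 0 -> spooler process, 1 -> shared process, 2+ -> own process."""
    if index == 0:
        return SPOOLER
    return SHARED if index == 1 else ISOLATED


def driver_placements(data: str) -> dict[str, DriverPlacement]:
    """Map every driver name in the string to its process placement."""
    result: dict[str, DriverPlacement] = {}
    for idx, group in enumerate(parse_isolation_groups(data)):
        for driver in group:
            if driver in result:
                raise ValueError(f"driver listed in two groups: {driver!r}")
            result[driver] = DriverPlacement(driver, idx, placement_for_group(idx))
    return result


def unisolated_drivers(data: str) -> list[str]:
    """Drivers still loaded into the spooler process (group 0): a fault in
    any of these halts printing for every user, the case isolation exists for."""
    return [p.driver for p in driver_placements(data).values() if p.mode == SPOOLER]


# Constructed sample: two legacy drivers in-process, two vendor drivers sharing
# one isolated process, and one misbehaving driver alone in its own process.
SAMPLE = r"legacy_drv_a\legacy_drv_b\\vendor_drv_c\vendor_drv_d\\flaky_drv_e"

if __name__ == "__main__":
    for placement in driver_placements(SAMPLE).values():
        print(placement)
    print("still in spooler:", unisolated_drivers(SAMPLE))
```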

Configuring Driver Isolation Mode through Administration

A computer administrator can use the Windows Print Management console or call the Windows spooler functions to configure the driver-isolation settings for each printer driver installed on a computer. The administrator configures the driver to use one of the settings listed in the following table.
Driver-isolation mode | Meaning
Shared | Run the driver in a process that is shared with other printer drivers but is separate from the spooler process.
Isolated | Run the driver in a process that is separate from the spooler process and is not shared with other printer drivers.
None | Run the driver in the spooler process.
Ideally, a printer driver is able to run in shared mode. That is, it runs in an isolated process shared with other printer drivers but separate from the spooler process. A driver might need to run in isolated mode if it can run in a process separate from the spooler process, but has difficulty sharing the process with other drivers. For example, a poorly designed driver might have file names that conflict with those of related drivers or of different versions of the same driver, or the driver might fault frequently or have a memory leak that interferes with the operation of other drivers that run in the same process.
To support troubleshooting, the domain administrator can disable the driver-isolation feature on a computer in the domain, or the administrator can force all of the printer drivers on the computer to run in isolated mode. In isolated mode, each driver must run in a process separate from the spooler and from the other printer drivers.
If driver isolation is disabled by group policy, the isolation is off for all printer drivers. If isolation is enabled, then the individual drivers are mode-checked. If a driver has isolation mode set, it runs in shared, isolated, or none mode, based on the registry entry. However, if the driver does not have isolation mode set and it is compatible with isolation, it runs in shared mode. If the driver is not compatible with the mode, the group policy override determines whether the driver runs in shared mode or none mode.
The following chart shows a decision map for choosing the driver isolation mode:
[Figure: flowchart for choosing the driver isolation mode]
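The decision rules in the preceding paragraphs (group policy, per-driver registry mode, the INF DriverIsolation value, and the policy override for incompatible drivers), written out as an added example rather than code from the original page or from Windows; the field names are hypothetical, and the point at which the forced-isolated troubleshooting setting is checked relative to per-driver settings is an assumption:

```python
"""Resolve the effective driver-isolation mode from the rules described above.
Added example; the policy and driver fields are hypothetical models of the
settings the text names, not real registry or policy value names."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MODES = ("none", "shared", "isolated")


@dataclass(frozen=True)
class DriverIsolationPolicy:
    isolation_enabled: bool            # group policy: is driver isolation on at all?
    force_isolated: bool = False       # troubleshooting: every driver in its own process
    override_to_shared: bool = False   # incompatible driver: True -> shared, False -> none


@dataclass(frozen=True)
class DriverState:
    name: str
    inf_driver_isolation: int = 0      # INF DriverIsolation value: 2 = supports, 0 = does not
    registry_mode: Optional[str] = None  # admin-set per-driver mode, None if not set


def effective_mode(policy: DriverIsolationPolicy, driver: DriverState) -> str:
    """Return 'none', 'shared' or 'isolated' for one driver under one policy."""
    if not policy.isolation_enabled:
        return "none"                  # isolation off for all drivers
    if policy.force_isolated:          # assumed to take precedence over per-driver mode
        return "isolated"
    if driver.registry_mode is not None:
        if driver.registry_mode not in MODES:
            raise ValueError(f"unknown isolation mode {driver.registry_mode!r}")
        return driver.registry_mode    # explicit per-driver setting wins
    if driver.inf_driver_isolation == 2:
        return "shared"                # isolation-capable, not pinned: shared group
    # Not isolation-capable: the policy override decides shared vs. in-process.
    return "shared" if policy.override_to_shared else "none"


def drivers_in_spooler(policy: DriverIsolationPolicy,
                       drivers: list[DriverState]) -> list[str]:
    """Drivers that would end up inside the spooler process: the set whose
    faults can still take down printing for every user on the machine."""
    return [d.name for d in drivers if effective_mode(policy, d) == "none"]


if __name__ == "__main__":
    policy = DriverIsolationPolicy(isolation_enabled=True)
    fleet = [DriverState("legacy_drv", 0), DriverState("modern_drv", 2),
             DriverState("pinned_drv", 2, registry_mode="isolated")]
    for d in fleet:
        print(d.name, "->", effective_mode(policy, d))
    print("in spooler process:", drivers_in_spooler(policy, fleet))
```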

Spooler Functions Allowed under Driver Isolation

Only specific functions are allowed under driver isolation.

Spoolss.dll Functions

The following functions are exported by spoolss.dll and are available to spooler plugins by linking to spoolss.lib.
AddMonitorW
AppendPrinterNotifyInfoData
ClosePrinter
DeletePortW
DeletePrintProcessorW
EndDocPrinter
EndPagePrinter
EnumFormsW
EnumJobsW
FlushPrinter
GetJobAttributes
GetJobAttributesEx
GetJobW
GetPrinterDataExW
GetPrinterDataW
GetPrinterDriverDirectoryW
GetPrinterDriverW
GetPrinterW
ImpersonatePrinterClient
OpenPrinterW
ReadPrinter
RouterCreatePrintAsyncNotificationChannel
RouterGetPrintClassObject
SetJobW
SetPrinterDataExW
SetPrinterDataW
StartDocPrinterW
StartPagePrinter
WritePrinter

WinSpool.drv Functions

The following functions are exported by winspool.drv and are available to spooler plugins that include Winspool.h.
AppendPrinterNotifyInfoData
ExtDeviceMode
ImpersonatePrinterClient
IsValidDevmode
PartialReplyPrinterChangeNotification
ReplyPrinterChangeNotification
RevertToPrinterSelf
RouterAllocBidiMem
RouterAllocBidiResponseContainer
RouterAllocPrinterNotifyInfo
RouterCreatePrintAsyncNotificationChannel
RouterFreeBidiMem
RouterFreeBidiResponseContainer
RouterFreePrinterNotifyInfo
RouterGetPrintClassObject
RouterRegisterForPrintAsyncNotifications
RouterUnregisterForPrintAsyncNotifications

Monday, June 19, 2017

Manually enabling network file and printer browsing for unmanaged Symantec Endpoint Protection 11.0 clients.

Situation

Cause

Solution

Thursday, June 15, 2017

Using WSUS with Windows 10 1607?

Note:  Consider this post obsolete and replaced by https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/, which offers more detail and clarity around the behavior of Delivery Optimization in both Windows 10 1511 and 1607.
For those of you who have started deploying Windows 10 1607 (edit: and Windows 10 1511), you might notice a change in the behavior of the Windows Update agent for PCs that are configured to pull updates from WSUS.  Instead of pulling the updates from WSUS, PCs may start grabbing them from peers on your network, leveraging the Delivery Optimization service for referrals to other PCs that have already obtained the content.  This change should generally help reduce the amount of network traffic being generated for both quality (monthly) updates and feature updates, offloading that traffic from the WSUS server.  It will add some additional traffic between each client PC and the Delivery Optimization service on the internet, as it has to talk to this internet-only service in order to get a list of peers.
If the Windows Update agent can’t talk to the Delivery Optimization service (due to firewall or proxy configurations), or if there are no peers able to provide the content, it will then go ahead and grab the content from the WSUS server.
There is a new Group Policy setting available if you want to disable this behavior, e.g. because you are already using BranchCache for peer-to-peer sharing.  To do this, you need to set the “Download Mode” policy under “Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization” to specify “Bypass” mode, which will result in the client always using BITS to transfer the content from WSUS (with BranchCache jumping in to provide the peer-to-peer capabilities through its integration with BITS):
[Image: the Download Mode policy setting]
Of course to set this policy, you need the latest ADMX files, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53430 and are also included in Windows 10 1607 and Windows Server 2016.  (The “Bypass” setting wasn’t available in previous versions.)  See https://support.microsoft.com/en-us/kb/3087759 for details on how to update the Group Policy central store with these latest ADMX files, if you are using a central store.

PIN and Fingerprint Sign-in options unavailable (greyed out) in Windows 10 1607 Enterprise

See this post for the resolution to the issue. This fixed it on my Dell E5470.
https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup
Apparently 1607 requires this registry key setting to enable PIN login on domain joined machines:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

Saturday, June 3, 2017

Deploy Access-Denied Assistance (Demonstration Steps)

Step 1: Configure access-denied assistance

You can configure access-denied assistance within a domain by using Group Policy, or you can configure the assistance individually on each file server by using the File Server Resource Manager console. You can also change the access-denied message for a specific shared folder on a file server.
You can configure access-denied assistance for the domain by using Group Policy as follows:

To configure access-denied assistance by using Group Policy

  1. Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
  2. Right-click the appropriate Group Policy, and then click Edit.
  3. Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
  4. Right-click Customize message for Access Denied errors, and then click Edit.
  5. Select the Enabled option.
  6. Configure the following options:
    1. In the Display the following message to users who are denied access box, type a message that users will see when they are denied access to a file or folder.
      You can add macros to the message that will insert customized text. The macros include:
      • [Original File Path] The original file path that was accessed by the user.
      • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
      • [Admin Email] The administrator email recipient list.
      • [Data Owner Email] The data owner email recipient list.
    2. Select the Enable users to request assistance check box.
    3. Leave the remaining default settings.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName AllowEmailRequests -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName GenerateLog -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName IncludeDeviceClaims -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName IncludeUserClaims -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName PutAdminOnTo -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName PutDataOwnerOnTo -Type DWORD -value 1  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName ErrorMessage -Type MultiString -value "Type the text that the user will see in the error message dialog box."  
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\Software\Policies\Microsoft\Windows\ADR\AccessDenied" -ValueName Enabled -Type DWORD -value 1 
Alternatively, you can configure access-denied assistance individually on each file server by using the File Server Resource Manager console.

To configure access-denied assistance by using File Server Resource Manager

  1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.
  2. Right-click File Server Resource Manager (Local), and then click Configure Options.
  3. Click the Access-Denied Assistance tab.
  4. Select the Enable access-denied assistance check box.
  5. In the Display the following message to users who are denied access to a folder or file box, type a message that users will see when they are denied access to a file or folder.
    You can add macros to the message that will insert customized text. The macros include:
    • [Original File Path] The original file path that was accessed by the user.
    • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
    • [Admin Email] The administrator email recipient list.
    • [Data Owner Email] The data owner email recipient list.
  6. Click Configure email requests, select the Enable users to request assistance check box, and then click OK.
  7. Click Preview if you want to see how the error message will look to the user.
  8. Click OK.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Set-FSRMAdrSetting -Event "AccessDenied" -DisplayMessage "Type the text that the user will see in the error message dialog box." -Enabled:$true -AllowRequests:$true  
After you configure the access-denied assistance, you must enable it for all file types by using Group Policy.

To configure access-denied assistance for all file types by using Group Policy

  1. Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
  2. Right-click the appropriate Group Policy, and then click Edit.
  3. Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
  4. Right-click Enable access-denied assistance on client for all file types, and then click Edit.
  5. Click Enabled, and then click OK.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Set-GPRegistryValue -Name "Name of GPO" -key "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explore" -ValueName EnableShellExecuteFileStreamCheck -Type DWORD -value 1  
You can also specify a separate access-denied message for each shared folder on a file server by using the File Server Resource Manager console.

To specify a separate access-denied message for a shared folder by using File Server Resource Manager

  1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.
  2. Expand File Server Resource Manager (Local), and then click Classification Management.
  3. Right-click Classification Properties, and then click Set Folder Management Properties.
  4. In the Property box, click Access-Denied Assistance Message, and then click Add.
  5. Click Browse, and then choose the folder that should have the custom access-denied message.
  6. In the Value box, type the message that should be presented to the users when they cannot access a resource within that folder.
    You can add macros to the message that will insert customized text. The macros include:
    • [Original File Path] The original file path that was accessed by the user.
    • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
    • [Admin Email] The administrator email recipient list.
    • [Data Owner Email] The data owner email recipient list.
  7. Click OK, and then click Close.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Set-FSRMMgmtProperty -Namespace "folder path" -Name "AccessDeniedMessage_MS" -Value "Type the text that the user will see in the error message dialog box."  

Step 2: Configure the email notification settings

You must configure the email notification settings on each file server that will send the access-denied assistance messages.
  1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.
  2. Right-click File Server Resource Manager (Local), and then click Configure Options.
  3. Click the Email Notifications tab.
  4. Configure the following settings:
    • In the SMTP server name or IP address box, type the name or IP address of the SMTP server in your organization.
    • In the Default administrator recipients and Default 'From' e-mail address boxes, type the email address of the file server administrator.
  5. Click Send Test E-mail to ensure that the email notifications are configured correctly.
  6. Click OK.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
set-FSRMSetting -SMTPServer "server1" -AdminEmailAddress "fileadmin@contoso.com" -FromEmailAddress "fileadmin@contoso.com"  

Step 3: Verify that access-denied assistance is configured correctly

You can verify that the access-denied assistance is configured correctly by having a user who is running Windows 8 try to access a share or a file in that share that they do not have access to. When the access-denied message appears, the user should see a Request Assistance button. After clicking the Request Assistance button, the user can specify a reason for access and then send an email to the folder owner or file server administrator. The folder owner or file server administrator can verify for you that the email arrived and contains the appropriate details.
Important
If you want to verify access-denied assistance by having a user who is running Windows Server 2012, you must install the Desktop Experience before connecting to the file share.
