Friday, March 10, 2017

KB3163912 breaks Point and Print Restrictions

Problem:
Users started to see prompts to set up their printers, and users in our computer lab were unable to see the printers when they logged in. This started to occur shortly after the July 2016 Microsoft patch day.

KB3163912 breaks Point and Print Restrictions GPO settings

In July 2016, Microsoft released a patch that fixed a long-standing issue:
  • The server operator sets up Point and Print policies so that users can install their printers (with no restrictions on where people can obtain drivers).
  • An unsuspecting user is given a printer link on the internet.
  • This link has "drivers" for the printer which contain malware/hacks/etc.
  • The malware is installed.
Patch Notes:
https://technet.microsoft.com/library/security/MS16-087


Solution: Since we were using Group Policy Preferences to map user printer queues, I looked into fixing that. We needed to figure out what exactly was happening when the printers were getting mapped. The easiest way to troubleshoot Group Policy Preferences is to enable debug log tracing.
  • Open up your Group Policy Management console.
  • Edit the policy that manages your printers (or anything else).
  • Drill down to Computer Configuration\Policies\Administrative Templates\System\Group Policy; in the list you'll see "Configure Printer Preference logging and tracing".
    You can specifically trace printer preferences. The default location for this text log file is C:\ProgramData\GroupPolicy\Preference\Trace

To actually fix the issues the Microsoft patch introduced, I used these steps.

1. When I used the trace utility it was telling me that permission was being denied to map the printers, so I set permissions on the printer: EVERYONE or AUTHENTICATED USERS must have at least Read (Print) permission. This wasn't the default on Windows Server 2008 R2.

2. The printers that I have are configured to map based on usernames in Group Policy Preferences, so I modified that GPO to contain the following settings.
  1. In Computer Configuration->Administrative Templates->System->Driver Installation, edit "Allow users to install device drivers for these device setup classes". This requires you to put in {0ecef634-6ef0-472a-8085-5ad023ecbccd} to allow printer drivers to be installed.
  2. In User Configuration->Administrative Templates->Control Panel->Printers, edit "Package Point and print - Approved servers". Enable this setting, click on the "Show" box, and type in your server names.
  3. In User Configuration->Administrative Templates->Control Panel->Printers, edit "Point and Print Restrictions"; it should end up looking like this.
  4. Turn off the tracing once you confirm your printers are working.
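To confirm that the three policy settings above actually reached a client before you turn the tracing off, the following PowerShell audit script is an added example (not part of the original post) that reads the registry values those policies write on the workstation. The registry key and value names, and the assumption that the two user-side settings land in HKCU while the driver-class setting lands in HKLM, are my own and should be checked against gpresult /h on your domain.

```powershell
# Added example, not from the original post. Run on an affected client after
# "gpupdate /force" to see whether the Point and Print related policies applied.
# Key/value names below are assumptions based on the printing ADMX templates.

$PrinterClassGuid = '{0ecef634-6ef0-472a-8085-5ad023ecbccd}'   # printer setup class from the post

function Resolve-PolicyKey {
    param([string]$RelativePath)
    # The post sets the printer settings under User Configuration, so HKCU is
    # checked first; HKLM covers the same setting applied under Computer Configuration.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $p = "$hive\$RelativePath"
        if (Test-Path $p) { return $p }
    }
    return $null
}

function Get-ListValues {
    # Returns the non-provider properties of a registry key as name/value pairs.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

# 1. Driver Installation: device setup classes non-admin users may install (machine policy).
$classKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'
$allowedClasses = Get-ListValues -Path $classKey | ForEach-Object { $_.Value }

# 2. Package Point and print - Approved servers: flag plus a ListofServers subkey.
$ppKey = Resolve-PolicyKey 'SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ppEnabled = $false
if ($ppKey) { $ppEnabled = (Get-ItemProperty -Path $ppKey).PackagePointAndPrintServerList -eq 1 }
$approvedServers = Get-ListValues -Path "$ppKey\ListofServers" | ForEach-Object { $_.Name }

# 3. Point and Print Restrictions: Restricted, TrustedServers, ServerList and the prompt settings.
$parKey = Resolve-PolicyKey 'SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$par = if ($parKey) { Get-ItemProperty -Path $parKey } else { $null }

[pscustomobject]@{
    PrinterClassAllowedForUsers   = ($allowedClasses -contains $PrinterClassGuid)
    PackagePointAndPrintEnabled   = $ppEnabled
    ApprovedPackageServers        = ($approvedServers -join ';')
    PointAndPrintRestricted       = ($par.Restricted -eq 1)
    TrustedServersOnly            = ($par.TrustedServers -eq 1)
    TrustedServerList             = $par.ServerList
    NoWarningNoElevationOnInstall = $par.NoWarningNoElevationOnInstall
    UpdatePromptSettings          = $par.UpdatePromptSettings
} | Format-List
```

If PrinterClassAllowedForUsers is false or the server lists are empty, the GPO has not applied to this client and the driver prompts will keep appearing regardless of the printer permissions.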
In the process of setting this up, I discovered that some printers were not being mapped automatically.

Problem:
I was getting a warning in the application log on the User Desktop.
"The user 'Printer1' preference item in the 'Printers {GUID}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed."

Solution:
So I had to go and edit my printer Group Policy Preferences (User Configuration->Preferences->Printers). Pick the printer, go over to the Common tab, and check "Run in logged-on user's security context (user policy option)".