EMET group policy preference "application configuration" vs "default protection for popular software"

Similar Messages

• EMET GPO Default Protects for Recommended Software conflicting with Application Configuration GPO

  Hello,
  I am trying to have Excel15 launch with the -EAF mitigation removed, but also have the "Default Protections for Recommended Software" policy Enabled. This is to allow the Microsoft Power Query Ad--In to function using Excel 365 Pro Plus x64.
  It seems that the "Default Protections for Recommended Software" is taking precedent over the manually configured  "Application Configuration" Enabled policy.
  I have the  Application Configuration Enabled and looks like:
  - C:\Program Files\Microsoft Office 15\root\office15\excel.exe -EAF
  - *\Microsoft Office\OFFICE15\EXCEL.EXE -EAF
  - *\Microsoft Office 15\root\office15\excel.exe -EAF
  Any help would be greatly appreciated to get Excel launching without the -EAF mitigation.
  Thanks,

  if I understood correctly from talking to EMET feedback team last time, they said  App Config settings don't actually override any the default app or popular or IE protection profiles. (it really seems like App config settings override the other profiles
  from the manual, hey? I thought so as well) 
  Sooo, it sounded like we'd need to extract the recommended or popular app list, convert it to the path + mitigation not included format for the app config GPO and then just use app config to manage it. 
  Needless to say it sounded surprising and laborious and not management by exception at all. 
  Rinse repeat for new versions of emet and XML policy files . 
  p.s what would be really helpful in the admin guide is some real world examples of contoso.local where they apply the recommended apps + a few exceptions for all + custom exceptions for a separate class of  machines or groups of users. hmeh.

• 2008R2 IE 11 Group Policy Preference Proxy Configuration Issues

  I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings.  I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11.  Everything I've
  read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11.  But when I look at my .admx files in %systemroot%/PolicyDefinitions it has the same exact .admx file that I download
  from the Admin Templates.  I can not see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a Proxy server.  How do I go about getting these preferences to become available in Server 2008 R2 SP 1? 
  #admx link
  http://www.microsoft.com/en-us/download/details.aspx?id=36991
  Note that I also tried the following to manually add support while testing but it didn't help me:
  Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings
  Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.
  Navigate to User\Preferences\InternetSettings
  Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe
  until 10.5.0, or until a hotfix is available. "
  max="10.5.0.0"

  > - Win 7 clients mysteriously show a configuration for IE 5 when I turned
  > on the IE 10 GPP.
  Although seemingly surprising, that's ok - Win7 GPP doesn't know that
  IE10 GPP exists at all, so it defaults to whatever the programmer made
  the default.
  > It only displays a few items under it as being
  > activated despite none of them being configured on the server side.
  That I cannot confirm - here it displays exactly what is configured.
  > - The home page option will not set on any version of windows.
  Cannot confirm, too - that is what I tried with the IE10 GPP for Win7,
  and it works. You know about the red/green lines and the F5...F8 thing?
  > - From Win 8.1 RSAT GPO tools if you click ok on certain fields you'll
  > get messages about check boxes on other screens then things like proxy
  > settings will be permanently greyed out until you restart the GPO from
  > scratch.
   > - None of the advanced options for the proxy entries would take on  the
   > clients.  Adding whitelist entries in the advanced option would blank
   > out fields on other screens in the GPP.
  That's a known bug in the proxy settings screen.
  > My best explanation for this is that even though the 8.1 client has the
  > options available the 2008 R2 server will not save and distribute them
  > correctly.
  Definitely - sorry - wrong. The Server (DC) doesn't know about the
  contents of GPP, these are simple XML files the GP Editor writes to sysvol.
  In fact, most CSEs store their settings in files on sysvol, and the DC
  doesn't care about the contents of these. SOME of them (Wifi, eg) on the
  other hand require AD objects, and this objects sometimes require a
  specific schema version. But even in this case, the DC OS doesn't matter
  - schema updates can be installed on downlevel OS versions, too.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group policy preference for creating printers setting the wrong printer as default

  Hi
  We have a a group policy preference applied to users.  At the moment we create a shared printer and set it as default for all users in a specific OU.  Now we need to add another shared printer.  I have updated the policy and set it to create
  the new shared printer and have set item level targeting to the same OU as the first printer.  I want to keep the existing printer as the default, however when the policy runs, the new printer is created fine but it is set as the default
  printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Both printers are Shared printers and are set to Create
  The existing printer (printer A) is set as the default printer.  It is targeted at the London OU.
  The new printer (printer B) has NOT been set as default.  It is targeted at the London OU.
  No other options have been set.
  When the policy is applied both printers are added but printer B is being set as the default.
  Any help would be appreciated.
  Thanks
  G

  Hi G,
  >>however when the policy runs, the new printer is created fine but it is set as the default printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Before going further, what's the operating systems of our clients? Here, I need to double confirm that the checkbox of
  Set this printer as the default printer... is not selected in the new GPP Printer item. Besides, we can change the orders of the printer items. To do this, select the printer item, right click, click All Tasks, and choose Move Up or Move
  Down to change the order.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How can I setup a scheduled task to run a Powershell Script delivered as a Group Policy Preference

  I have a Powershell script I want to run only once when a user logs onto their system. This script would move all the PST files from the Local drive and the Home drive to a folder location within the users profile. I wanted to run this as a Windows 7 Scheduled Task using Group Policy Preferences. How can I get this to happen short of a logon script? I have updated all the machines to WMF 4.0 so could I use a Scheduled Job instead? I wanted to run the script as the logon user but elevated.#Start Outlook and Disconnect attached PST files.
  $Outlook = New-Object -ComObject Outlook.Application
  $namespace = $outlook.getnamespace("MAPI")
  $folder = $namespace.GetDefaultFolder("olFolderInbox")
  $explorer = $folder.GetExplorer()
  $explorer.Display()
  $myArray= @()
  $outlook.Session.Stores | where{ ($_.FilePath -like'*.PST') } | foreach{[array]$myArray+= $_.FilePath}
  for
  ($x=0;$x-le$myArray.length-1;$x++)
  $PSTPath= $myArray[$x]
  $PST= $namespace.Stores | ?{$_.FilePath -like$PSTPath}
  $PSTRoot= $PST.GetRootFolder() #Get Root Folder name of PST
  $PSTFolder= $Namespace.Folders.Item($PSTRoot.Name) #Bind to PST for disconnection
  $Namespace.GetType().InvokeMember('RemoveStore',[System.Reflection.BindingFlags]::InvokeMethod,$null,$Namespace,($PSTFolder)) #Disconnect .PST
  #Move All PST files to the default location while deleting the PST files from their original location.
  $SourceList = ("$env:SystemDrive", "$env:HOMEDRIVE")
  $Destination = ("$env:USERPROFILE\MyOutlookFiles")
  (Get-ChildItem -Path $SourceList -Recurse -Filter *.PST) | Move-Item -Destination $Destination
  #Attach all PST files from the default location.
  Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
  $outlook = new-object -comobject outlook.application
  $namespace = $outlook.GetNameSpace("MAPI")
  dir “$env:USERPROFILE\MyOutlookFiles\*.pst” | % { $namespace.AddStore($_.FullName) }

  Mike,
  I do not understand what appears to be a regular expression above. I did add the PowerShell script to the HKCU RunOnce Key as suggested.
  Windows Registry Editor Version 5.00
  C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -sta -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File "C:\scripts\Windows PowerShell\Move-PST.ps1"
   I'm delivering this using Group Policy Preferences. It seems to fail or time out when run because the behavior is different if I run the script from within the PowerShell IDE. I added the parameters to the script and will try it again in the morning.

• Group Policy Preference Power Plan "Blocked By Group Policy"

  I noticed this error in the application event log of a Windows 7 PC:
  Log Name:      Application
  Source:        Group Policy Power Options
  Date:          3/21/2013 3:19:42 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      xxx
  Description:
  The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
  policy. For more information, contact your system administrator.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Power Options" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
      <EventRecordID>7687</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xx</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>computer</Data>
      <Data>Power Plan (Windows Vista and later)</Data>
      <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
      <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
    </EventData>
  </Event>
  How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

  Hi,
  You can also enable GPP tracing and logging for more information:
  Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  Regards,
  Cicely
  There is no such option "Configure Power Options preference logging and tracing" at Computer
  Configuration\Policies\Administrative Templates\System\Group Policy\.
  It alphabetical order Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

• Mandatory Profiles, Group Policy Preferences, Synchronous processing

  Hello,
  I'm using Windows 8.1 Update to setup a lab of computers that will use standard user accounts with Mandatory Profiles and Group Policy to lock them down. Everything is working great with the exception of Group Policy Preferences. I am using GPP printers
  to add a shared printer to the computer lab and set the default. Due to asynchronous processing, the GPPs are applied only every other time. Since they are mandatory profiles, the settings are wiped out every time.
  I have enabled the GPO setting "Always wait for network at startup and logon" but it doesn't seem to have any effect. The Mandatory Profile is assigned in the user's AD object.
  From everything I can find on the issue, the problem seems to stem from the synchronous processing/asynchronous processing of group policy preferences, which explains the consistent alternating working. Fast logon optimization is always off when using a
  roaming user profile, which is the case of these standard users, to my understanding. I also configured cached logons to '0', disabling cached logons. The computers (configured to automatically sign in with SysInternals' Autologon) received an error (no logon
  servers available) trying to sign in before the network was ready, showing that they are ignoring the setting. Even with waiting for the network and signing in manually, the GPP printers are only successfully added every other time.
  http://technet.microsoft.com/en-us/library/jj573586.aspx
  2008R2 functional level
  I have created and recreated GPOs to test creating them on the DC and a Windows 8.1 Update computer, with no change in outcome.
  I have also tried setting Startup policy processing wait time, run logon scripts synchronously, and GPP Printers processing behaviors. For the latest testing, I created a new OU with blocked inheritance and created a new GPO with just the key settings to
  wait for network, install the printers, and use the mandatory profile. It still only worked every other time.
  I am currently at a loss for a good way to add the printers to the mandatory profiles. I have hacked them into the HKCU of the mandatory profile but I feel that is a kludge solution and not very sustainable. I have tried a logon PowerShell script but had
  no luck.
  TL;DR: Win8.1Update, Mandatory Profiles, standard user: Every other restart, GPP Printers are added perfectly and the desired outcome is reached. Every other, other restart the printers are not added.

  Hi,
  I'll involve other engineer to this thread for more discussion about your problem. Please wait patient.
  Thank you for your understanding!
  Roger Lu
  TechNet Community Support

• Group Policy Preferences Printer Delete Behavior

  I just had a maddening time trying to get Group Policy Preferences to delete printers.  I'm sharing what I found out so that you might have a better experience.
  1. Even though the field is grayed out, if you have something in the "Local Name" field, the printer will only be deleted if the name matches what you have here.
  2. If the "Local Name" field is empty, one printer with a matching IP address will be deleted.  If there are multiple printers with the same IP address, the policy will delete them one by one each time a refresh occurs unless you've got the "Apply
  Once" option active.
  The client I tested with was Windows 7 with version 6.1.7601.22249 of group policy preferences installed.

  After more testing, it turns out that all of my observations were correct:
  1. Even though the field is grayed out, if you have something in the "Local Name" field, the printer will only be deleted if the name matches what you have here.
  2. If the "Local Name" field is empty, one printer with a matching IP address will be deleted.  If there are multiple printers with the same IP address, the policy will delete them one by one each time a refresh occurs unless you've got the "Apply Once"
  option active.
  3. If the "Local Name" field is empty, a warning '0x80070709 The printer name is invalid.' will be logged in the  Application log.  If a printer exists, it will still be deleted.  If the "Apply once and do not reapply" option is checked, the
  warning will still be logged every time group policy refreshes.  This warning can be prevented by configuring "Configure Printers preference logging and tracing" to only log errors, but then you potentially miss out on warnings about actual problems.

• Group policy Preferences server 2008 and windows 7

  Hi I have been struggling with an issue with group policy preferences for a while now with regard to pushing out printers to windows 7 (32/64 bit) Machines. I have two DC servers one is 2008 and the other is 2008 r2. I have setup the group policies on the
  2008 server as it is the only one i am allowed to access regularly to do this.
  Basically here is my problem. I have created multiple GPO's to send out printers from out print server to classrooms across the school district I work for, I have a mix of xp and windows 7 machines. I have the server setup with both 32 and 64bit drivers
  for all printers on that server, we have a mix of oki and hp and ricoh. I know all the connections work and the drivers work well, however when I push them out using the group policy, the windows 7 machines don't install the printers. The xp machines do this
  perfectly well when I install the client side extensions patch, but they just will not pull down on the 7 machines unless i install the printer first manually, then delete it and then run gpupdate. In that instance it will work, but obviously i don't want
  to have to go round thousands of computers doing this manually.
  Just as a side note, each classroom has its own user account and its own printer.
  If anyone has any advice as to how i can go about resolving this issue i would greatly appreciate it, this has been a problem i have been researching and trying to fix since January.......

  Hi,
  >>The xp machines do this perfectly well when I install the client side extensions patch, but they just will not pull down on the 7 machines unless i install the
  printer first manually, then delete it and then run gpupdate.
  Before going further, we can run command
  gpresult/h gpreport.html with admin privileges to collect group policy result on the troubled Windows 7 clients to check the issue. Besides, we can also check event logs in Event Viewer to see if some related error events were logged.
  Besides, I want to confirm if we have disabled
  Point and Print Restrictions under both User Configuration and Computer Configuration. To have a consistent experience, it’s recommended that we disable the policy setting in both locations if we are dealing with mixed-level clients.
  Regarding this point, the following article can be referred to for more information.
  Point and Print Restrictions policies are ignored in Windows Vista SP2, Windows Server 2008 SP2, and later Windows operating systems
  http://support.microsoft.com/kb/2307161/en-us
  Best regards,
  Frank Shen

• [Forum FAQ] Group Policy Preferences Scheduled Tasks Item not working when the option Run whether user is logged on or not is selected

  Scenario:
  We use one of the following Group Policy Preferences Scheduled Tasks item to deploy a task to clients:
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  (Note that on some platforms, "At least Windows 7" is replaced with "Windows Vista and later.")
  After designating a user account to run the task, we select “Run whether user is logged on or not” option, and “The Do not store password…”
  check box is automatically grayed out (See Figure 1).
  Figure 1
  After finishing configuring the task item, on a client, we run command
  gpupdate/force to forcefully update group policy. However, on the client, when we check if the task is listed in Task Scheduler snap-in, the task is not displayed, and when we run
  gpresult/h report.html to collect group policy result for troubleshooting, we see an error as similar as shown in the following figure (Figure 2).
  Figure 2
  Cause:
  To make the scheduled task run whether the user is logged on or not, we need to store the password of the designated user account. However, for the content of the scheduled
  task item is stored in Sysvol where it’s not safe to store passwords, this function has been deprecated.
  Workaround:
  We can run the task with system account
  NT Authority\System, or we can use specific user accounts to run the task when the given user is logged on. (See Figure 3)
  Figure 3
  Reference:
  MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014
  http://support.microsoft.com/kb/2962486
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hello Everyone,
  Succeeded !!!!!!!
  Even i was struggling with this same Problem to execute a batch via Window scheduler and set the setting to "Run whether the user is logged in or not".
  I tried many time but the batch runs with " Run
  whether user is logged on" and not with "Run
  whether user is logged on or not".
  what i discovered is that there was one mapped drive
  path in my batch file which was not the complete path like y:/AR.qvw actually what i did i changed that map path to the complete path like \\servnamename\d$\AR.qvw and the batch executed successfully with the setting "Run
  whether user is logged on or not"
  The
  conclusion is that check the dependency of the script on external resources because when you check this option "Run
  whether user is logged on or not" It actually conflicts. This my discovery.
  If
  you have any question write me on [email protected]
  Thanks
  & Regards,
  Arun

• Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

  We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
  8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
  I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
  if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
  When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
  both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
  I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

  In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

• Windows 2008 R2 - Group Policy Preference - folder option "Open with" Access denied

  Similar to this post:
  social.technet.microsoft.com/Forums/en-US/d42a81bc-96de-4af3-bc41-079e88e6ea4a
  We have Citrix terminal servers running Windows 2008 R2 and attempting to force PDF files to open with Acrobat versus PDF editing software we have installed for a small subset of users.  So I created a Group Policy Preference and added a OpenWith item
  to the Folder Options to use Acrobat as the default and linked it to a Users OU.  However, if I run gpresult the OpenWith setting fails with error code 0x80070005.  You can change it to not run in the user's security context which eliminates the
  error but then it won't actually do anything.
  The problem seems to be that when a user sets another program as their default via Windows Explorer the permissions on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice get changed so that the user is specifically
  denied the ability to set that key.  Remove the special permissions added and the group policy succeeds and changes it back to the default ... until the user changes it back (intentionally or otherwise) and the permissions are changed again.
  Any ideas here?

  > Any ideas here?
  We use GPP Registry to achieve this goal, so we do not run into that
  issue (we unchecked "run in users context", so privs are not an issue)
  But I agree, this really should work as intended...
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Unable to make changes to LAN Settings in IE after Group Policy Preference is applied

  Hi all,
  I have an IE10 group policy preference on a Server 2008 R2 domain that is pushed out to Windows 7 SP1 x64 clients. This IE10 GPP is used to push out proxy settings etc. The GPP is applied fine, however when I go into LAN Settings in IE and make any
  changes such as unchecking "Use a proxy server..." these changes are not saved. As soon as I click OK and go back into LAN Settings it reverts back to the GPP settings. Are IE10 GPP's meant to allow a user to amend settings in IE? The users have
  permissions to write to the Connections key under Internet Settings in the registry. If I delete the Connections key (Which includes DefaultConnectionSettings and SavedLegacySettings) I can then make changes to the proxy (Although without the original settings).
  I know their are other, and better, methods of controlling proxy settings for users but unfortunately this is the way the customer has it implemented. All defaults for GP is applied such as refresh rate etc. I've tested IE10 on a Server 2012 R2 / Win8 environment
  with the exact same GPP settings and I can make changes to the LAN Settings. Is this possibly a bug? Any help would be appreciated.
  Thanks.

  Hi,
  So by now we could make it work by deleting the Connections key, in order to change the proxy settings of IE 10-Windows 7 in the Windows Server 2008 R2 environment?
  Besides, could it be convenient for us to perform some more tests here? How IE 10 of Windows 7 behaves in Server 2012 R2 environment? And Windows 8 in Server 2008 R2?
  Best regards
  Michael
  Michael Shao
  TechNet Community Support

• Registry Wizard not saving selections in Group Policy Preferences.

  Hello,
  I am trying to set registry keys for ODBC settings using Group Policy Preferences. All PC's in the domain are Windows 7. In testing, I was able to get this to work. Now that I am trying to create it for production, I am unable to get it to work.
  I am using the same PC to create for production that I used when I was testing.
  The steps I am taking are as follows:
  Create a new GPO. Edit the GPO and navigate to the registry node under Computer Configuration, Preferences where I create a new Collection Item. I then right click the new collection item and choose New - Registry Wizard. Using Local Computer,
  I navigate to [HKLM] > Software > Wow6432Node > ODBC > ODBC.ini
  Under the ODBC.ini key are all of the keys and data I want to include in my policy. When I check each key and put a check mark beside each data item in the lower window, my selections in the lower window are not being saved. The check mark
  shows up at the time but they are gone if I go back to check my work before hitting the finish button. If I go ahead and finish the policy anyway, I only get the keys, not the data items when the GPO is applied.
  I have found a work around but it is very cumbersome and isn't a good long term solution. The work around is to go ahead and create the policy, then go back into the collection and expand everything on the left and add each data value to each key one at
  a time using the All Tasks > Add - menu item.
  Any ideas why this is happening? I should also mention when I was "testing", I was hitting the same domain controller as I am when trying to build this for my "production" policy.
  Thanks in advance.

  Hello,
  Thanks for your reply. I am waiting on my account to be verified before I can post a screen shot.
  I did discover that if I go through and click on all the data items more than once, it appears to work. Basically, I went through each key and checked the data items, then went back to the top and started over again. All of the checks were gone, so I checked
  them again and clicked finish. I don't know if they were still missing but checking them twice seems to have worked.
  I can replicate the issue if I only check them once.

• Does using Group Policy Preferences to deploy printers require the print driver to be pre-installed?

  I'm trying to prepare our school system for Windows 7 (we currently use XP).  I would like to use the new Group Policy Preferences method of deploying printers.  I pushed out the XP client side extensions through WSUS.  In my test environment, I added the shared printer in group policy preferences.  My XP machine had the printers show up automatically, but my Windows 7 machine did not.  I realized that I had previously connected a printer of the same type to my XP machine before and the drivers were already installed.  To test this theory, I manually connected the shared printers to the Windows 7 machine, deleted them, then logged off and back on.  Now the printers are showing up from group policy.  My question is does using group policy preferences to deploy printers require the print driver to be pre-installed?  If not, then what am I doing wrong?  If so, is there a way to work around this?  Thanks for your help.
  EDIT:  To clarify, I am using the share method in GPP.  This is the error message I get in the event log:
  The user 'PRINTERNAME' preference item in the 'win7 printer test {946461A1-27F8-406F-A0B3-0A1A05AF34F6}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

  This link have a description of resolution:
  http://technet.microsoft.com/en-us/library/cc725938.aspx
  Open the GPMC.
  Open the GPO where the printer connections are deployed, and navigate to Computer Configuration, Policies, Administrative Templates, Control
  Panel, and thenPrinters.
  Note
  The Point and Print Restrictions setting can also be found under User Configuration\Policies\Administrative Templates\Control Panel\Printers.
  This policy is ignored by Windows 7 and Windows Server 2008 R2, but is enforced by earlier editions of Windows including Windows XP with SP1, Windows Server 2003 with SP1, and Windows Server 2008. We recommend that you change
  this policy setting in both locations so that all down-level clients have a consistent experience.
  Right-click Point and Print Restrictions, and then click Properties.
  Click Enabled.
  Clear the following check boxes:
  Users can only point and print to these servers 
  Users can only point and print to machines in their forest 
  In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
  Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
  Click OK.