PROBLEM
Deployed printers will not install. Users can't print to deployed printers because they need a driver update that requires admin privileges.
The issue stems from the following change, described in Microsoft's article:
Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality. For more information, see Point and Print Default Behavior Change and CVE-2021-34481.
By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
- Install new printers using drivers on a remote computer or server
- Update existing printer drivers using drivers from remote computer or server
In our domain, no user has administrator rights on their computers, so when KB5005652 or the monthly cumulative with it was released our domain got screwed. We have around 10,000 computers and 7000+ users and boy did the calls start coming in. Deployed printers would not install, and users who already had printers installed were getting a driver error or "driver needs to be updated" message that no user could act on because it required admin credentials, which only the 6 domain admins could supply.
My settings for Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions:
- Users can only point and print to these servers: Enabled
- Enter fully qualified server names separated by semicolons: myservername.here.com
- Users can only point and print to machines in their forest: Disabled
- Security Prompts:
  - When installing drivers for a new connection: Do not show warning or elevation prompt
  - When updating drivers for an existing connection: Do not show warning or elevation prompt
With this new patch and these settings, no new printers are deployed to new machines or users, and users can't print to currently deployed printers that have an updated driver because they can't update the driver.
The solution is listed in the above Microsoft article and is summarized briefly below.
Modify the default driver installation behavior using a registry key
You can modify this default behavior using the registry key in the table below. However, be very careful when using a value of zero (0) because doing that makes devices vulnerable. If you must use the registry value of 0 in your environment, we recommend using it temporarily while you adjust your environment to allow Windows devices to use the value of one (1).
Registry location | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
DWord name | RestrictDriverInstallationToAdministrators
Value data | Default behavior: Setting this value to 1 or blank, or if the key is not defined or not present, will require administrator privilege to install any printer driver when using Point and Print. This registry key will override all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print. Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server.
Restart requirements | No restart is required when creating or modifying this registry value.
Note Windows updates will not set or change the registry key. You can set the registry key before or after installing updates released August 10, 2021 or later.
SOLUTION
So the solution is to add the following registry value to your machines. Since there is no setting in GPO for this, it either has to be imported as a registry file or pushed out as a Group Policy Preferences registry item (the XML below).
To manually add it to a machine, paste the following line at an administrative command prompt:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
To push it out to machines on your domain, copy and paste the following into a GPO under Computer Configuration / Preferences / Windows Settings / Registry:
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="DeployPrinterFix">
  <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="HKEY_LOCAL_MACHINE">
    <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="SOFTWARE">
      <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Policies">
        <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Microsoft">
          <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Windows NT">
            <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Printers">
              <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="PointAndPrint">
                <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictDriverInstallationToAdministrators" status="RestrictDriverInstallationToAdministrators" image="12" changed="2021-08-23 12:21:46" uid="{2A6853B3-347D-6E24-932C-6459BF2B9FBB}">
                  <Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" name="RestrictDriverInstallationToAdministrators" type="REG_DWORD" value="00000000"/>
                  <Filters/>
                </Registry>
              </Collection>
            </Collection>
          </Collection>
        </Collection>
      </Collection>
    </Collection>
  </Collection>
</Collection>
This technically leaves you partially vulnerable to the PrintNightmare issue Microsoft has tried to patch numerous times, but you can limit the exposure by following the directions in the above Microsoft article and specifying the allowed print servers.
I hope this helps you out, since Microsoft loves to break stuff to "fix" stuff!
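As an added example (not code from the original post), here is a PowerShell script that applies the same registry fix and then reads back the Point and Print Restrictions values the GPO above writes, so you can confirm on a given machine that the allowed-server list is actually limiting where drivers can come from. The function names are made up for this example, the server FQDN is the placeholder from the post, and it assumes an elevated session on the target machine.

```powershell
# Added example, not from the original post. Applies RestrictDriverInstallationToAdministrators = 0
# (the fix above) and reports the Point and Print Restrictions values the GPO writes to the same key.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Set-DeployPrinterFix {
    param([string]$Key = $PointAndPrintKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # 0 = non-administrators may install Point and Print drivers; 1 or missing = admins only.
    New-ItemProperty -Path $Key -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-PointAndPrintPosture {
    param([string]$Key = $PointAndPrintKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    # A missing RestrictDriverInstallationToAdministrators value behaves like 1 (admins only).
    $restrict = if ($null -eq $p.RestrictDriverInstallationToAdministrators) { 1 }
                else { [int]$p.RestrictDriverInstallationToAdministrators }
    # Restricted/TrustedServers/ServerList/InForest are what "Point and Print Restrictions" writes.
    $servers = if ($p.ServerList) { $p.ServerList -split ';' | Where-Object { $_ } } else { @() }
    [pscustomobject]@{
        AdminsOnlyDriverInstall = ($restrict -ne 0)
        PolicyEnabled           = ([int]$p.Restricted -eq 1)
        LimitedToServerList     = ([int]$p.TrustedServers -eq 1 -and $servers.Count -gt 0)
        AllowedServers          = $servers
        LimitedToForest         = ([int]$p.InForest -eq 1)
        # 1 = no warning or elevation prompt on install (the post's setting)
        InstallPromptSetting    = $p.NoWarningNoElevationOnInstall
        # 2 = no warning or elevation prompt on update (the post's setting)
        UpdatePromptSetting     = $p.UpdatePromptSettings
    }
}

Set-DeployPrinterFix
$posture = Get-PointAndPrintPosture
$posture | Format-List
# Exposure is limited (as the post suggests) only when drivers can come from a named server list.
if (-not $posture.AdminsOnlyDriverInstall -and -not $posture.LimitedToServerList) {
    Write-Warning "Non-admin driver install is allowed but no allowed print server list is in effect."
}
```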