Fixing Deployed Printers not working after KB5005652

PROBLEM

Deployed printers will not install. Users can't print to deployed printers because the printers need a driver update, and that update requires admin privileges.

The issue stems from the following.

KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481) (microsoft.com)

Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality. For more information, see Point and Print Default Behavior Change and CVE-2021-34481.

By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

  • Install new printers using drivers on a remote computer or server
  • Update existing printer drivers using drivers from remote computer or server

In our domain, no user has administrator rights on their computers, so when KB5005652 (or the monthly cumulative that contains it) was released our domain got screwed. We have around 10,000 computers and 7000+ users and boy did the calls start coming in. Deployed printers would not install, and users who already had printers installed were getting a driver error or a "driver needs to be updated" message that no user could act on because it required admin credentials, which only the 6 domain admins could supply.

My settings under Computer Configuration > Administrative Templates > Policies > Printers > Point and Print Restrictions:

Users can only point and print to these servers: Enabled
Enter fully qualified server names separated by semicolons: myservername.here.com
Users can only point and print to machines in their forest: Disabled

Security Prompts:
When installing drivers for a new connection: Do not show warning or elevation prompt
When updating drivers for an existing connection: Do not show warning or elevation prompt

With this new patch and these settings, no new printers are deployed to new machines or users, and users can't print to currently deployed printers that have an updated driver because they can't update the driver themselves.

The solution is listed in the above Microsoft article and is summarized briefly below.

Modify the default driver installation behavior using a registry key

You can modify this default behavior using the registry key in the table below. However, be very careful when using a value of zero (0) because doing that makes devices vulnerable. If you must use the registry value of 0 in your environment, we recommend using it temporarily while you adjust your environment to allow Windows devices to use the value of one (1).

Registry location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

DWord name: RestrictDriverInstallationToAdministrators

Value data:
Default behavior: Setting this value to 1 or blank, or if the key is not defined or not present, will require administrator privilege to install any printer driver when using Point and Print. This registry key will override all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print.

Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server.

Restart requirements: No restart is required when creating or modifying this registry value.

Note: Windows updates will not set or change the registry key. You can set the registry key before or after installing updates released August 10, 2021 or later.

SOLUTION

So the solution is to add the following registry value to your machines. Since there is no Group Policy setting for this, it either has to be imported as a registry file or pushed out as a registry XML item in a Group Policy Preference.

To add it to a single machine manually, paste the following line at an administrative command prompt.

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

To push it out to machines on your domain, copy and paste the following into a GPO under Computer Configuration / Preferences / Windows Settings / Registry.

<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="DeployPrinterFix">
  <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="HKEY_LOCAL_MACHINE">
    <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="SOFTWARE">
      <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Policies">
        <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Microsoft">
          <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Windows NT">
            <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Printers">
              <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="PointAndPrint">
                <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictDriverInstallationToAdministrators" status="RestrictDriverInstallationToAdministrators" image="12" changed="2021-08-23 12:21:46" uid="{2A6853B3-347D-6E24-932C-6459BF2B9FBB}">
                  <Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" name="RestrictDriverInstallationToAdministrators" type="REG_DWORD" value="00000000"/>
                  <Filters/>
                </Registry>
              </Collection>
            </Collection>
          </Collection>
        </Collection>
      </Collection>
    </Collection>
  </Collection>
</Collection>

This technically leaves you partially vulnerable to the PrintNightmare issue that Microsoft has tried to patch numerous times, but you can limit the exposure by following the directions in the above Microsoft article and specifying the allowed print servers.
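The following PowerShell is an added example, not code from the post or from Microsoft. It ties together the two pieces above: it reads the Point and Print Restrictions settings (the ones listed under "My settings") and the RestrictDriverInstallationToAdministrators value from the same registry key, then applies the value 0 only when clients are already pinned to named print servers, which is the mitigation the Microsoft article recommends. RestrictDriverInstallationToAdministrators is the value from the article; the other value names (Restricted, TrustedServers, ServerList, InForest, NoWarningNoElevationOnInstall, UpdatePromptSettings) are the registry backing of the Point and Print Restrictions policy as defined in Printing.admx and are not in the post, so confirm them against your own policy before relying on the guardrail. Function names are the example's own.

```powershell
# Added example (not from the original post): audit the local Point and Print
# state and apply the KB5005652 registry value with a guardrail.
# Reading the policy key needs no elevation; Set-PointAndPrintDriverInstall
# must be run from an administrative PowerShell prompt.

$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    # Returns one object describing the effective configuration on this machine.
    $p = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue

    $restrictToAdmins = $p.RestrictDriverInstallationToAdministrators
    # Per the Microsoft article: 1, blank, or a missing value all mean "admins only".
    $adminsOnly = ($null -eq $restrictToAdmins) -or ($restrictToAdmins -ne 0)

    # ServerList is the semicolon-separated FQDN list from the policy (assumed value name).
    $servers = @()
    if ($p.ServerList) { $servers = @($p.ServerList -split ';' | Where-Object { $_ }) }

    [pscustomobject]@{
        KeyExists                  = [bool]$p
        RestrictDriverInstallation = $restrictToAdmins
        DriverInstallAdminsOnly    = $adminsOnly
        PolicyEnabled              = ($p.Restricted -eq 1)                      # assumed value name
        TrustedServersOnly         = ($p.TrustedServers -eq 1)                  # assumed value name
        ServerList                 = $servers
        InForestOnly               = ($p.InForest -eq 1)                        # assumed value name
        NoPromptOnInstall          = ($p.NoWarningNoElevationOnInstall -eq 1)   # assumed value name
        NoPromptOnUpdate           = ($p.UpdatePromptSettings -eq 2)            # assumed value name
    }
}

function Test-PointAndPrintGuardrail {
    param([Parameter(Mandatory)]$State)
    # Allow the value 0 only when the policy restricts clients to named servers;
    # otherwise non-admin driver installs would be accepted from any print server.
    return ($State.PolicyEnabled -and $State.TrustedServersOnly -and ($State.ServerList.Count -gt 0))
}

function Set-PointAndPrintDriverInstall {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$AllowNonAdmins,   # set the value to 0 (the fix described in the post)
        [switch]$Force             # bypass the trusted-server guardrail deliberately
    )
    $state   = Get-PointAndPrintState
    $desired = if ($AllowNonAdmins) { 0 } else { 1 }

    if ($desired -eq 0 -and -not $Force -and -not (Test-PointAndPrintGuardrail $state)) {
        throw "Refusing to set RestrictDriverInstallationToAdministrators=0: Point and Print is not restricted to named servers. Fix the GPO first or use -Force."
    }

    if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }

    if ($PSCmdlet.ShouldProcess($PnPKey, "Set RestrictDriverInstallationToAdministrators=$desired")) {
        # Same effect as the reg add line in the post; no restart is required.
        New-ItemProperty -Path $PnPKey -Name RestrictDriverInstallationToAdministrators `
            -PropertyType DWord -Value $desired -Force | Out-Null
    }
    Get-PointAndPrintState
}

# Usage:
#   Get-PointAndPrintState                                   # audit only
#   Set-PointAndPrintDriverInstall -AllowNonAdmins -WhatIf   # dry run
#   Set-PointAndPrintDriverInstall -AllowNonAdmins           # apply the fix (guarded)
#   Set-PointAndPrintDriverInstall                           # roll back to admins-only (1)
```

Run Get-PointAndPrintState on a broken client first: DriverInstallAdminsOnly reports True when the value is missing or 1, which is the state the post describes. The setter refuses to write 0 unless the "only point and print to these servers" restriction is enabled with a non-empty list, so the registry change cannot outrun the GPO that limits it; the rollback path (no switch) writes 1, matching the article's advice to treat 0 as temporary.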

I hope this helps you out since Microsoft loves to break stuff to “fix” stuff!

About The Author

I have worked in the computer repair field since the early '90s. I was a technician and then Coordinator of Computer Repair for Regional Education Service Agency II (RESA 2) for 18 years. I currently work for Wayne County Schools as a Network Engineer/Technology Specialist. I am responsible for the schools' Internet access, Wi-Fi, networks, servers, laptops, desktops, and operating systems and software.
