Edit: are you using v4 drivers?
Or are you trying to relax the security?
How can we allow the installation or update of the printer drivers with Group Policy Objects without the user being administrator after updating kb5005033?
The update kb5005033 broke the GPOs I use to install/update printer drivers on my domain.
Now users are prompted to enter the credentials of an administrator to install/update their printer driver.
I have more than 400 computers used by as many users in more than 20 locations.
Here's the information on the update in question: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4
I used the following documentation to try to allow the users to install drivers from our recognized servers, with no success: https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
I'm out of options. Any idea?
Windows
Windows Server
Windows Server Printing
-
Matthew Ware 6 Reputation points
2021-08-12T22:22:50.93+00:00 I enabled point and print restrictions to my print server, and now end users are able to click the Update Driver button themselves without a UAC prompt.
-
Sandrine Marquis 151 Reputation points
2021-08-13T12:36:51.47+00:00 Can you share with us what exactly you've done to enable this properly?
-
Dave McGill 51 Reputation points
2021-08-13T13:26:38.117+00:00 Yes, but my users get their printers via login script, so they never see the prompt as it is done by applying the GPO before they get a desktop screen. This is a major issue for us and created mass havoc. Even if they try to install the printer manually from approved print server via point and print, they get a prompt for admin credentials to install the drivers. The only workaround I have figured out at this point is to remove KB5003033. MICROSOFT PLEASE RESPOND AND FIX!!!!!!
-
John Carr 76 Reputation points
2021-08-13T18:53:46.353+00:00 I've been making "some" progress on this, although it's painful and annoying.
I went to our print server and updated every printer to use V4 / Type 4 drivers. But that didn't seem to totally fix the issue. Users could now click "add printer" and browse our AD and get a printer. But we Deploy printers via GPO.... Those were still messed up.
On one printer that had an updated driver, I undeployed it. GPUPDATE /FORCE on a workstation. The printer still showed on the workstation, but faded out. Then I deployed the printer to the GPO of that workstation. GPUPDATE /FORCE again. The faded printer was still there. I stopped the Print Spooler on the workstation. The faded printer was still there. Started the spooler. Waited a minute or so, that faded printer lit up. clicked it and the "Device driver unavailable" message was gone. User could print.
HOWEVER! I looked at the Printer Properties of the object, and got prompted to install Point and Print drivers. I declined. Maybe I should have agreed. But user could still print.
I'm not sure if this is a solution or a work around. Definitely not a solution for 500 users.
-
A. De Decker 21 Reputation points
2021-08-16T06:44:16.57+00:00 Reviewing kb5005652 will offer some solutions.
One of them is to deploy a new Registry key which will UNDO the restriction.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 0 (REG_DWORD)
This way, it will all keep on working the way it was before KB5005033.
BE AWARE. This will also keep the vulnerability active.
-
Mark Baines 6 Reputation points
2021-08-16T11:37:35.727+00:00 Do you make this registry addition on the Printer Server or at the user's end (e.g. Local device or Remote Desktop Server)?
-
Nicholas Nguyen 6 Reputation points
2021-08-16T21:52:17.663+00:00 Add it to your endpoints/user's end. Tried on a printer server to confirm, and you'll basically have to roll out the GPO to add this registry key for multiple devices.
Do follow the mitigations steps outlined in https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872, but you will still be vulnerable.
-
Wardell, Craig 6 Reputation points
2021-08-19T13:50:38.237+00:00 This worked for me. Rolled the registry tweak out via GPO.
We will be using this fix until we change the way we install printers.
Maybe via PaperCut MF going forward.
-
Erik Calzada 11 Reputation points
2021-08-27T17:15:28.66+00:00 Since KB5005033 caused some issues with our print servers requiring admin creds on installs, we applied the following, which allows users to install new printers from our print server without admin creds. Then we applied a scheduled task right after install to change the reg edit back to requiring admin creds on non-domain printer installs, which keeps the printer vulnerability fix applied.
Create a GPO
User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0
Add these Reg Keys as well to same location:
DWORD UpdatePromptSettings /v 0
DWORD NoWarningNoElevationOnInstall /v 0
Scheduled Task will toggle admin creds required after printer install from print server; run as a cmd
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
-
Adam Bise 1 Reputation point
2021-09-02T06:10:55.323+00:00 I abandoned my print servers and deployed local queues via SCCM
[Driver App - System Context - No Deployment]
Install script:
cscript c:\windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -m "Xerox GPD PCL6 V5.810.8.0" -h "%~dp0UNIV_5.810.8.0_PCL6_x64_Driver.inf" -i "%~dp0UNIV_5.810.8.0_PCL6_x64_Driver.inf\x3UNIVX.inf"
Detection:
cscript c:\windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -l | findstr /c:"Xerox GPD PCL6 V5.810.8.0,3,Windows x64"
[Port App - System Context - No Deployment]
Install script:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnport.vbs" -a -me -r v1_10.10.10.10 -h 10.10.10.10 -o raw
netsh advfirewall firewall set rule group="SNMP Trap" new enable=Yes
Detection:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnport.vbs" -l | findstr /c:"Port name v1_10.10.10.10"
[Queue App - User Context - User Deployment - Dependency: driver and port apps]
Install script:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs" -a -p "HR Printer" -m "Xerox GPD PCL6 V5.810.8.0" -r "10.10.10.10"
Detection:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs" -l | findstr /c:"Printer name HR Printer"
Kind of crazy to just abandon our print servers but at least now we have a secure and workable foundation to migrate to.
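The same three-step local-queue build (driver, port, queue), each step paired with the detection check an SCCM application would use, written with the PrintManagement cmdlets instead of the Printing_Admin_Scripts VBS files. This is an added example, not the poster's scripts; the driver name, INF path, IP address and queue name are placeholders following the post's pattern, and it assumes the INF is shipped beside the script and that `pnputil` staging makes the driver resolvable by name.

```powershell
# Added example (not the poster's SCCM scripts). Builds a per-machine local queue in
# three steps, each with an idempotent detection check, so a deployment tool can run
# it repeatedly. Placeholder values follow the pattern used in the post.

$DriverName = 'Xerox GPD PCL6 V5.810.8.0'      # must match the model name in the INF
$InfPath    = Join-Path $PSScriptRoot 'UNIV_5.810.8.0_PCL6_x64_Driver.inf\x3UNIVX.inf'
$HostIP     = '10.10.10.10'                    # placeholder printer address
$PortName   = "v1_$HostIP"
$QueueName  = 'HR Printer'                     # placeholder queue name

# Detection checks: each returns $true when the artifact is already present.
function Test-DriverInstalled { [bool](Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue) }
function Test-PortInstalled   { [bool](Get-PrinterPort   -Name $PortName   -ErrorAction SilentlyContinue) }
function Test-QueueInstalled  { [bool](Get-Printer       -Name $QueueName  -ErrorAction SilentlyContinue) }

function Install-LocalDriver {
    # System context. Stage the signed package in the driver store first, then let the
    # spooler install it by name from there rather than pulling files from a share.
    if (Test-DriverInstalled) { return }
    pnputil.exe /add-driver $InfPath | Out-Null
    Add-PrinterDriver -Name $DriverName -ErrorAction Stop
}

function Install-LocalPort {
    # System context. A standard TCP/IP port; raw (9100) is the default protocol.
    if (Test-PortInstalled) { return }
    Add-PrinterPort -Name $PortName -PrinterHostAddress $HostIP -ErrorAction Stop
}

function Install-LocalQueue {
    # A local queue is per-machine and visible to every user of the device, unlike a
    # \\server\share connection, which is created per user.
    if (Test-QueueInstalled) { return }
    Add-Printer -Name $QueueName -DriverName $DriverName -PortName $PortName -ErrorAction Stop
}

Install-LocalDriver
Install-LocalPort
Install-LocalQueue

# Final state report; all three should be $true after a successful run.
[pscustomobject]@{ Driver = Test-DriverInstalled; Port = Test-PortInstalled; Queue = Test-QueueInstalled }
```

Because the queue is local, no Point and Print driver transfer happens at all, which is why this path does not depend on the RestrictDriverInstallationToAdministrators value. The trade-off is that a local queue is per-machine, so it cannot be targeted at individual users the way a shared-printer connection can.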
-
Darius Peterson 1 Reputation point
2021-09-02T12:39:53.733+00:00 I have a creative way to do it in SCCM--this is for a single printer. It basically migrates the Add Printer function to software center. I wrapped the powershell script in winforms for a nice user friendly feel, and even used an older way to add printers that can be wrapped in VBscript or any other language.
PDF describes how to test it and deploy it--change the txt file to a .ps1 to use it.
-
Filip Svoboda 1 Reputation point
2021-09-02T17:10:04.563+00:00 I prefer a more flexible setup in the domain, at least this one. It's a bit more secure :D
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"Restricted"=dword:00000001
"TrustedServers"=dword:00000000
"ServerList"=""
"InForest"=dword:00000001
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
"RestrictDriverInstallationToAdministrators"=dword:00000000
and open in startup script
explorer \pathtoprinter
-
User#29882 16 Reputation points
2021-09-03T18:19:26.04+00:00 This has me wondering, why does Microsoft not fix the vulnerability in the Print Spooler instead of blocking users from installing print drivers?
Or is this only a temporary mitigation, and we will see an actual fix for the print spooler at a later date?
-
Gary Smith 121 Reputation points
2021-09-08T14:34:26.72+00:00 Seems the reg value of 1 breaks some of my connections (2x are to a 2016 box). The others (all 2008 R2) stay valid after the reg value 0, reboot or gpupdate, and reg value of 1.
Any further fixes?
I see it's also affecting Server 2019 RDS. Any pointers for this?
Thanks
-
js2010 186 Reputation points
2021-09-23T14:56:48.91+00:00 Beware of the new RpcAuthnLevelPrivacyEnabled setting turned on by default on servers in September. This may break some printing (Osx) (especially if you haven't patched clients since January).
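An audit that reads the registry values discussed in this thread (the PointAndPrint policy values from the "more flexible setup" above, and the RpcAuthnLevelPrivacyEnabled value under the Print control key mentioned here) and turns them into findings, rather than a raw registry dump. This is an added example, not from any post: the severity labels, finding wording and the constructed sample values at the bottom are assumptions; the key paths and value names are the ones on the page. By default it reads the live machine, but it accepts hashtables so values collected from other endpoints can be evaluated offline.

```powershell
# Added example (not from any post). Evaluates an endpoint's Point and Print posture
# against the values discussed in the thread and returns findings with a severity.
# Severity labels and the sample values below are assumptions for illustration.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintControlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'

function Read-RegistryValues {
    param([string]$Path, [string[]]$Names)
    # Returns a hashtable with $null for values that are not set, so absence is visible.
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($n in $Names) {
        $result[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
    }
    return $result
}

function Get-PointAndPrintPosture {
    param([hashtable]$PointAndPrint, [hashtable]$PrintControl)

    if (-not $PointAndPrint) {
        $PointAndPrint = Read-RegistryValues $PointAndPrintKey @(
            'Restricted', 'TrustedServers', 'ServerList', 'InForest',
            'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
            'RestrictDriverInstallationToAdministrators')
    }
    if (-not $PrintControl) {
        $PrintControl = Read-RegistryValues $PrintControlKey @('RpcAuthnLevelPrivacyEnabled')
    }

    $findings = New-Object System.Collections.ArrayList
    $add = { param($Severity, $Message)
        [void]$findings.Add([pscustomobject]@{ Severity = $Severity; Finding = $Message }) }

    $restrict = $PointAndPrint['RestrictDriverInstallationToAdministrators']
    $noWarn   = $PointAndPrint['NoWarningNoElevationOnInstall']
    $update   = $PointAndPrint['UpdatePromptSettings']
    # "Scoped" means Point and Print is limited to the forest or to an explicit server list.
    $scoped   = ($PointAndPrint['Restricted'] -eq 1) -and
                (($PointAndPrint['InForest'] -eq 1) -or
                 (($PointAndPrint['TrustedServers'] -eq 1) -and $PointAndPrint['ServerList']))

    if ($restrict -eq 0) {
        if ($scoped) {
            & $add 'High' 'Non-admins may install Point and Print drivers (KB5005033 restriction undone), limited to the configured servers/forest.'
        } else {
            & $add 'Critical' 'Non-admins may install Point and Print drivers from any server: restriction undone and Point and Print not scoped.'
        }
    } else {
        & $add 'Info' 'Driver installation restricted to administrators (value 1, or the post-KB5005652 default when unset).'
    }
    if ($noWarn -eq 1) { & $add 'Medium' 'NoWarningNoElevationOnInstall=1: no warning or elevation prompt on new driver install.' }
    if ($update -eq 2) { & $add 'Medium' 'UpdatePromptSettings=2: existing drivers update with no prompt.' }
    if (-not $scoped)  { & $add 'Medium' 'Point and Print is not limited to trusted servers or the forest (Restricted/InForest/TrustedServers).' }
    if ($PrintControl['RpcAuthnLevelPrivacyEnabled'] -eq 0) {
        & $add 'Medium' 'RpcAuthnLevelPrivacyEnabled=0: spooler RPC packet privacy not enforced.'
    }

    $rank  = @{ Critical = 4; High = 3; Medium = 2; Info = 1 }
    $worst = ($findings | Sort-Object { $rank[$_.Severity] } -Descending | Select-Object -First 1).Severity
    [pscustomobject]@{ Overall = $worst; Findings = $findings }
}

# Constructed sample: the "flexible" values posted in this thread, with the Print control
# value left unset, as on a machine with no explicit override.
$sample = Get-PointAndPrintPosture `
    -PointAndPrint @{ Restricted = 1; TrustedServers = 0; ServerList = ''; InForest = 1;
                      NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2;
                      RestrictDriverInstallationToAdministrators = 0 } `
    -PrintControl @{ RpcAuthnLevelPrivacyEnabled = $null }
"Overall: $($sample.Overall)"
$sample.Findings | Format-Table -AutoSize
```

Run against the constructed sample the overall rating is High: the forest scoping keeps it off Critical, but the relaxed restriction plus the suppressed prompts are reported individually so they can be tracked in inventory. Call `Get-PointAndPrintPosture` with no arguments on an endpoint (or wrap it in `Invoke-Command`) to audit the live values.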
-
Dooley CIV Brent 1 Reputation point
2021-11-01T15:05:40.907+00:00 Testing this solution in our environment, which is Windows Server 2012/2016 and Windows 10 1909/20H2. We created the SCCM package but it's not mapping the printer for the user. It's installing the printer driver, but even after a restart the printer is not mapped for the user. All of our printers are network printers on the print server(s). Looking through this, it is running as admin, so SYSTEM context, and yes, I see the script is supposed to add the printer per the computer, so for all users. But it's not working for network-based printers. Network-based printers on a print server have always been per user.
Anyone else seeing this same issue?
-
Lamar McDonald 1 Reputation point
2022-05-12T18:13:52.517+00:00 I'm having the same issue. We have tested the registry edit
(HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint)
RestrictDriverInstallationToAdministrators = 0 (REG_DWORD)
DWORD UpdatePromptSettings /v 0
DWORD NoWarningNoElevationOnInstall /v 0
The edit is working on all the users we've tested. However, does the registry edit open up a hole for the Print Nightmare exploit? We disabled the domain policy that allowed users to install printers due to the Print Nightmare exploit. Are we now putting our environment at risk again?
-
Erik Calzada 11 Reputation points
2022-05-12T18:22:38.06+00:00 Hey Lamar,
Good question, which is why I added the scheduled task to run after. This scheduled task should be added to the GPO and it will re-enable the exploit so you are protected. Basically the reg key makes it possible for the user to install the printer when that action is taken and re-enables the security to protect against the printer nightmare.
Scheduled Task will toggle admin creds required after printer install from print server; run as a cmd
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
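The "GPO opens the window, a scheduled task closes it" pattern from this post and its first description earlier in the thread, implemented in PowerShell as an added example (not the poster's GPO or task). It makes two things explicit that the original leaves to the admin: the closing task runs as SYSTEM a fixed delay after every logon whether or not a printer was installed, and it only ever writes the value 1, so the relaxed state cannot outlive the window if the GPO preference and the task get out of step. The task name and the 10-minute delay are placeholders; it assumes it is run elevated once per endpoint (for example from a computer startup script).

```powershell
# Added example (not the poster's GPO or scheduled task). Same pattern as the post:
# relax RestrictDriverInstallationToAdministrators so a user can add a printer from the
# print server, then have a SYSTEM scheduled task restore the value to 1.
# Task name and delay are placeholders; run elevated.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$TaskName    = 'Close-PointAndPrintWindow'   # placeholder task name
$WindowDelay = 'PT10M'                        # ISO 8601 duration: close 10 minutes after logon

function Open-PointAndPrintWindow {
    # Equivalent of the GPO registry preference in the post. Only the restriction flag
    # is relaxed here; UpdatePromptSettings and NoWarningNoElevationOnInstall are left
    # at their policy defaults so the user still sees the elevation/warning prompts.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RestrictDriverInstallationToAdministrators -Value 0 -Type DWord
}

function Close-PointAndPrintWindow {
    # Equivalent of the poster's "reg add ... /d 1 /f" task action.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
}

function Register-CloseWindowTask {
    # SYSTEM task that closes the window a fixed delay after any logon. reg.exe is the
    # action so the task does not depend on the PowerShell execution policy.
    $action = New-ScheduledTaskAction -Execute 'reg.exe' -Argument (
        'add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ' +
        '/v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f')
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    $trigger.Delay = $WindowDelay
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

function Test-WindowClosed {
    # Compliance check for inventory: $true only when the restriction is back in force.
    $v = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    return ($v -eq 1)
}

# One-time setup on the endpoint: register the closing task and start in the closed state.
# Open-PointAndPrintWindow is what the GPO preference would call at refresh time.
Register-CloseWindowTask
Close-PointAndPrintWindow
"Restriction in force: $(Test-WindowClosed)"
```

Because the closing task fires on every logon rather than only after a successful install, a failed or abandoned install cannot leave the endpoint in the relaxed state indefinitely; `Test-WindowClosed` is the value to collect centrally to confirm that.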
-
DonPick 1,256 Reputation points
2021-08-12T09:54:25.443+00:00
-
DonPick 1,256 Reputation points
2021-08-12T10:21:09.82+00:00 There are a number of suggestions here, may be useful?
-
Sandrine Marquis 151 Reputation points
2021-08-12T10:34:03.7+00:00 I don't know what you are talking about when you write v4 drivers. And I'm not trying to relax the security. I don't want to have to give admin credentials to hundreds of users for the printers to work on more than 400 computers.
I use packaged drivers on my Windows servers that I use as print servers. The drivers are from known locations. The GPOs and printers are configured by me. And I'm not pointing to unknown locations for those drivers.
Because of this change I have hundreds of computers in more than 20 locations asking regular users for admin credentials to update printer drivers... The worst part is... those drivers are the last available version and don't need to be updated.
I can't believe I'm the only one with this problem. It's an actual user who is trying to install printers; it's a known server process pushing configuration to known computers using recognized user credentials.
I won't remote access hundreds of computers to enter admin credentials. It's not a solution.
-
CH 11 Reputation points
2021-08-12T11:55:08.85+00:00 You are not the only one with this issue, I have the same. It seems to only be a particular driver that is affected by the issue. Users are prompted to update this driver but the drivers haven't been changed.
-
John Carr 76 Reputation points
2021-08-12T18:40:21.547+00:00 You're not alone. Some MS update has blown up our print servers too. It's also very sporadic. I'm also seeing MULTIPLE versions of the same printer listed in Devices and Printers, and they all say "Unknown Device Driver". When you go to File, Print, the printers aren't even there.
If you do see them, you get prompted to install the driver. There's a registry hack to let the non-admin install the driver, but that's a bandaid, not a solution.
I've updated drivers for the printers on my print server hoping that the drivers would be trusted, but it's not really working through pushed printers.
I tried to add the GPO to only let Point and Print printers print through a trusted print server, but that didn't seem to help.
-
Sandrine Marquis 151 Reputation points
2021-08-12T20:04:05.43+00:00 I hope we'll find a solution.
-
MichaelCMetal 21 Reputation points
2021-08-16T15:53:54.933+00:00 V4 or Mode 4 drivers are the newest type of print driver for MS Print Servers. I've been avoiding them for years but now they are a necessity. Depending on your brand of printers/copiers, you may or may not have access to V4 drivers right now. I cannot find Brother or HP mode 4 drivers, however my BizHubs and Kyoceras are now using V4 and no more admin prompt, etc. Nothing. I just changed them under the shared object on the print server and it pushes it to the workstations.
-
ROprisko 11 Reputation points
2021-09-07T19:19:43.62+00:00 I'm right there with you!
-
ROprisko 11 Reputation points
2021-09-08T14:49:12.617+00:00 You are not alone. I am having this issue also on my 2019 server for Papercut.
-
Surge 16 Reputation points
2021-09-15T01:41:26.293+00:00 I was able to find HP type-4 and class drivers by using the Windows Catalog. Specifically, class drivers, which are supposed to be Type-4, but they still do not work correctly. I've used type-4 drivers provided by the vendor and available in the Windows Catalog for clients and some printers simply do not work. After dozens of experiments, I'm concluding that as of this writing the type-4 driver approach is not reliable and with the MS patch requiring admin credentials the print manager has been deprecated.
-
Arnie Spitzmacher 0 Reputation points
2023-08-16T16:48:03.1766667+00:00 Experiencing the same issue with 2022 server and Papercut. Clients are getting prompted to update printer drivers, but nothing has changed.
Setting the group policy to allow non admin installation works, but we wanted the UAC prompt and even though we have "show warning and elevation prompt" set to enable for installing drivers, the prompt does not happen.
Has anybody found out/fixed why clients are getting prompted for drivers when they shouldn't be?
-
Sandrine Marquis 151 Reputation points
2021-08-12T12:02:35.123+00:00 You're probably right. I was thinking people were complaining after the update and others were not because the update wasn't applied yet. It's probably the driver. Now the problem is how to fix this when the problem comes from different drivers... if this is the latest version of those specific drivers.
-
Lancaster, Ben 21 Reputation points
2021-08-12T13:23:24.297+00:00 Hi, we are also having the same issue. Since installing the KB all users are being prompted to elevate permissions when trying to print. We have logged a support call with Microsoft. There is some information on this link: https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
-
Sandrine Marquis 151 Reputation points
2021-08-12T13:47:57.967+00:00 Keep us up to date. I tried the solution on the link you just gave us with no success.
I'll try to communicate with the company to check if it's a problem with certain drivers and not Windows.
And I'll come back here if I find anything.
-
Sandrine Marquis 151 Reputation points
2021-08-12T15:10:32.14+00:00 I hope you get a solution from Microsoft because here, it's getting worse. Now none of my printers are installing on new setups and those that were installed are disappearing.
-
Tobias Eriksen 6 Reputation points
2021-08-12T15:48:48.66+00:00 Seems to work *) in my limited test. I did also follow https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/
It might be important to restrict point and print to specific servers, if you want a little bit of security.
*) the "RestrictDriverInstallationToAdministrators" registry fix from the link
-
Lancaster, Ben 21 Reputation points
2021-08-13T09:19:38.427+00:00 Still pursuing with Microsoft via a support call. Initially being told this is a known issue.
-
jameselees 51 Reputation points
2021-08-12T15:04:38.693+00:00 From testing it appears Type 4 - User Mode Drivers are not prompting. The drivers must be on the client computer already from the OS image, Windows Update/WSUS or installed using a tool with admin credentials. The installed printer will get driver settings from the print server but not the driver itself.
Problem is even a lot of recently updated drivers are Type 3 and I can't find Type 4....
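A way to find out which shared queues still depend on Type 3 drivers before changing anything on the print server, as an added example that is not from this answer or any other post. It lists every shared queue on a server with the driver's type (the MajorVersion property, 3 or 4) and package-aware flag. The server name is a placeholder; it assumes the PrintManagement cmdlets and remote access to the server's spooler.

```powershell
# Added example (not from any post). Reports, for each shared queue on a print server,
# whether its driver is Type 3 or Type 4 and whether it is package-aware, so the Type 3
# queues (the ones that prompt after KB5005033) can be listed before any driver changes.
# The server name below is a placeholder.

function Get-SharedQueueDriverType {
    param([Parameter(Mandatory)][string]$PrintServer)

    # Index x64 drivers by name; driver names are unique per environment, not across them.
    $driversByName = @{}
    Get-PrinterDriver -ComputerName $PrintServer |
        Where-Object PrinterEnvironment -eq 'Windows x64' |
        ForEach-Object { $driversByName[$_.Name] = $_ }

    Get-Printer -ComputerName $PrintServer |
        Where-Object Shared |
        ForEach-Object {
            $drv = $driversByName[$_.DriverName]
            [pscustomobject]@{
                Queue        = $_.Name
                ShareName    = $_.ShareName
                DriverName   = $_.DriverName
                DriverType   = if ($drv) { "Type $($drv.MajorVersion)" } else { 'not found (x64)' }
                PackageAware = if ($drv) { [bool]$drv.IsPackageAware } else { $null }
            }
        }
}

# Usage: Type 3 queues sort first, which is the list to work through when moving to Type 4.
Get-SharedQueueDriverType -PrintServer 'PRINTSRV01.example.local' |
    Sort-Object DriverType, Queue | Format-Table -AutoSize
```

Run it again after switching drivers on the server to confirm no shared queue has silently stayed on a Type 3 driver; a queue reported as "not found (x64)" means its driver exists only for another platform and will not be served to 64-bit clients.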
-
Sandrine Marquis 151 Reputation points
2021-08-12T15:08:12.313+00:00 Sorry, but in my environment having the driver in the OS image isn't an option.
I won't reinstall 400 computers... and add hundreds of possible printer drivers... and printer models are changing so fast that it's impossible to keep up. And what happens if the driver needs to be updated...
It's not funny at all and not a realistic solution.
Now my users are losing their printers that are already configured.
-
jameselees 51 Reputation points
2021-08-12T15:11:19.987+00:00 Check to see if you can change driver to a Type 4 - We found this works just changing the Driver for Xerox to Type 4 vs Type 3
-
jameselees 51 Reputation points
2021-08-12T15:17:30.463+00:00 And to clarify that's changing the driver type on the print server to Type 4 Driver.
-
Sandrine Marquis 151 Reputation points
2021-08-12T15:24:53.997+00:00 I'll look into this. I'll try to figure out how to change this. thank you.
-
John Carr 76 Reputation points
2021-08-12T20:15:10.487+00:00 And Type 4 drivers need to be digitally signed. In one case for our Xerox printer, we have an older Win2008 print server (being held up from retirement due to legacy issues) that doesn't offer a signed version of the driver from Xerox. The 2012 and 2016 server version seems to be signed.
-
jameselees 51 Reputation points
2021-08-12T20:22:16.23+00:00 Glad to hear some are making some headway on this. Wish Microsoft would publish this sort of data to help.
-
Lancaster, Ben 21 Reputation points
2021-08-13T09:18:17.13+00:00 Does changing to Type 4 drivers work?
We are not getting much help from Microsoft via the support call we have logged.
-
John Carr 76 Reputation points
2021-08-13T14:37:07.68+00:00 Somewhat... At least in my environment. We have a Win2012 print server with all the printers installed via IP. We DEPLOY the printers via Computer GPO to the GPO of each department. This morning I changed every driver on every Xerox printer to the V4 version of the driver.
I do a GPUPDATE /FORCE on the workstation of a user who is complaining. After signing back in, and waiting a few moments, I do eventually see the printer. But I also see lots of other printers I clearly didn't deploy, or sometimes 3-4 versions of the same printer. This will make it difficult for our users to set which printer they want as default. Now, I know that Win10 now sets the default as the last printer you printed to. But sometimes if a user is in Word, and clicks File, Print, they'll see dozens of printer objects now, instead of the 4 or 5 they had before. And to be honest, I'm not sure even this works 100%.
The ONLY true solution to get a user to print is to click "ADD PRINTER" and then browse your Active Directory for the printer, and then install it. But that's a manual process and not deployed via GPO.
-
jameselees 51 Reputation points
2021-08-13T14:43:48.29+00:00 I wonder if the multiple printers are using the same driver on the type 4 almost like shared driver to those printers?
We switched to the type 4 for those that we could find the driver for but are having issues actually printing. The drivers load with no UAC but job does not print...
We've called Xerox but they said it's a network issue. Will be trying to call back and get another tech.
-
dave macholz 11 Reputation points
2021-08-13T19:45:32.213+00:00 Seems to be my version 4 drivers also from the few tickets I have seen so far. I know this will get worse soon, but uninstalling the Windows update from the client PC is the only thing I've seen work yet.
I have about 1200-1500 printers in my enterprise and I have a feeling Monday is not going to be a good day.