This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 6%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I am experiencing an issue with Deployment of Printers from GPO. This just started last week after I replaced existing 2012r2 DC and 2012R2 Print Server with New 2019 DC and Print Server If a user had already gotten their printers from GPO they are present and work. If a user needs printers to load from GPO they will not. When we run gpupdate /force we get this "Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link."
All other GPOs are processing and working properly.
I have 4 other DCs (3 - 2012r2 and 1 -2019) and 3 other Print Servers (2 - 2012R2 and 1 - 2019) Workstations are all Win10 assorted flavors (1908 through 21H2)
Since I list all printers in the Directory. I can still install the printers manually from the Printer Servers through "Add Printer" and they install without issue even for none admin users.
Microsoft has really made a mess with this recent security update. Did they ever test this with GPO deployment of printers before dumping it out there?
Anyone else seeing this behavior? Has anyone fixed this behavior?
The stranger part is that this has caused Print Servers that have not had the updates to not deploy via GPO. Most recent print server I installed was 2019 and fully updated with 9/21 rollup. This is when My problem started and it was only that server at first. With in a few hours all my print servers stopped deploying printers from GPO. My other 3 print servers have not had the 9/21 update. 2 of them (1 - 2012R2 and 1 - 2019) have had the 8/21 update and 1 of them (1- 2012R2) has only had 7/21 update.
That single server having the 9/21 update broke all the rest in a few hours.
Microsoft needs to stop passing the buck and admit the screwed everyone that uses print servers and come up with a real fix for the issue.
I have updated server 2019 on 24/09/2021 after I had the first report of missing printers , so my issue appeared before 09/21 update.
Don't you think it may be more related to updates on the Windows 10 devices?
Some of my devices works fine - for sure the computers which I updated recently got this issue.
I will need to check computers which do not have this issue and check when those been updated.
I don't believe it has to do with the Workstations. I have workstations that haven't been updated in a year that printer deployment via GPO now does work. It doesn't seem to matter if it is 1908 that hasn't been updated in a year or if it is 21h2 that is fully updated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 93%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
I had the same issue as this but was able to resolve it by changing the way i mapped printers in GPO.
Initially i was getting this issue when tryng to map printers via the User GPO settings in; User Configuration - Policies - Windows Settings - Deployed Printers
However when i started mapping them using the User Configuration - Preferences - Control Panel Settings - Printers
They started to map every logon and i also didnt get the gp error "Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link."
Hope this helps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 84%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
I came across this yesterday after moving printers to a new server after the original took a nose dive. Some users were able to get the new connections with just a gpupdate, some required log off/on or reboot, others refused to work at all. GPResult showed the same as others - there was an error and to click More Information, a link which doesn't seem to exist. I changed those GPOs to deploy via Control Panel instead, which I'd really rather not do. Hopefully they get it resolved soon!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 28.000000000000004%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBT%3C/text%3E%3C/svg%3E)
Did you ever find anything that works for you? I am still fighting this issue.
Hi,
I had the same issue.
I temporarily set RestrictDriverInstallationToAdministrators to 0.
As said by you I've tried to use this GPO
User Configuration - Preferences - Control Panel Settings - Printers
but every time I access to my computer the printers start to map and lost default printer.
I can't set default printer via GPO because the same GPO is applied to all users in all offices.
There are any workarounds? I can't deploy printers to computer because there isn't GPO option to deploy shared Printers like in User Settings and my printers are installed in a print server that share them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 52%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Had a similar issue.
I switched accounts, signed in as an admin, ran cmd as admin, and ran gpupdate /force. This solved the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 47%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
We had the same issue, until we found this:
https://community.spiceworks.com/topic/277019-printer-deployment-via-group-policy-not-working
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 56.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
This helped me !! Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 42%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVU%3C/text%3E%3C/svg%3E)
We experience exactly the same behaviour. I've spent one full day and I think this is a bug in how Microsoft fixed PrintNightmare vulnerability and printer deployment via Deployed Printer Connection GPO.
I'm dumping all test information here in case someone needs it. The tests where performed on Windows Server 2019 print server and Windows 10 clients with latest 2021-12 CU installed, though I don't think OS version matters that much.
First thing you need to understand is that the behaviour and how GPO settings described in this MS article https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872 work depends on the type of the driver.
Solution 1
a) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Only use Package Point and Print to Enabled.
b) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Package Point and Print - Approved Servers to Enabled and specify FQDN of your print server.
c) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Limit print driver installation to Administrators to Disabled.
This will allow to deploy printers via Deployed Printer Connection GPO targeting User Scope. I didn't find any information if this also enables PrintNightmare vulnerability. Here https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 Microsoft says that CVE-2021-34527 is only present if Point and Print Restrictions GPO is used and nothing about Package Point and Print. Even if it is, the vulnerability should be limited only to the attack vector coming from the FQDN specified earlier. Also, vulnerability should only be exploitable when attacker uses V3 packaged drivers, and not package-unaware drivers.
Solution 2
Use GPP instead of Deployed Printer Connection GPO to deploy printers. This will allow to deploy V4 printers without any other GPO/registry changes.
Solution 3
Change your Deployed Printer Connection GPO to use Computer Configuration instead of User Configuration and apply it to Computers OU instead of Users OU. This again will allow you to deploy V4 printers without any other GPO/registry changes.
Solution 1
a) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Only use Package Point and Print to Enabled.
b) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Package Point and Print - Approved Servers to Enabled and specify FQDN of your print server.
c) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Limit print driver installation to Administrators to Disabled.
This will allow to deploy printers via Deployed Printer Connection GPO targeting User Scope. Again, it is unclear if this enables PrintNightmare vulnerability, but even if it's so, the vulnerability should be limited only to the attack vector coming from the FQDN specified earlier. Also, vulnerability should only be exploitable when attacker uses V3 packaged drivers, and not package-unaware drivers.
Solution 1
a) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Package Point and Print - Approved Servers to Enabled and specify FQDN of your print server.
b) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Point and Print Restrictions to Enabled, enable User can only point and print from these servers and specify FQDN of your print server. Also, don't forget set Security Prompts to your liking.
c) Set Computer Configuration -> Policies -> Administrative Templates -> Printers -> Limit print driver installation to Administrators to Disabled.
This will allow to deploy printers via Deployed Printer Connection GPO targeting User Scope, but if you choose to disable Security Prompts in step b) it also enables PrintNightmare vulnerability. Vulnerability can be exploited when using both V3 packaged and package-unaware drivers. It is limited to the attack vector coming from the FQDN specified earlier though. If Security Prompts are enabled vulnerability cannot be exploited.
Since I'm using only V4 drivers and I think it's a bug, I went with first Solution 1 and will wait until MS hopefully comes up with another fix.
Hope this helps.
P.S. I encourage everyone to have Feedback Hub ticket filled regarding this issue. Maybe our voices will be heard at some point.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 88%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Solution 1 for V4 drivers; I feel like this answer is way underrated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 17%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGL%3C/text%3E%3C/svg%3E)
Okay so Microsoft as usual 'passed the buck' to others. We have all had to look at creating a Reg policy for Point and Print
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
value name="RestrictDriverInstallationToAdministrators"
type=REG_DWORD
value=0
After the most recent updates MS forced the restriction and this still impacts older printer drivers even after the reg hack. After plenty of head scratching and investigations: 1.You must have Type 3 drivers 2. If you have older packages NOT classed as packaged it appears MS still doesn't allow them without issues: using kix script-even if you have disabled the Point and Print registry, the user is still prompted with the 'Trust this printer and install option', to which you need to supply and admin account . Once installed all fine the next time around. IF using GPO Targeting the printer configured in GPO doesn't appear in the printer options list when trying to print. Found the following in the event log of the client machine [even though the driver does exist on the server]
1The column where the Package column have 'false' against them will likely be issues:
I had been scratching my head for days testing and wondering why the Brother HL-5450DN worked but not the Brother HL-L8250CDN as there just didn't appear to be a reason for it, well there is thanks to MS. :( So, to sum up: 1. You will require new drivers from the manufacturer’s website. 2. look at ways to possibly build a 'package' to be deployed by systems like SCCM.
Just another shambles!
It has now be over a year since I first posted this issue. In that time I have probably tried a dozen different fixes.
The BEST FIX I Have Found is TYPE 4 drivers.
Since Microsoft basically broke printer deployment via GPO most printer manufacturers have finally been forced to release Type 4 printer drivers. Since I have converted all my print servers to using Type 4 drivers I have had almost zero issues with printers deploying via GPO. The issues I have had are on the workstation end and will always happen on occasion.
Hope this helps.
Hello @DanHoffa ,
Thank you for your question.
Based on the description of your problem, I recommend that you take a look at the topic below, which has a problem similar to yours and may help you fix the problem:
------------------------------------------------------------------------------------------------------------------------
If the answer is helpful, please vote positively and accept as an answer.
Thank you for the response.
Article does nothing for me. Already been through the gambit of fixes already. The problem really appears to rest in the permissions realm. All my admins get every printer from GPO even now. Normal users do not. They did before the security change. Registry entries have not worked. Rolling back updates is only good till the next rollup installs.
This is Microsoft screwed up. They broke Deployment of Printers via GPO for normal Domain Users.
What are we suppose to do now?