Deploy Printers GPP not working in Windows Server

Jérémy MUNOZ 36 Reputation points
2022-03-28T12:08:23.563+00:00

I have a problem with my network print server and GPO. I tried to deploy printers to users in my company, but it is impossible.
I saw many topics talking about the PrintNightmare vulnerabilities and Microsoft patching them, but it is still impossible to do anything.

I tried many solutions, like:

1. Via Group Policy (Computer Configuration > Preferences > Windows Settings > Registry), I added the registry entry “RestrictDriverInstallationToAdministrators” to “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint” and set it to 0 (DWORD).

2. Enabled the following in a GPO:

   Computer Configuration > Policies > Administrative Templates > Printer > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
   Computer Configuration > Policies > Administrative Templates > Printer > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Do not show warning or elevation prompt”.]
   User Configuration > Policies > Administrative Templates > Control Panel > Printers > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
   User Configuration > Policies > Administrative Templates > Control Panel > Printers > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Show warning only”.]

3. You may also want to confirm that you have “Computer Configuration > Policies > Administrative Templates > System > Driver Installation > Allow non-administrators to install drivers for these device setup classes” set up with {4658ee7e-f050-11d1-b6bd-00c04fa372a7} and {4d36e979-e325-11ce-bfc1-08002be10318}, which are both printer-related. But if your deployed printers were working before that update went out, then you may have already had this set!

Or a regedit update, but nothing works; I always get an elevation prompt when deploying a printer to a non-admin domain user.

Is there a solution, or do I need to go to each user and install manually?

Thank you!

Best Regards,


6 additional answers

  1. Alan Morris 1,156 Reputation points
    2022-03-28T14:40:43.237+00:00

    Hi,

    The default requirement now to install the software from the server is administrative access.

    There is a registry setting to allow non-admin users the ability to install print drivers. It's discussed in several posts in this QA channel.

    The Windows Point and Print policies really do not matter much anymore other than the print server names.


  2. Jérémy MUNOZ 36 Reputation points
    2022-03-28T15:02:11.39+00:00

    Hello @Alan Morris ,

    Thanks for your answer!

    I tried via GPO to allow non-admins to install printers (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers.) but it does not work. I want to deploy printers by user and not by computer.

    Does the policy work only with Computer policy, or both?

    I saw many topics and tried many solutions but without success...

    Thanks again!


  3. Alan Morris 1,156 Reputation points
    2022-03-28T15:48:08.747+00:00

    @Jérémy MUNOZ ,

    There is no Group Policy for the registry setting.

    You will need to add this to all the client systems, but you can add this to a policy:

    [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
    "RestrictDriverInstallationToAdministrators"=dword:00000000

    You can learn more about the new admin defaults in this MS article https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

    Thanks


  4. Alan Morris 1,156 Reputation points
    2022-03-28T15:52:08.843+00:00

    If the clients do not need to connect to shared printers outside of your organization, I highly recommend setting up the print server names in the Computer / Admin Templates / Printers / Point and Print restrictions policy.

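
A read-only check for a client machine, added here as an example (it is not code from the thread or from Microsoft): it reads the PointAndPrint policy key discussed above and reports whether non-admin driver installation is enabled and whether it is limited to an approved print server list, as the last answer recommends. The value names other than RestrictDriverInstallationToAdministrators do not appear on this page; they are assumed from KB5005652 as the values the Point and Print Restrictions policy writes.

```powershell
# Added example: read-only audit of Point and Print policy values on one client.
# Value names other than RestrictDriverInstallationToAdministrators are assumptions
# not shown in the thread (taken from KB5005652).
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PointAndPrintPolicy {
    $restrict = Get-PolicyValue $Key 'RestrictDriverInstallationToAdministrators'
    $trusted  = Get-PolicyValue $Key 'TrustedServers'
    $servers  = Get-PolicyValue $Key 'ServerList'
    $noWarn   = Get-PolicyValue $Key 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyValue $Key 'UpdatePromptSettings'

    $findings = @()
    if ($restrict -eq 0) {
        $findings += 'Non-admin users may install print drivers (value is 0).'
        # Relaxing the restriction without a server allow-list trusts any print server.
        if ($trusted -ne 1 -or [string]::IsNullOrWhiteSpace($servers)) {
            $findings += 'WARNING: no approved print server list is enforced with it.'
        }
    } else {
        $findings += 'Driver installation requires admin rights (default); users see an elevation prompt.'
    }
    if ($noWarn -eq 1) { $findings += 'WARNING: install prompts are suppressed for new connections.' }
    if ($null -ne $update -and $update -ne 0) { $findings += 'WARNING: prompts are reduced or suppressed for driver updates.' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RestrictToAdmin = $restrict
        ApprovedServers = if ($servers) { $servers -split ';' } else { @() }
        Findings        = $findings
    }
}

Test-PointAndPrintPolicy | Format-List
```

Run it on a client after `gpupdate /force` to confirm which of the GPO settings from the question actually reached the machine.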