This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 99%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Dears
We want to deploy Printers and Drivers to users via GPO.
We already created Printers GPO to add/remove printers based on the users group membership.
We have Windows 10 22h2 ans Windows 11 23H2 clients and our policies are now configured like this:
This way we should be able to deploy printers to non-admins users; we cannot deploy Typev4 drivers because our devices have really poor type v4 quality drivers.
1- Is the one above an "acceptable" solution?
2- Is there any specific patch to install on Windows 10 22h2/Windows 11/23h2 about Print Nightmare CVE via WSUS? I did not find anything specific.
3- Any other suggestion?
Thanks!
1- Not yet, you are missing one more GPO setting where you should list your approved driver package source servers, which should list only your trusted Print servers you have installed the desired drivers on for distribution.
Computer Configuration\Administrative Templates\Printers\Package Point and print - Approved servers
2- Print Nightmare was addressed back in 2021 so if your computer are regularly patched with Microsoft CU monthly patches they will already be patched as per (Print Nightmare CVE-2021-34481)
3- Ensure RBAC controls are in place to properly secure access and permissions to your print servers to ensure only trusted admins can login and administer those servers, additionally only install fully signed drivers on your print servers.
The GPO deployment method only works with Package-aware v3 signed print drivers. You can tell if your drivers are of this type by looking in your print server management console after installing the drivers on the print server, under the drivers section check the "Packaged" column, it must say "true".
Then ensure additional RBAC controls in your AD are applied to ensure only specified admins can administer your security groups that are linked to the GPP settings to deploy the printers.
Hello,
When the client connects to the printer, it will trigger the driver version detection and compare the files in the C:\Windows\System32\spool\drivers\x64\3 path between the server and the client. If the file version of the client is lower than the file version of the server, the driver on the client will be updated.
Security updates released on and after July 6, 2021 contain protections for a remote code execution vulnerability in the Windows Print Spooler service (spoolsv.exe) known as “PrintNightmare”, documented in CVE-2021-34527. After installing the July 2021 and later updates, non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
You can try to configure the registry with RDITA=0 on the client. The command line is as follows(administrator). When a newer version of the server is detected, you can have permission to install the new version of the driver.
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
If the Answer is helpful, please click "Accept Answer" and upvote it.
The drivers will need to be Microsoft signed drivers. Vendor or self signed will no longer silently install. Let us know if there are any Windows events, either in PrintService or Application events. Thanks