Print Nightmare - More acceptable solution to deploy Printers and Drivers via GPO

A Ska 241 Reputation points
2024-05-23T16:34:09.5066667+00:00

Dears

We want to deploy Printers and Drivers to users via GPO.

We already created Printers GPO to add/remove printers based on the users group membership.

We have Windows 10 22H2 and Windows 11 23H2 clients and our policies are now configured like this:


This way we should be able to deploy printers to non-admin users; we cannot deploy Type v4 drivers because our devices have really poor quality Type v4 drivers.

1- Is the one above an "acceptable" solution?

2- Is there any specific patch to install on Windows 10 22h2/Windows 11/23h2 about Print Nightmare CVE via WSUS? I did not find anything specific.

3- Any other suggestion?

Thanks!


2 answers

  1. Karlie Weng 15,761 Reputation points Microsoft Vendor
    2024-05-28T07:08:28.05+00:00

    Hello,

    When the client connects to the printer, it will trigger the driver version detection and compare the files in the C:\Windows\System32\spool\drivers\x64\3 path between the server and the client. If the file version of the client is lower than the file version of the server, the driver on the client will be updated.

    Security updates released on and after July 6, 2021 contain protections for a remote code execution vulnerability in the Windows Print Spooler service (spoolsv.exe) known as “PrintNightmare”, documented in CVE-2021-34527. After installing the July 2021 and later updates, non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.

    You can try to configure the registry with RDITA=0 on the client. The command line is as follows (run as administrator). When a newer version of the driver is detected on the server, you will have permission to install the new version of the driver.

    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f


    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Alan Morris 1,161 Reputation points
    2024-05-25T04:03:49.46+00:00

    The drivers will need to be Microsoft signed drivers. Vendor or self signed will no longer silently install. Let us know if there are any Windows events, either in PrintService or Application events. Thanks

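The two answers above point at a registry value (RDITA) and at the PrintService event logs. The following audit script is an added example, not code from either answer or from Microsoft: it reads the PointAndPrint policy values on a client and reports whether the weakened state RDITA=0 (or the NoWarningNoElevationOnInstall=1 / UpdatePromptSettings=2 combination) is present, then lists recent PrintService errors and warnings. It assumes an elevated PowerShell session on a Windows 10/11 client and changes nothing.

```powershell
# Added audit script (not from the thread). Read-only: reports Point and Print
# policy state and recent PrintService events. Assumes an elevated session.

$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the value is absent, in which case the built-in default applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PointAndPrintHardening {
    $rdita  = Get-PolicyValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'
    $noWarn = Get-PolicyValue $PointAndPrint 'NoWarningNoElevationOnInstall'
    $update = Get-PolicyValue $PointAndPrint 'UpdatePromptSettings'
    $findings = @()

    # Absent or 1 = only administrators install drivers (default since the July 2021
    # updates); 0 = the weakened state proposed in the first answer.
    if ($rdita -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admins can install print drivers'
    }
    # Together these two values remove both the warning and the elevation prompt.
    if ($noWarn -eq 1 -and $update -eq 2) {
        $findings += 'NoWarningNoElevationOnInstall=1 and UpdatePromptSettings=2: silent driver install'
    }
    $rditaShown = if ($null -eq $rdita) { 'not set (defaults to 1)' } else { $rdita }

    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $rditaShown
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        Findings                                   = $findings
    }
}

function Get-RecentPrintServiceErrors {
    param([int]$Max = 20)
    # Level 2 = Error, 3 = Warning. The Admin log is enabled by default; SilentlyContinue
    # covers the "No events were found" error Get-WinEvent raises on an empty result.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Level = 2, 3 } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Test-PointAndPrintHardening | Format-List
Get-RecentPrintServiceErrors | Format-Table -Wrap
```

If Findings is non-empty, the client accepts driver installs from non-admin users, so the driver signing requirement mentioned in the second answer is the remaining control and the PrintService/Admin entries are where failed installs will show up.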