How can we allow the installation or update of printer drivers with Group Policy Objects without the user being an administrator after update KB5005033?

Sandrine Marquis 151 Reputation points
2021-08-11T19:23:43.573+00:00

The update KB5005033 broke the GPOs I use to install/update printer drivers on my domain.
Now users are prompted to enter the credentials of an administrator to install/update their printer driver.
I have more than 400 computers used by as many users in more than 20 locations.

Here's the information on the update in question: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4

I used the following documentation to try to allow the users to install drivers from our recognized servers, with no success: https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

I'm out of options. Any idea?


41 answers

  1. jameselees 51 Reputation points
    2021-08-12T15:04:38.693+00:00

    From testing it appears Type 4 - User Mode Drivers are not prompting. The drivers must be on the client computer already from the OS image, Windows Update/WSUS, or installed using a tool with admin credentials. The installed printer will get driver settings from the print server but not the driver itself.

    Problem is, even a lot of recently updated drivers are Type 3, and I can't find Type 4...

    4 people found this answer helpful.

  2. Saxe 326 Reputation points
    2021-08-12T15:37:39.293+00:00

    We were using Point and Print restrictions via GPO before PrintNightmare and we are also doing it now, so I added the regkey
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
    to get back the old behaviour.

    Default users can install the printer and driver from two print servers without being admin; if they try to install it from somewhere else, UAC will appear.

    3 people found this answer helpful.
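
An added example, not part of the original answer: a PowerShell audit that reads the value set in the workaround above together with the Point and Print Restrictions and Package Point and Print approved-server policy values, and reports whether non-admin driver installation is enabled and whether it is limited to a named server list. The function names and finding strings are assumptions made for this example.

```powershell
# Added example; Get-PolicyValue and Get-PointAndPrintAudit are hypothetical helper names.
$Base = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PointAndPrintAudit {
    $pnp = "$Base\PointAndPrint"
    $pkg = "$Base\PackagePointAndPrint"
    $findings = @()

    # 0 lets non-administrators install drivers; 1 or absent (post-update default) requires admin.
    $restrict = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings += 'Non-administrators can install printer drivers (value is 0).'
    } else {
        $findings += 'Printer driver installation requires administrator rights.'
    }

    # Point and Print Restrictions: TrustedServers = 1 enforces ServerList.
    $servers = Get-PolicyValue $pnp 'ServerList'
    if ((Get-PolicyValue $pnp 'TrustedServers') -eq 1 -and $servers) {
        $findings += "Point and Print is limited to: $servers"
    } elseif ($restrict -eq 0) {
        $findings += 'WARNING: value is 0 but no trusted server list is enforced.'
    }
    # Prompt settings: 0 or absent keeps the warning and elevation prompts on.
    if ((Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall') -eq 1) {
        $findings += 'WARNING: prompts are suppressed for new connections.'
    }
    $update = Get-PolicyValue $pnp 'UpdatePromptSettings'
    if ($update -in 1, 2) {
        $findings += "WARNING: prompts are reduced on driver update (value is $update)."
    }
    # Package Point and Print - Approved servers.
    $list = Get-Item -Path "$pkg\ListofServers" -ErrorAction SilentlyContinue
    if ((Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -eq 1 -and $list) {
        $findings += 'Package Point and Print servers: ' + ($list.GetValueNames() -join ';')
    } elseif ($restrict -eq 0) {
        $findings += 'WARNING: no Package Point and Print approved-server list.'
    }
    return $findings
}

Get-PointAndPrintAudit
```

Run it on a client after Group Policy has refreshed; any WARNING line marks a machine where the relaxed setting is not paired with a server restriction or where prompts have been turned off.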

  3. Sandrine Marquis 151 Reputation points
    2021-08-12T10:34:03.7+00:00

    I don't know what you are talking about when you write v4 drivers. And I'm not trying to relax the security... I don't want to have to give admin credentials to hundreds of users for the printers to work on more than 400 computers.

    I use packaged drivers on my Windows servers that I use as print servers. The drivers are from known locations. The GPOs and printers are configured by me. And I'm not pointing to an unknown location for those drivers.

    Because of this change I have hundreds of computers in more than 20 locations asking regular users for admin credentials to update printer drivers... The worst part is... those drivers are the last available version and don't need to be updated.

    I can't believe I'm the only one with this problem. It's an actual user who is trying to install printers; it's a known server process pushing configuration to known computers using recognized user credentials.

    I won't remote access hundreds of computers to enter admin credentials. It's not a solution.

    2 people found this answer helpful.

  4. Lancaster, Ben 21 Reputation points
    2021-08-12T13:23:24.297+00:00

    Hi, we are also having the same issue. Since installing the KB, all users are being prompted to elevate permissions when trying to print. We have logged a support call with Microsoft. There is some information on this link - https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

    2 people found this answer helpful.

  5. JerryS 11 Reputation points
    2021-08-12T16:39:05.233+00:00

    Same issue as everyone else. Big headache. Sounds like Microsoft hasn't even fixed the real security issue either. They released another new CVE just yesterday and the workaround is once again to disable the print spooler: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

    2 people found this answer helpful.