Question

12 Votes
SandrineMarquis-3090 asked, ErikCalzada-4383 commented

How can we allow the installation or update of printer drivers with Group Policy Objects without the user being an administrator after updating KB5005033?

The update KB5005033 broke the GPOs I use to install/update printer drivers on my domain.
Now users are prompted to enter the credentials of an administrator to install/update their printer driver.
I have more than 400 computers used by as many users in more than 20 locations.

Here's the information on the update in question: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4

I used the following documentation to try to allow the users to install drivers from our recognized servers, with no success: https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

I'm out of options. Any idea?

Tags: windows-server, windows-group-policy, windows-server-print

Reviewing KB5005652 will offer some solutions.
One of them is to deploy a new registry key which will UNDO the restriction:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 0 (REG_DWORD)

This way, it will all keep on working the way it was before KB5005033.
BE AWARE: this will also keep the vulnerability active.

3 Votes

Do you make this registry addition on the Printer Server or at the user's end (e.g. Local device or Remote Desktop Server)?

0 Votes

Add it to your endpoints/user's end. I tried it on a print server to confirm, and you'll basically have to roll out the GPO to add this registry key for multiple devices.

Do follow the mitigation steps outlined in https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872, but you will still be vulnerable.

0 Votes

This worked for me. Rolled the registry tweak out via GPO.
We will be using this fix until we change the way we install printers.
Maybe via PaperCut MF going forward.

0 Votes

This has me wondering, why does Microsoft not fix the vulnerability in the Print Spooler instead of blocking users from installing print drivers?

Or is this only a temporary mitigation, and we will see an actual fix for the print spooler at a later date?

2 Votes

I've been making "some" progress on this, although it's painful and annoying.

I went to our print server and updated every printer to use V4 / Type 4 drivers. But that didn't seem to totally fix the issue. Users could now click "Add printer", browse our AD and get a printer. But we deploy printers via GPO... Those were still messed up.

On one printer that had an updated driver, I undeployed it. GPUPDATE /FORCE on a workstation. The printer still showed on the workstation, but faded out. Then I deployed the printer to the GPO of that workstation. GPUPDATE /FORCE again. The faded printer was still there. I stopped the Print Spooler on the workstation. The faded printer was still there. Started the spooler. Waited a minute or so, and that faded printer lit up. I clicked it and the "Device driver unavailable" message was gone. The user could print.

HOWEVER! I looked at the Printer Properties of the object, and got prompted to install Point and Print drivers. I declined. Maybe I should have agreed. But the user could still print.

I'm not sure if this is a solution or a workaround. Definitely not a solution for 500 users.

1 Vote

Since KB5005033 caused some issues with our print servers (requiring admin credentials on installs), we applied the following, which allows users to install new printers from our print server without admin credentials. Then we applied a scheduled task right after the install to change the registry edit back to requiring admin credentials on non-domain printer installs, which keeps the printer vulnerability fix applied.

Create a GPO:
User > Preferences > Registry, and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" with RestrictDriverInstallationToAdministrators as a DWORD value of 0.

Add these registry values as well, in the same location:
UpdatePromptSettings (DWORD) = 0
NoWarningNoElevationOnInstall (DWORD) = 0

The scheduled task toggles "admin credentials required" back on after the printer install from the print server; it runs as cmd with:
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f

1 Vote

I enabled point and print restrictions to my print server, and now end users are able to click the Update Driver button themselves without a UAC prompt.

0 Votes

Can you share with us what exactly you've done to enable this properly?

5 Votes

Yes, but my users get their printers via login script, so they never see the prompt, as it is done by applying the GPO before they get a desktop screen. This is a major issue for us and created mass havoc. Even if they try to install the printer manually from an approved print server via Point and Print, they get a prompt for admin credentials to install the drivers. The only workaround I have figured out at this point is to remove KB5003033. MICROSOFT PLEASE RESPOND AND FIX!!!!!!

5 Votes

0 Votes
DonPickard-7259 answered, DonPickard-7259 commented

Edit: are you using v4 drivers?
Or are you trying to relax the security?


There are a number of suggestions here; may be useful?

https://groups.google.com/g/patchmanagement/c/e_DIsRk4V8U

1 Vote
1 Vote
SandrineMarquis-3090 answered, Surge-5679 commented

I don't know what you are talking about when you write v4 drivers. And I'm not trying to relax the security... I don't want to have to give admin credentials to hundreds of users for the printers to work on more than 400 computers.

I use packaged drivers on my Windows servers that I use as print servers. The drivers are from known locations. The GPOs and printers are configured by me. And I'm not pointing to unknown locations for those drivers.

Because of this change I have hundreds of computers in more than 20 locations asking regular users for admin credentials to update printer drivers... The worst part is... those drivers are the latest available version and don't need to be updated.

I can't believe I'm the only one with this problem. It's actual users who are trying to install printers; it's a known server process pushing configuration to known computers using recognized user credentials.

I won't remote into hundreds of computers to enter admin credentials. It's not a solution.


You are not the only one with this issue; I have the same. It seems to only be a particular driver that is affected by the issue. Users are prompted to update this driver, but the drivers haven't been changed.

1 Vote

You're not alone. Some MS update has blown up our print servers too. It's also very sporadic. I'm also seeing MULTIPLE versions of the same printer listed in Devices and Printers, and they all say "Unknown Device Driver". When you go to File, Print, the printers aren't even there.

If you do see them, you get prompted to install the driver. There's a registry hack to let the non-admin install the driver, but that's a bandaid, not a solution.

I've updated drivers for the printers on my print server hoping that the drivers would be trusted, but it's not really working through pushed printers.

I tried to add the GPO to only let Point and Print printers print through a trusted print server, but that didn't seem to help.

1 Vote

I hope we'll find a solution.

0 Votes

V4 or Mode 4 drivers are the newest type of print driver for MS Print Servers. I've been avoiding them for years but now they are a necessity. Depending on your brand of printers/copiers, you may or may not have access to V4 drivers right now. I cannot find Brother or HP mode 4 drivers, however my BizHubs and Kyoceras are now using V4 and no more admin prompt, etc. Nothing. I just changed them under the shared object on the print server and it pushes it to the workstations.

0 Votes

I was able to find HP Type-4 and class drivers by using the Windows Catalog. Specifically, Class Drivers, which are supposed to be Type-4, but they still do not work correctly. I've used Type-4 drivers provided by the vendor and available in the Windows Catalog for clients, and some printers simply do not work. After dozens of experiments, I'm concluding that as of this writing the Type-4 driver approach is not reliable, and with the MS patch requiring admin credentials the print manager has been deprecated.

0 Votes

I'm right there with you!

0 Votes

You are not alone. I am having this issue also on my 2019 server for PaperCut.

0 Votes

0 Votes
SandrineMarquis-3090 answered

You're probably right. I was thinking people were complaining after the update and others were not because the update wasn't applied yet. It's probably the driver. Now the problem is how to fix this when the problem comes from different drivers... if this is the latest version of those specific drivers.


2 Votes
LancasterBen-7330 answered, LancasterBen-7330 commented

Hi, we are also having the same issue. Since installing the KB, all users are being prompted to elevate permissions when trying to print. We have logged a support call with Microsoft. There is some information at this link: https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872


Still pursuing with Microsoft via a support call. Initially being told this is a known issue.

1 Vote

Keep us up to date. I tried the solution in the link you just gave us with no success.
I'll try to contact the company to check if it's a problem with certain drivers and not Windows.
And I'll come back here if I find anything.

0 Votes

I hope you get a solution from Microsoft, because here it's getting worse. Now none of my printers are installing on new setups, and those that were installed are disappearing.

0 Votes

Seems to work *) in my limited test. I also followed https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/

It might be important to restrict Point and Print to specific servers, if you want a little bit of security.

*) the "RestrictDriverInstallationToAdministrators" registry fix from the link

0 Votes
2 Votes
jameselees-0450 answered, davemacholz-6289 commented

From testing, it appears Type 4 (User Mode) drivers are not prompting. The drivers must already be on the client computer, from the OS image, Windows Update/WSUS, or installed using a tool with admin credentials. The installed printer will get driver settings from the print server but not the driver itself.

Problem is even a lot of recent updated drivers are Type 3 and can't find Type 4....

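The first thing this answer implies you need on the print server is an inventory of which shared queues still use Type 3 drivers, since those are the ones that keep prompting. The following PowerShell is an added example written for this thread; it is not code from the thread or from Microsoft. It assumes the PrintManagement module (Windows Server 2012 or later) and that the MajorVersion property of Get-PrinterDriver is 3 for Type 3 and 4 for Type 4 drivers.

```powershell
# Added example, not from the thread or from Microsoft: inventory the driver
# type of every shared queue on a print server.
# Assumes the PrintManagement module (Windows Server 2012 or later) and that
# Get-PrinterDriver's MajorVersion is 3 for Type 3 and 4 for Type 4 drivers.
Import-Module PrintManagement

# Index installed drivers by name. If the same name is installed for several
# processor architectures the last one wins, which is fine for type/vendor.
$drivers = @{}
foreach ($d in Get-PrinterDriver) { $drivers[$d.Name] = $d }

$report = foreach ($p in Get-Printer | Where-Object { $_.Shared }) {
    $d = $drivers[$p.DriverName]
    $type = if ($d) { "Type $($d.MajorVersion)" } else { 'unknown' }
    $mfr  = if ($d) { $d.Manufacturer } else { $null }
    $inf  = if ($d) { $d.InfPath } else { $null }
    [pscustomobject]@{
        Printer      = $p.Name
        ShareName    = $p.ShareName
        Driver       = $p.DriverName
        DriverType   = $type
        Manufacturer = $mfr
        InfPath      = $inf
    }
}

# Queues still on Type 3 drivers are the ones the thread reports prompting
# for administrator credentials on client installs after KB5005033.
$type3 = @($report | Where-Object { $_.DriverType -eq 'Type 3' })
'{0} shared queues, {1} still on Type 3 drivers' -f @($report).Count, $type3.Count
$type3 | Sort-Object Manufacturer, Driver |
    Format-Table Printer, ShareName, Driver, Manufacturer -AutoSize

# Keep a copy for planning the Type 4 migration discussed in the thread.
$report | Export-Csv -Path (Join-Path $env:TEMP 'printer-driver-types.csv') -NoTypeInformation
```

Run it in an elevated session on each print server; the CSV gives you the per-vendor list to check against what the vendor actually ships as a Type 4 driver, which the later comments note is missing for some brands.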

And Type 4 drivers need to be digitally signed. In one case for our Xerox printer, we have an older Win2008 print server (being held up from retirement due to legacy issues) that doesn't offer a signed version of the driver from Xerox. The 2012 and 2016 server version seems to be signed.

3 Votes

Glad to hear some are making some headway on this. Wish Microsoft would publish this sort of data to help.

0 Votes

Sorry, but in my environment having the driver in the OS image isn't an option.
I won't reinstall 400 computers... and add hundreds of possible printer drivers... and printer models are changing so fast that it's impossible to keep up.

And what happens if the driver needs to be updated...

It's not funny at all and not a realistic solution.

Now my users are losing their printers that are already configured.

1 Vote

Check to see if you can change the driver to a Type 4. We found this works: just changing the driver for Xerox to Type 4 vs Type 3.

2 Votes

And to clarify that's changing the driver type on the print server to Type 4 Driver.

0 Votes

I'll look into this. I'll try to figure out how to change this. Thank you.

0 Votes

Seems to be my version 4 drivers also, from the few tickets I have seen so far. I know this will get worse soon, but uninstalling the Windows update from the client PC is the only thing I've seen work yet.

I have about 1200-1500 printers in my enterprise and I have a feeling Monday is not going to be a good day.

1 Vote

3 Votes
Saxe6769 answered

We were using Point and Print restrictions via GPO before PrintNightmare and we are still doing it now, so I added the regkey
"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
to get back the old behaviour.

Default users can install the printer & driver from two print servers without being admin; if they try to install it from somewhere else, UAC will appear.



1 Vote
JerryS-5683 answered

Same issue as everyone else. Big headache. Sounds like Microsoft hasn't even fixed the real security issue either. They released another new CVE just yesterday and the workaround is once again to disable the print spooler: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958



0 Votes
JohnCarr-5987 answered

Having the same issue here, but possibly even worse.

Users are getting prompted "Do you trust this printer?" and then have to click "Install Drivers". But they can't unless they're an admin. As a workaround, we do that registry hack to let non-admins install drivers. But we're 500 users, 11 locations, and 50 or so printers deployed via GPO from 2 print servers. Been working fine for YEARS, and now all of a sudden, it's a major headache.

The GPO issue also seems to be creating multiple versions of the same printer, none of which can be printed to, because when you click them, the status says, "Driver is unavailable".

So now we have some computers that have 60-70 non-working print objects listed in Devices and Printers, when last week there were probably only 6 working printers listed. Even if we get a working printer, how do we clean up this mess of 10x versions of the same printer?

Whew, MS has messed up big time here.


1 Vote
DaveMcGill-5650 answered

I am experiencing the same issues here, and it is creating a massive headache. We deploy printers via GPO login script. I have the GPO and the registry key below added to a test machine, but am still getting prompted "Do you trust this printer"; administrators don't get that prompt.

Point and Print restrictions via GPO before PrintNightmare, and we are doing it also now, so I added the regkey
"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

Because we are using login scripts, the user login hangs for 10+ minutes before allowing the user in. PLEASE HELP!


1 Vote
ThomasP313 answered, KenOConnor-7858 commented

Same issue for me.

Tried to totally disable "Point and Print Restrictions" (both the computer and user part) because of this.
For some users who already have printers installed, some printers ask to update the driver and then prompt for admin credentials.
For some users, no issue with installed printers.

But if I don't have any printer and try to install one, the user is prompted for admin credentials, even if I installed the printer driver with an admin account before (pnputil + Add-PrinterDriver).



I have a bunch of HP printers, so what's the solution for them? Not finding any v4 drivers for them. In the process of testing the Kyocera v4 drivers.

1 Vote

I just finished updating all of my BizHub and Kyocera drivers with 100% success. I've found ZERO regarding HP v4 drivers. This isn't good.

0 Votes

After many tests, we've found only 2 solutions.
One will be applied very soon, the second after some tests because of the change.

Will be applied very soon:
Apply the part "Partial mitigations for environments that cannot use the default behavior" of KB5005652
- RestrictDriverInstallationToAdministrators to 0
- Permit only servers that we trust (domain.local)
- This solution works with V3 drivers (CANON)

Will be applied after some tests:
- RestrictDriverInstallationToAdministrators to 1
- Change CANON drivers to V4
- This solution works, but needs a lot of tests before changing drivers. We lose a lot of print options with V4 drivers.

Hope it could help someone.

1 Vote
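Three posts in this thread set the same PointAndPrint values by different routes: the first answer's registry key, the GPO-plus-scheduled-task toggle that flips RestrictDriverInstallationToAdministrators back to 1 after install, and the KB5005652 partial mitigation above (value 0 but only trusted servers allowed). The following PowerShell is an added example for checking which of those states a workstation is actually in; it is not code from the thread or from Microsoft. The registry path and the three values RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall and UpdatePromptSettings are the ones quoted in the thread; Restricted, TrustedServers and ServerList are assumed here to be the values behind the "Point and Print Restrictions" GPO setting (from the policy template, not quoted in the thread), and the state classification is this example's own.

```powershell
# Added example, not from the thread or from Microsoft: report the Point and
# Print policy state of this workstation. Registry path and the first three
# value names are quoted in the thread; Restricted / TrustedServers /
# ServerList are assumed to be the values set by the "Point and Print
# Restrictions" GPO setting. Run in an elevated session on the client.
$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the policy value (or the whole key) is not set.
    try { (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$restrictToAdmins = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
$noWarning        = Get-PolicyValue 'NoWarningNoElevationOnInstall'
$updatePrompt     = Get-PolicyValue 'UpdatePromptSettings'
$restricted       = Get-PolicyValue 'Restricted'       # policy enabled (assumed name)
$trustedServers   = Get-PolicyValue 'TrustedServers'   # "only these servers" (assumed name)
$serverList       = Get-PolicyValue 'ServerList'       # semicolon-separated FQDNs (assumed name)

[pscustomobject]@{
    RestrictDriverInstallationToAdministrators = $restrictToAdmins
    NoWarningNoElevationOnInstall              = $noWarning
    UpdatePromptSettings                       = $updatePrompt
    PointAndPrintRestrictionsEnabled           = $restricted
    TrustedServersOnly                         = $trustedServers
    ServerList                                 = $serverList
} | Format-List

# After KB5005033 the default (value absent or 1) is admin-only driver
# installation, which is what the thread's scheduled task restores.
if ($null -eq $restrictToAdmins -or $restrictToAdmins -eq 1) {
    Write-Host 'State: driver installation restricted to administrators (KB5005033 default).'
}
elseif ($restricted -eq 1 -and $trustedServers -eq 1 -and $serverList) {
    Write-Host "State: restriction lifted, Point and Print limited to: $serverList"
    Write-Host '(the KB5005652 partial mitigation described in the thread)'
}
else {
    Write-Warning 'State: restriction lifted with NO trusted-server list; any print server can supply drivers to non-admins (pre-KB5005033 behaviour, vulnerability still exposed).'
}

# The thread's GPO sets both prompt values to 0; anything else relaxes the
# warning/elevation prompts that KB5005652 recommends keeping.
foreach ($pair in @(@('NoWarningNoElevationOnInstall', $noWarning), @('UpdatePromptSettings', $updatePrompt))) {
    if ($null -ne $pair[1] -and $pair[1] -ne 0) {
        Write-Warning "$($pair[0]) is $($pair[1]) (not 0): install prompts are relaxed."
    }
}
```

If you use the scheduled-task toggle from the comment above, running this after a login confirms whether the task actually flipped the value back to 1; if it reports the third state on a machine that is supposed to be on the partial mitigation, the Point and Print Restrictions GPO did not apply.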

@ThomasP313 Your second option is where we're at, and we're finding out that Kyocera V4 drivers take long to print large documents, and due to the nature of our business, that's not acceptable for us.

It really looks like printer makers need to re-write their V4 drivers to be as useful as V3 drivers.

0 Votes

First, Konica does offer v4 drivers, but you get basic print functionality from them. If you need user box or stapler and other options, v4 is not for you.

HP makes a UPD, so really it is one driver.

Not really sure what workaround really works, as I am still fighting the "disable admin prompts" approach; for most it still prompts.

Had found some other solutions that talk about authorizing the print servers as Package Point and Print approved servers, but have had hit-or-miss luck with that as well.

MS really needs to clean up their mess.

0 Votes