This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 66%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
The update kb5005033 broke the GPOs I use to install/update printer drivers on my domain.
Now users are prompt to enter the credentials of an administrator to install/update their printer driver.
I have more than 400 computers use by as many users in more than 20 locations.
here's the information of the update in question : https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4
I use the following documentation to try to allow the users to install drivers from our reconsize servers with no success.. https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
I'm out of options. any idea?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 59%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
I enabled point and print restrictions to my print server, and now end users are able to click the Update Driver button themselves without a UAC prompt.
can you share with us what exactly you've done to enable this properly?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 98%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Yes, but my users get their printers via login script, so they never see the prompt as it is done by applying the GPO before they get a desktop screen. This is a major issue for us and created mass havoc. Even if they try to install the printer manually from approved print server via point and print, they get a prompt for admin credentials to install the drivers. The only workaround I have figured out at this point is to remove KB5003033. MICROSOFT PLEASE RESPOND AND FIX!!!!!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 8%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
I've been making "some" progress on this, although its painful and annoying.
I went to our print server and updated every printer to use V4 / Type 4 drivers. But that didn't seem to totally fix the issue. Users could now click "add printer" and browse our AD and get a printer. But we Deploy printers via GPO.... Those were still messed up.
On one printer that had an updated driver, I undeployed it. GPUPDATE /FORCE on a workstation. The printer still showed on the workstation, but faded out. Then I deployed the printer to the GPO of that workstation. GPUPDATE /FORCE again. The faded printer was still there. I stopped the Print Spooler on the workstation. The faded printer was still there. Started the spooler. Waited a minute or so, that faded printer lit up. clicked it and the "Device driver unavailable" message was gone. User could print.
HOWEVER! I looked at the Printer Properties of the object, and got prompted to install Point and Print drivers. I declined. Maybe I should have agreed. But user could still print.
I'm not sure if this is a solution or a work around. Definitely not a solution for 500 users.
Reviewing kb5005652 will offer some solutions.
One of them is to deploy a new Registry key which will UNDO the restriction.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 0 (REG_DWORD)
This way, it will all keep on working the way it was before KB5005033.
BE AWARE. This will also keep the Vulnerability active.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 52%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Do you make this registry addition on the Printer Server or at the user's end (e.g. Local device or Remote Desktop Server)?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 66%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENN%3C/text%3E%3C/svg%3E)
Add it to your endpoints/user's end. Tried on a printer server to confirm, and you'll basically have to roll out the GPO to add this registry key for multiple devices.
Do follow the mitigations steps outlined in https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872, but you will still be vulnerable.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 40%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWC%3C/text%3E%3C/svg%3E)
This worked for me. Rolled the registry tweak out via GPO.
We will be using this fix until we change the way we install printers.
Maybe via papercut MF going forward.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 62%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEC%3C/text%3E%3C/svg%3E)
Since KB5005033 caused some issues with our print servers requiring admin creds on installs we applied the following that allows users to install new printers from our print server without admin creds then we applied a scheduled task right after install to change the reg edit back to requiring admin creds on non domain printer installs and keeps the printer vulnerability fix applied.
Create a GPO
User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0
Add these Reg Keys as well to same location:
DWORD UpdatePromptSettings /v 0
DWORD NoWarningNoElevationOnInstall /v0
Scheduled Task will toggle admin creds required after printer install from print server; run as a cmd
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 8%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
I abandoned my print servers and deployed local queues via SCCM
[Driver App - System Context - No Deployment]
Install script:
cscript c:\windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -m "Xerox GPD PCL6 V5.810.8.0" -h "%~dp0UNIV_5.810.8.0_PCL6_x64_Driver.inf" -i "%~dp0UNIV_5.810.8.0_PCL6_x64_Driver.inf\x3UNIVX.inf"
Detection:
cscript c:\windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -l | findstr /c:"Xerox GPD PCL6 V5.810.8.0,3,Windows x64"
[Port App - System Context - No Deployment]
Install script:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnport.vbs" -a -me -r v1_10.10.10.10 -h 10.10.10.10 -o raw
netsh advfirewall firewall set rule group="SNMP Trap" new enable=Yes
Detection:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnport.vbs" -l | findstr /c:"Port name v1_10.10.10.10"
[Queue App - User Context - User Deployment - Dependency: driver and port apps]
Install script:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs" -a -p "HR Printer" -m "Xerox GPD PCL6 V5.810.8.0" -r "10.10.10.10"
Detection:
cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs" -l | findstr /c:"Printer name HR Printer"
Kind of crazy to just abandon our print servers but at least now we have a secure and workable foundation to migrate to.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 28.000000000000004%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
I have a creative way to do it in SCCM--this is for a single printer. It basically migrates the Add Printer function to software center. I wrapped the powershell script in winforms for a nice user friendly feel, and even used an older way to add printers that can be wrapped in VBscript or any other language.
PDF describes how to test it and deploy it--change the txt file to a .ps1 to use it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 15%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
I prefer a more flexible setup in the domain, at least this one. It's a bit more secure :D
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"Restricted"=dword:00000001
"TrustedServers"=dword:00000000
"ServerList"=""
"InForest"=dword:00000001
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
"RestrictDriverInstallationToAdministrators"=dword:00000000
and open in startup script
explorer \pathtoprinter
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 92%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU2%3C/text%3E%3C/svg%3E)
This has me wondering, why does Microsoft not fix the vulnerability in the Print Spooler instead of blocking users from installing print drivers?
Or is this only a temporary mitigation, and we will see an actual fix for the print spooler at a later date?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 25%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Seems the reg value of 1 breaks some of my connections (2x are to a 2016 box). The others stay (all 2008 r2) valid after the reg value 0, reboot or gpupdate and reg value of 1.
Any further fixes?
I see its also affecting server 2019 RDS.. Any pointers for this?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 39%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Beware of the new RpcAuthnLevelPrivacyEnabled setting turned on by default on servers in September. This may break some printing (Osx) (especially if you haven't patched clients since January).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 54%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Testing this solution in our environment which is Windows Server 2012/2016 and Windows 10 1909/20H2. We created the SCCM package but its not mapping the printer for user. Its installing the printer driver but even after a restart the printer is not mapped for the user. All of our printers are network printers on the print server(s). Looking through this is running as admin so SYSTEM context and yes I see the script is suppose to add the printer per the computer, so all users. But its not working for network based printers. Network based printers on a print server have always been per user.
'
Anyone else seeing this same issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 48%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
I'm having the same issue. We have tested the registry edit
(HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint)
RestrictDriverInstallationToAdministrators = 0 (REG_DWORD)
DWORD UpdatePromptSettings /v 0
DWORD NoWarningNoElevationOnInstall /v0
The edit is working on all the users we've tested. However, does the registry edit open up a hole for the Print Nightmare exploit? We disabled the domain policy that allowed users to install printers due to the Print Nightmare exploit. Are we now putting our environment at risk again?
Hey Lamar,
Good question which is why I added the scheduled task to run after. This scheduled task should be added to the GPO and it will re enable the exploit so you are protected. Basically the reg key makes it able for the user to install the printer when that action is taken and renables the security to protect against the printer nightmare.
Scheduled Task will toggle admin creds required after printer install from print server; run as a cmd
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
From testing it appears Type 4 - User Mode Drivers are not prompting. The drivers must be on the client computer already from OS image, windows update/WSUS or installed using a tool with admin credentials. The installed printer will get driver settings from the print sever but not the driver itself.
Problem is even a lot of recent updated drivers are Type 3 and can't find Type 4....
Sorry but in my environement having the driver in the os image isn't an option.
I won't reinstall 400 computers... and add hundreds of possible printer drivers... and printer model are changing so fast that it's impossible to keep up.
and what happen if the driver needs to be updated...
It's not funny at all and not a realistic solution.
Now my users are loosing their printers that are already configured.
Check to see if you can change driver to a Type 4 - We found this works just changing the Driver for Xerox to Type 4 vs Type 3
And to clarify that's changing the driver type on the print server to Type 4 Driver.
I'll look into this. I'll try to figure out how to change this. thank you.
And Type 4 drivers need to be digitally signed. In one case for our Xerox printer, we have an older Win2008 print server (being held up from retirement due to legacy issues) that doesn't offer a signed version of the driver from Xerox. The 2012 and 2016 server version seems to be signed.
Glad to hear some are making some headway on this. Wish Microsoft would publish this sort of data to help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 62%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
Does changing to Type 4 drivers work?
We are not getting much help from Microsoft via the support call we have logged.
Somewhat...... At least in my environment. We have a Win2012 print server with all the printers installed via IP. We DEPLOY the printers to Computer-GPO to the GPO of each department. This morning I changed every driver on every Xerox printer to the V4 version of the driver.
I do a GPUPDATE /FORCE on the workstation of a user who is complaining. After signing back in, and waiting a few moments, I do eventually see the printer. But I also see lots of other printers I clearly didn't deploy, or sometimes 3-4 versions of the same printer. This will make it difficult for our users do set which printer they want as default. Now, I know that Win10 now sets the default as the last printer you printed to. But sometimes if a user is in Word, and clicks File, Print, they'll see dozens of printer objects now, instead of the 4 or 5 they had before. And to be honest, I'm not sure even this works 100%
The ONLY true solution to get a user to print is to click "ADD PRINTER" and then browse your Active Directory for the printer, and then install it. But that's a manual process and not deployed via GPO.
I wonder if the multiple printers are using the same driver on the type 4 almost like shared driver to those printers?
We switched to the type 4 for those that we could find the driver for but are having issues actually printing. The drivers load with no UAC but job does not print...
We've called Xerox but they said it's a network issue. Will be trying to call back and get another tech.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 36%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Seems to be my version 4 drivers also from the few tickets I have seen so far. I know this will get worse soon, but uninstalling the windows update from the client pc is the only thing i've seen work yet.
I have about 1200-1500 printers in my enterprise and I have a feeling Monday is not going to be a good day.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 92%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
we are using Point and Print restrictions via GPO before printernightmare and we are doing it also now so i added the regkey
"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
to get back the old behaviour.
default users can install the printer & driver from two print servers without being admin, if they try to install it from somewhere else UAC will appear
I don't know what you are talking about when you write v4 drivers. And I'm not trying to relaxe the security.. .I don't want to have to gives admin credentials to hundreds of users for the printers to works on more than 400 computers.
I use packages drives on my windows servers that I use has print servers. The drivers are from I know locations. the GPOs and printes are configured by me. And I'm not pointing to a unknown locations for those drivers.
Because of this change I have hundreds of computers in more than 20 locations asking regular users for admins credentials to update printers driver... The worst part is... those drivers are the last available version and don't need to be updated.
I can't believe I'm the only one with this problem. it's an actual users who is trying to install printers, it's a know server process pushing configuration to know computers using recognized users credentials.
I won't remote access hundreds of computers to entre admin credentials. it's not a solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 92%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
You are not the only one with this issue, I have the same. It seems to only be a particular driver that is affected by the issue. Users a prompted to update this driver but the drivers haven't been changed.
You're not alone. Some MS update has blown up our print servers too. Its also very sporadic. I'm also seeing MULTIPLE versions of the same printer listed in Devices and Printers, and they all say "Unknown Device Driver". When you go to File, Print, the printers aren't even there.
If you do see them, you get prompted to install the driver. There's a registry hack to let the non-admin install the driver, but that's a bandaid, not a solution.
I've updated drivers for the printers on my print server hoping that the drivers would be trusted, but it's not really working through pushed printers.
I tried to add the GPO to only let Point and Print printers print through a trusted print server, but that didn't seem to help.
I hope we'll find a solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 28.000000000000004%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
V4 or Mode 4 drivers are the newest type of print driver for MS Print Servers. I've been avoiding them for years but now they are a necessity. Depending on your brand of printers/copiers, you may or may not have access to V4 drivers right now. I cannot find Brother or HP mode 4 drivers, however my BizHubs and Kyoceras are now using V4 and no more admin prompt, etc. Nothing. I just changed them under the shared object on the print server and it pushes it to the workstations.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 6%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Im right there with you!
You are not alone. I am having this issue also on my 2019 server for Papercut.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 37%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I was able to find HP type-4 and class drivers by using the Windows Catalog. Specifically, Class Drives which are supposed to be Type-4 but they still do not work correctly. I've used type-4 drivers provided by the vendor and available in the Windows Catalog for clients and some printers simply do not work. After dozens of experiments, I'm concluding that as of this writing the type-4 driver approach is not reliable and with the MS patch requiring admin credentials the print manager has been deprecated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 57.99999999999999%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Experiencing the same issue with 2022 server and Papercut. Clients are getting prompted to update printer drivers, but nothing has changed.
Setting the group policy to allow non admin installation works, but we wanted the UAC prompt and even though we have "show warning and elevation prompt" set to enable for installing drivers, the prompt does not happen.
Has anybody found out/fixed why clients are getting prompt for drivers when they shouldn't be?
Hi, we are also having the same issue. Since installing the kb all users are being prompt to elevate permissions when trying to print. We have logged a support call with Microsoft. There is some information on this link - https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
Keep us up to date. I tried the solution on the link you just gave us with no success.
I'll try to communicate with the compagny to check if it's a problem with certain drivers and not windows.
And I'll come back here if I find anything.
I hope you get a solution from microsft because here, it's gettind worst. now of my printers are installing now on new setup and those own were install are disapearing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 87%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETE%3C/text%3E%3C/svg%3E)
Seems to work *) in my limited test. I did also follow https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/
It might be important to restrict point and print to specific servers, if you want a little bit of security.
. *) the "RestrictDriverInstallationToAdministrators" - registry fix from the link
Still pursuing with Microsoft via a support call. Initially being told this is a now issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 76%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Same issue as everyone else. Big headache. Sounds like Microsoft hasn't even fixed the real security issue either. They released another new CVE just yesterday and the workaround is once again to disable the print spooler: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958