Deploying printers to users via Group Policy stopped working

I’ve been pulling my hair out over here for a couple days when I updated the print drivers on our print server and suddenly…users were being prompted for admin credentials to download the updated drivers and were therefore unable to print! Normally they just grabbed the new ones automatically with no need for admin intervention. After following instructions on many (older) articles, and being convinced I was doing everything right… I discovered that KB5005652 had been recently released which specifically disables any non-admins from installing print drivers, despite point-and-print settings, due to the “PrintNightmare” vulnerabilities. Check out the article for an explanation and some workarounds.

Just wanted to share this on the off chance it saves someone else a lot of headache! Or…just don’t update your printer drivers :wink:

Thanks a bunch! I know a few people have been struggling with this latest update.

If you don’t mind sharing, did a particular strategy work for you?

Yeah! The TL;DR is I applied a registry edit via GPO to turn off “RestrictDriverInstallationToAdministrators”. To mitigate some of the risk associated with that, I added the FQDN of our print server to “Package Point and print - Approved servers” and “Point and Print Restrictions” under Computers and Users in Group Policy, so that users can only install printer drivers from our server.

Here’s the detailed version:

  1. Via Group Policy (Computer Configuration > Preferences > Windows Settings > Registry), I added the registry entry “RestrictDriverInstallationToAdministrators” to “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint” and set to 0 (DWORD).
  2. Enabled the following in a GPO:
    • Computer Configuration > Policies > Administrative Templates > Printer > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
    • Computer Configuration > Policies > Administrative Templates > Printer > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Do not show warning or elevation prompt”.]
    • User Configuration > Policies > Administrative Templates > Control Panel > Printers > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
    • User Configuration > Policies > Administrative Templates > Control Panel > Printers > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Show warning only”.]
  3. You may also want to confirm that you have “Computer Configuration > Policies > Administrative Templates > System > Driver Installation > Allow non-administrators to install drivers for these device setup classes” set up with {4658ee7e-f050-11d1-b6bd-00c04fa372a7} and {4d36e979-e325-11ce-bfc1-08002be10318}, which are both printer-related. But if your deployed printers were working before that update went out, then you may have already had this set!

Hope this is helpful!
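
A read-only check of the workaround described in the post above, added here as an example and not part of the original post: it confirms on a client that when "RestrictDriverInstallationToAdministrators" is 0, the computer-side "Point and Print Restrictions" policy actually limits clients to the expected print server(s). The FQDN is a placeholder, and the value names TrustedServers, ServerList, NoWarningNoElevationOnInstall and UpdatePromptSettings are not from the post; they are the registry values that policy writes under the same PointAndPrint key.

```powershell
# Added example: read-only audit of the computer-side Point and Print policy values.
# Placeholder FQDN (assumption); replace with your own print server(s).
$ApprovedServers = @('printserver.example.com')
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = [System.Collections.Generic.List[string]]::new()
$restrict = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'

if ($restrict -ne 0) {
    # Absent or non-zero: the KB5005652 default applies, only admins install drivers.
    $findings.Add('INFO  Driver installation is restricted to administrators.')
} else {
    $findings.Add('WARN  RestrictDriverInstallationToAdministrators = 0 (non-admins can install drivers).')

    # "Point and Print Restrictions" must limit clients to a named server list.
    if ((Get-PolicyValue 'TrustedServers') -ne 1) {
        $findings.Add('FAIL  TrustedServers is not 1: clients are not limited to a server list.')
    }
    # ServerList is a semicolon-separated string of server names.
    $listed = @("$(Get-PolicyValue 'ServerList')" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($listed.Count -eq 0) {
        $findings.Add('FAIL  ServerList is empty.')
    }
    foreach ($server in $listed) {
        if ($server -notin $ApprovedServers) {
            $findings.Add("FAIL  Unexpected server in ServerList: $server")
        }
    }

    # Microsoft's PrintNightmare guidance treats 0 or "not defined" as the secure value.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PolicyValue $name
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("WARN  $name = $value (warning or elevation prompt reduced).")
        }
    }
}

$findings | ForEach-Object { Write-Output $_ }
if (@($findings | Where-Object { $_ -like 'FAIL*' }).Count -gt 0) { exit 1 }
```

Run it on a client after `gpupdate /force`; it only reads the registry and exits with code 1 when the server restriction is missing or lists a server you did not approve.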

Yes, that was a surprise last week. We use PaperCut MF, so I deployed the PaperCut Print Deploy and switched everyone from point and print to Print Deploy.