
Old printers that have always deployed via Print Management > Deploy via GPO are now not deploying for new profiles.

The only changes have been to my Settings GPO with regard to PrintNightmare and disallowing point and print. Under Computer > Policies > AdminTemps > Printers > Point and Print Restrictions:

  • Users can only point and print to these servers: disabled
  • Users can only point and print to machines in their forest: disabled
  • When installing drivers for a new connection: show warning and prompt
  • When updating drivers for an existing connection: show warning and prompt

But new printers do not appear. If I try to deploy the printer via User Preferences (instead of Print Management > Deploy via GPO), it complains about the driver not being available on the client PC.

  • That may be related to the change in default behavior in Point and Print. See: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481 https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872 – Greg Askew Aug 14 '21 at 15:23
  • Okay, confirming now. How do I allow users to only install drivers from the official print server in the org? Do I have to change the default policy back? – kellyredbook Aug 14 '21 at 16:47
  • If you wanted to back out, add the registry value `HKLM\Software\Policies\Microsoft\Windows NT\Printers!PointAndPrintRestrictDriverInstallationToAdministrators` set to 0 in a GPO. But you should also configure allowed Point and Print servers. Otherwise anyone can escalate to SYSTEM in a trivial way. – Greg Askew Aug 14 '21 at 18:01
  • Go make that an answer and I'll mark it. This helped me down the right path to solve the problem. – kellyredbook Aug 14 '21 at 23:10

1 Answer

If you wanted to back out, add the registry value `HKLM\Software\Policies\Microsoft\Windows NT\Printers!PointAndPrintRestrictDriverInstallationToAdministrators` set to 0 in a GPO. But you should also configure allowed Point and Print servers. Otherwise anyone can escalate to SYSTEM in a trivial way.

Greg Askew
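As an added example (not part of the answer or the question), the following PowerShell audits a client's effective Point and Print policy values and flags the combination the answer warns about: driver installation reopened to non-administrators without a trusted server list. The value names come from the Point and Print Restrictions GPO and KB5005652; the function names, severity labels and the constructed sample are my own.

```powershell
# Added example, not from the original post. Reads the Point and Print policy values
# that the GPO settings in the question map to, then reports the risky combination.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintSettings {
    # Read the policy key into a hashtable; values that are not set stay $null.
    $names = 'RestrictDriverInstallationToAdministrators','Restricted','TrustedServers',
             'ServerList','InForest','NoWarningNoElevationOnInstall','UpdatePromptSettings'
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $settings = @{}
    foreach ($n in $names) { $settings[$n] = if ($props) { $props.$n } else { $null } }
    return $settings
}

function Test-PointAndPrintPolicy {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    # After KB5005652 a missing value means "restricted to administrators";
    # only an explicit 0 (the back-out in the answer) reopens non-admin installs.
    $restrictToAdmins = ($null -eq $Settings.RestrictDriverInstallationToAdministrators) -or
                        ($Settings.RestrictDriverInstallationToAdministrators -ne 0)
    $serverList    = [string]$Settings.ServerList
    $hasServerList = ($Settings.TrustedServers -eq 1) -and ($serverList.Trim() -ne '')
    if (-not $restrictToAdmins) {
        if (-not $hasServerList) {
            $findings += 'HIGH: non-admins may install print drivers and no trusted server list is enforced'
        } else {
            $findings += "INFO: non-admin driver installs limited to trusted servers: $serverList"
        }
        # 0 = "show warning and prompt" (the question's setting); 1 or 2 suppress the prompt.
        if ($Settings.NoWarningNoElevationOnInstall -gt 0) { $findings += 'MEDIUM: install warning/prompt suppressed' }
        if ($Settings.UpdatePromptSettings -gt 0)           { $findings += 'MEDIUM: driver-update warning/prompt suppressed' }
    } else {
        $findings += 'OK: print driver installation restricted to administrators'
    }
    return $findings
}

# Constructed sample (not a real host): the back-out from the answer applied
# without "Users can only point and print to these servers" being enabled.
$sample = @{ RestrictDriverInstallationToAdministrators = 0; Restricted = 1; TrustedServers = 0;
             ServerList = ''; InForest = 0; NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0 }
Test-PointAndPrintPolicy -Settings $sample
# On a real client run: Test-PointAndPrintPolicy -Settings (Get-PointAndPrintSettings)
```

Enabling the trusted server list in the GPO and adding the print server's FQDN changes the HIGH finding to INFO while still letting users pick up deployed printers without admin rights.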