Unable to deploy printers via GPO User Configuration after Windows update KB5005033 got installed ("Do you trust this printer?" issue)
Recent (2021-08-10) KB5005033 Windows update actually brings this issue back to life by forcing admins only to install printer drivers (and thus, not allowing printer distribution via User Configuration GPO), quote:
...Updates the default installation privilege requirement so that you must be an administrator to install drivers when using Point and Print...
Suddenly, our users get these popups (only on computers having KB5005033 update installed):
To make it (deploying shared printers in Windows domain via User Configuration GPO) work again...
There are some prerequisities first in Computer Configuration - Policies - Administrative Templates - Printers
(we used to have these enabled a long time ago already):
-
Point and Print Restrictions
:
- must be
ENABLED
-
Do not show warning or elevation prompt
must be set for bothWhen installing drivers for a new connection
andWhen updating drivers for an existing connection
. TheEnter fully qualified server names separated by semicolons
must be filled with proper nameservers (e.g. myPrintserver.mydomain.com;myOtherprintServer.mydomain.com)
-
Package Point and print - Approved servers
:
- is
ENABLED
- contains list of same servers as above
The actual workaround* for KB5005033 issue:
-
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
is set to0
on affected machines - can be done easily via GPO, too:
* This is a workaround, not a fix, because it makes your printservers vulnerable again (which is what KB5005033 tries to "fix" in the first place) - but we do need to print, right... ?
Anybody knows how to fix this properly? (without making printesrvers vulnerable)
Thanks a lot.
Related issues:
- How can I get rid of the "Do you trust this printer" message box and add my printer via GPO?
Microsoft published a summary of various solutions we can use to manage the new behavior.
Specifically:
Install print drivers when the new default setting is enforced
If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers:
Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.
Include the necessary printer drivers in the OS image.
Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.
Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.
[...]
Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
[...]
I recommend you to deploy the printer drivers to your computers, then, remove all deployed Point and Print Group Policies and Package Point and Print Group Policies, as they are not required anymore, and do not set the RestrictDriverInstallationToAdministrators
registry value because this will allow a vulnerability on your clients/servers.
Don't forget that each Windows device where the Print Spooler is enabled is vulnerable if you set the RestrictDriverInstallationToAdministrators
registry value to 0
, it's not about the Print Servers only, clients computers and other Windows servers are impacted too!
Be aware that there is another vulnerability in the Print Spooler at the moment, patch is still pending: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958
Disabling the Print Spooler wherever possible is a good rule of thumb...