Join Log in
Score:1
avatar Server

Unable to deploy printers via GPO User Configuration after Windows update KB5005033 got installed ("Do you trust this printer?" issue)

si flag
crysman

Recent (2021-08-10) KB5005033 Windows update actually brings this issue back to life by forcing admins only to install printer drivers (and thus, not allowing printer distribution via User Configuration GPO), quote:

...Updates the default installation privilege requirement so that you must be an administrator to install drivers when using Point and Print...

Suddenly, our users get these popups (only on computers having KB5005033 update installed):

Do you trust this printer? issue

To make it (deploying shared printers in Windows domain via User Configuration GPO) work again...

There are some prerequisities first in Computer Configuration - Policies - Administrative Templates - Printers (we used to have these enabled a long time ago already):

  1. Point and Print Restrictions:
  • must be ENABLED
  • Do not show warning or elevation prompt must be set for both When installing drivers for a new connection and When updating drivers for an existing connection. The Enter fully qualified server names separated by semicolons must be filled with proper nameservers (e.g. myPrintserver.mydomain.com;myOtherprintServer.mydomain.com)
  1. Package Point and print - Approved servers:
  • is ENABLED
  • contains list of same servers as above

GPO prerequisities

The actual workaround* for KB5005033 issue:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators is set to 0 on affected machines - can be done easily via GPO, too:

The workaround to bypass KB5005033

* This is a workaround, not a fix, because it makes your printservers vulnerable again (which is what KB5005033 tries to "fix" in the first place) - but we do need to print, right... ?

Anybody knows how to fix this properly? (without making printesrvers vulnerable)

Thanks a lot.

Related issues:

14419
2 + 0
Score:2
Swisstone avatar Server
cn flag
Swisstone

Microsoft published a summary of various solutions we can use to manage the new behavior.

Specifically:

Install print drivers when the new default setting is enforced

If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers:

  • Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.

  • Include the necessary printer drivers in the OS image.

  • Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.

  • Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.

[...]
Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
[...]

I recommend you to deploy the printer drivers to your computers, then, remove all deployed Point and Print Group Policies and Package Point and Print Group Policies, as they are not required anymore, and do not set the RestrictDriverInstallationToAdministrators registry value because this will allow a vulnerability on your clients/servers.

Don't forget that each Windows device where the Print Spooler is enabled is vulnerable if you set the RestrictDriverInstallationToAdministrators registry value to 0, it's not about the Print Servers only, clients computers and other Windows servers are impacted too!

Be aware that there is another vulnerability in the Print Spooler at the moment, patch is still pending: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

Disabling the Print Spooler wherever possible is a good rule of thumb...

0 + 6
si flag
crysman
Thanks for information provided, we are cancelling shared printer deployments via user configuration and migrating to direct printer distribution via computer configuration (so fileservers are protected). Print spooler service disabled on fileservers is a real pain, but OK, must be done. One question, though, anybody knows what it actually does in the system when confirming the popup with the admin credentials? Isn't it just modifying the same registry? (I have not tested it yet this way)
0
Reply
si flag
crysman
and second question is: why the hack Microsoft is forcing this on printers and drivers that had been deployed on the machines already? I would understand it in case of new printer adding attempts, but on printers that have already been there... I do not see the sense in it... anyody does?
0
Reply
Swisstone avatar
cn flag
Swisstone
@crysman Clicking on the `Install driver` button and providing admin credentials installs the printer driver. It will not modify the registry value: you'll have to provide admin credentials again when installing another printer driver. Regarding already installed drivers: the behavior is not consistent, it looks like it depends on the printer driver: some of them will not be detected as a new driver and will continue working without asking anything.
0
Reply
si flag
crysman
Regarding to _disable Print Spooler_ "solution" everywhere - if I do it not only on servers, but on clients, too... how the people will print? This is like saying "in order to be safe on roads, stop using them" - it's unrealistic...
0
Reply
si flag
crysman
It seems like the issues depend on whether it is Type-3 or Type-4 printer driver, not certain yet, more tests needed. For those of you also leaving _User Configuration_ as we do and migrating to _Computer Configuration_ printer deployment, be sure to have Type-3 drivers when using TCP/IP printer deployment, since Type-4 is not supported https://www.thewindowsclub.com/unknown-printer-driver-error-0x80070705
0
Reply
si flag
crysman
I've made the tests and now it's seems to be clear... see around here https://serverfault.com/a/1076552/393046
0
Reply
Score:1
avatar Server
si flag
crysman

I've found out two possible solutions, both of them do not provoke any UAC/admin rights prompt:

  1. Switch to Computer Configuration deployment instead (CC -> Pr -> Control panel -> Printers -> New -> TCP/IP). Note that printer driver Type 3 is required on printserver in order to work. Printserver is used only to deploy the printer, after that, affected machines are able to print independent on printserver (e.g. when switched off or unavailable).

  2. Reinstall the printer on printserver with Type 4 driver and continue in using User Configuration deployment (if Type 4 driver is available). I use printmanagement.msc console. How I did it? First, removed all the old drivers to the printer like so: enter image description here

Then plugged the printer in directly (not via our Repotec TCP/IP printserver box) via USB and let MS Windows install the drivers themselves - it installed the "Class" driver, Type 4:

enter image description here

IMPORTANT! Registry hacks like RestrictDriverInstallationToAdministrators are NOT needed, as well as Point and Print Group Policies and Package Point and Print Group Policies - not needed either, if you had them ever applied, follow the Microsoft's official mitigation guide. Also, if you had removed the update KB5005033 as a workaround, install it and get protected.

Good luck!

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.