As a fix for the Print Nightmare, I've disabled the need for administrator privileges to install print drivers (this is working). This is effectively the same as exposing oneself to the Print Nightmare exploit. Which is why I want to "whitelist" certain print servers, in order to partly mitigate the exploit.
To do this, I have tried enabling the GPO:
"Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions".
This GPO is configured as such:
Users can only point and print to these servers: Enabled
Enter fully qualified server names separated by semicolons: test.[DOMAIN].int
Users can only point and print to machines in their forest: Disabled
Security Prompts:
- When installing drivers for a new connection: Do not show warning or elevation prompt
- When updating drivers for an existing connection: Do not show warning or elevation prompt
But the problem is that my clients are still able to print to our print server, although it does not have the FQDN test.[DOMAIN].int. So I'm not convinced that the way I've set up the test-GPO is actually whitelisting anything, thereby leaving us exposed to the Print Nightmare exploit.
I also tried enabling the GPO "Package Point and Print - Approved server" with test.[DOMAIN].int, to no avail.
I need help with understanding what I need to do differently in order to get whitelisting to work.
I've been following this MS article on the subject: KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)