Windows Security Update - Not allowing computers to print

14 views
Skip to first unread message

Stephen Devlin

unread,
Nov 15, 2021, 5:08:02 PM11/15/21
to CESI-list
Hi all,

I would appreciate some advice on how to solve the problem with the new windows security update stopping our follow me printing service.

I am at a loss as to implementing the details outlined below and was hoping someone here might be able to advise me as I have tried numerous avenues to no avail.

Deleting the update works but once its reinstalled the same issue occurs and obviously there's pitfalls to not installing updates.

See details below: (sorry it's a long one)

The September 14th 2021 Monthly Rollup update KB5005613 included part of security update KB5005076 (released August 10, 2021) which changes the default privilege requirement for installing drivers when using Point and Print, which is causing headache for IT administrators with end users being prompted

“printer driver needed”  requiring administrator credentials to complete task or users trying to add new printer.

 

Microsoft released security update KB5005076 to address vulnerability within the Windows Print Spooler (CVE-2021-34481), the security update KB5005652 from August 10th 2021 changes the default privilege requirement for installing drivers when using Point and Print, after installing this update, you must have administrative privileges to install drivers.

 

By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

 

• Install new printers using drivers on a remote computer or server

 

• Update existing printer drivers using drivers from remote computer or server  

 

It is possible to change to a registry key value to disable behaviour but note this makes system vulnerable to CVE-2021-34481 and not recommend by Microsoft, below link to mention registry key

 

https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

 

We have reports of some customers having success deploying the printer mappings through Group Policy but instead of targeting typically users config they target the computer config and printer seems to install running under system account without prompt for elevated account credentials input.

 

Also seen reports where existing printer mappings users are prompted to update driver and prompted for elevated account credentials where the server does not have patch KB5005652 but client PC does or vice versa, as in theory if users PC already has driver installed it should not prompt to update driver but have also seen case where both server and client PC had patch and still prompted.

 

Microsoft line on this change is now to install print drivers when the new default setting is enforced users must use one of the following methods to install printers:

 

  • Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.

 

  • Include the necessary printer drivers in the OS image.

 

  • Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.

 

  • Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers

 

Below some links on further reading about topic

 

https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/

Power

unread,
Nov 16, 2021, 1:00:34 AM11/16/21
to CESI-list
The only feasible options appear to be to temporaility use the Set RestrictDriverInstallationToAdministrators=0 hack and have everyone connect to the printer then set it back again. For microsoft to suggest a sysadmin go around putting in credentials when someone wants to print is laugable. 

Another option I see people use is to set up the printers for direct printing with the IP instead of using a print server. 

A third option is to set up something like papercut (the education licence is reasonable) and use the web print  / Mobility print option which does not require drivers. This also opens up BYOD Chromebook / Ipad printing possiblities. 

Realistically Microsoft will have to come up with something to fix this as it is a massive headache for business. 

Stephen Devlin

unread,
Nov 16, 2021, 3:15:10 AM11/16/21
to CESI-list
Thanks for the response.

The only feasible options appear to be to temporaility use the Set RestrictDriverInstallationToAdministrators=0 hack and have everyone connect to the printer then set it back again. For microsoft to suggest a sysadmin go around putting in credentials when someone wants to print is laugable. 

How do I initiate the above? I couldnt get it to work last week for me. I assume I do this on the server. 

Could another option be to make everyone an administrator. 

This is such an unbelievable headache and yes it would take an age to go to every machine individually and even when I do it still doesn't seem to work.

Stephen

Greg Ashe

unread,
Nov 16, 2021, 4:58:07 AM11/16/21
to cesi...@googlegroups.com
I suggest that you do NOT elevate users to administrators - you run the risk of creating even greater headaches and nightmares

Gregory Ashe
IT Manager



--
--
You received this message because you are subscribed to the Google
Groups "CESI-list" group.
To post to this group, send email to cesi...@googlegroups.com
To unsubscribe from this group, send email to cesi-list+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/cesi-list/9d1dcb74-5f18-4bc0-a802-2d18124b1cf8n%40googlegroups.com.


NB Disclaimer Important: ​
Information in this email (including attachments) is confidential. It is intended for receipt and consideration only by the intended recipient. If you are not an addressee or intended recipient, any use, dissemination, distribution, disclosure, publication or copying of information contained in this email is strictly prohibited. Opinions expressed in this email may be personal to the author and are not necessarily the opinions of Glenstal Abbey or Glenstal Abbey School. If this email has been received by you in error we would be grateful if you could immediately notify the sender, and thereafter delete this e-mail from your system.  

You are requested to carry out your own virus check before opening any attachment. The author, as well as Glenstal Abbey and Glenstal Abbey School, accept no liability for any loss or damage which may be caused by viruses, malware or malicious software.

Glenstal Abbey is a Registered Charity CHY 4001
Glenstal Abbey School is a Registered Charity CHY 21385


Please consider the environment before printing this email.​

Power

unread,
Nov 22, 2021, 1:02:41 AM11/22/21
to CESI-list
That key does not elevate users to admin, it allows non admin users to install drivers. You can set it back afterwards. 
Reply all
Reply to author
Forward
0 new messages