question

DavidYorkshire-8836 avatar image
0 Votes"
DavidYorkshire-8836 asked MDFARMANALIBarcodetechnology-1085 answered

Printer Drivers

We have a central print server which manages most of our printers, including at remote offices - the remote offices are small and the users who work in them do all their work on Server 2019 terminal servers (which are hosted in the same location as the print server). If a user goes to a remote office they don't normally use, they can just install the appropriate printer driver on their terminal server session. Likewise, if a user from a remote office logs into a domain W10 machine in the head office, they can install the driver for a printer there. All worked fine up until now, and only one place to keep drivers up to date and set printing defaults.

Unfortunately, Microsoft's attempt to fix the PrintNightmare bug (https://www.theregister.com/2021/08/11/printnightmare_mitigation/) seems to have utterly broken it.

Now, it's only possible to install a printer driver if actually logged in with an admin account. If it's a non admin account, and the user searches for a printer (using either the settings app or control panel), it find the printer on the print server, then a UAC prompt appears. This would be a pain to manage even if it worked as a screen share would be needed with an admin, but actually it doesn't work - even if valid admin credentials are entered, it still fails to install:
122467-image.png

Both W10 and Server 2019 do exactly the same. Anyone got any suggestions? Installing local copies of the print driver on every machine is not a viable solution, nor is giving the users local admin rights (especially where the terminal servers are concerned).

Thanks


windows-10-generalwindows-server-print
image.png (5.7 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

We ended up going around in circles on this, until we found a work around.

  1. Head to Control Panel, View Devices and Printers

  2. Add a printer

  3. Select "The printer that I want isn't listed"

  4. Click the radio button for "Select a shared printer by name"

  5. In the field add in your network location (if the printers are visible on the network you'll see it once you populate the [\\printerserver]

  6. You'll still need admin to approve the add, but you should not see the same error (which solved it for us)


1 Vote 1 ·

Thanks! Just tried that and it does work.

Microsoft really has made a complete mess of this situation.

0 Votes 0 ·
DavidYorkshire-8836 avatar image
0 Votes"
DavidYorkshire-8836 answered

Just to add that I have also tried launching control panel using control printers from an elevated command prompt. Also tried going to c:\windows\system32\print.exe, right-click and run as administrator. Neither works - when adding a printer the problem described above still occurs.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SSengupta-4080 avatar image
0 Votes"
SSengupta-4080 answered

You may try running the in-built Printer troubleshooter. To launch it , copy and paste this following command in the Run menu:

msdt.exe /id PrinterDiagnostic

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DavidYorkshire-8836 avatar image
0 Votes"
DavidYorkshire-8836 answered

The printer troubleshooter doesn't find anything.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

jameselees-0450 avatar image
0 Votes"
jameselees-0450 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DavidYorkshire-8836 avatar image
0 Votes"
DavidYorkshire-8836 answered

I have seen that and tried it. The GPOs the on their own make no difference - still get the above error even after entering admin credentials Adding the registry key with a value of zero does work, but that then basically re-creates the security hole so I am very reluctant to deploy this.

The comment in the KB "If you must use the registry value of 0 in your environment, we recommend using it temporarily while you adjust your environment to allow Windows devices to use the value of one (1)" is exceptionally unhelpful as it gives no indication as to what we are supposed to do to allow Windows devices to use the value of one - Microsoft seems to be basically trying to offload responsibility for dealing with their serious flaw onto their customers.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered

Hello @DavidYorkshire-8836,


In fact recently we had the PrintNightmare bug, but we've released along with engineering a documentation that can better help this scenario you're facing, it's actually an extra update and a suggestion to change the registry to fix the bug. To check both, just access the link below:

https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b- 6d8e9a302872

If the answer was helpful, please don't forget to vote up or accept as an answer, thanks.

Graciously,
Samuel

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MDFARMANALIBarcodetechnology-1085 avatar image
0 Votes"
MDFARMANALIBarcodetechnology-1085 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.