
ManuelHumbertoGaldamezBarrientos-9129 asked · 13 Votes · Mi4c-4072 commented

Print server and Print Nightmare update

Hi All,

I'm having issues with some Print Servers after running Windows Updates and installed

2021-08 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5005030)

After the update installation I'm getting the error "Connect to printer Windows cannot connect to the printer. Operation failed with error 0x0000011b" and the printer fails to install.

Is there any workaround to keep Print Servers up and running?

I cannot permanently remove the August update, because the Print Nightmare update will come again in the September Cumulative Update.

I also tried to revert the configurations using:
“Allow Print Spooler to accept client connections” policy
HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

Nothing worked. I will appreciate any advice.

Thanks,

Manuel

windows-server-print
· 51

This just hit us this morning too. 9/15/2021. No one can print to the network printers.
I removed KB5005613 from our server and rebooted the server and that fixed it. Had to do that at all 8 of our branch offices too.
Microsoft updates seem to be more like hackers. Not professional.

9 Votes 9 ·

We had same problem, just affecting to Windows 7 computers. After uninstalling 15/09/2021 updates
(KB5005613, KB5005627 and KB5005563) and a long reboot, computers were able to print again.

6 Votes 6 ·

We did the same thing, on our PRINTER Server, and it works.

2 Votes 2 ·
Baronduke-9697 replying to JavierPoloCozar-7884:

Thank you for the help. In my case it was necessary to restart the second server, which was on 2016. Windows should not launch a security update for our security.

2 Votes 2 ·
steviefaux replying to JavierPoloCozar-7884:

Just removed those 3 on our server and now all working.

0 Votes 0 ·

Some of the KBs you removed are cumulative. Printing may have been restored but so was the PrintNightmare problem and other vulnerabilities.

1 Vote 1 ·

Good point, however availability is part of the security triangle. Hopefully M$ will issue a new KB that patches the vulnerability as well as lets users print.

0 Votes 0 ·
38330931 replying to MikePrice-2508:

Same issue. Removed that update, and all devices were able to print after the server was rebooted.

0 Votes 0 ·
Kazim-2121 replying to MikePrice-2508:

Currently experiencing this same issue 09/22/2021. Where a Windows Server 2012 R2 Standard can't add/connect to shared printers. "Connect to Printer Windows cannot connect to the printer. Operation failed with error 0x0000011b"

I don't have any of these KB updates mentioned installed, so basically, I can’t use the uninstallation method which seems to be working for everyone. How do I go about fixing this issue if I don’t have these KB installed already?

NB: There are pending updates which include KB5005613

0 Votes 0 ·
Mech-6321 replying to Kazim-2121:

I don't have any of these updates installed on my Server 2019 either. Tried all suggestions so far, nothing.

0 Votes 0 ·

My 2k8R2 RDS servers could not connect to my 2k12 Std Print server. I removed KB5005623 from my 2k12 printer server and things came back on line.

2021-09 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems (KB5005623)

Installation date: 2021-09-26 13:46

Installation status: Succeeded

Update type: Important

A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

More information:
https://support.microsoft.com/help/5005623

Help and Support:
https://support.microsoft.com/help/5005623

0 Votes 0 ·

I've got a good one. Microsoft may not actually be devising a fix for this, but...
Got the above error with a twist. We don't use PointandPrint... All our (I say "all" when things are running smoothly) printers are published using GPOs to targeted computers, not users. Every computer is named in such a way that we can identify groups of computers based on location, department and OS. When a new computer is joined to the domain, the computer is added to several groups. One of the groups they are added to is used for multiple policies. The policies are designed to publish as few as one to as many as a dozen printers to that computer. So there's no user interaction when installing a printer. RestrictDriverInstallationToAdministrators = 0 is being used on a case by case basis for people who absolutely must print to keep our business running. Corporate is going to be some pissed with the AD guy because he can't get printers to deploy any more. Not a fun place to be. Never have I seen something like this before. Oh, there have been inconveniences, but never a total blockage. I spun up a new 2019 server and started building V4 ONLY queues with still no joy. This is the crap suicides are made of.

4 Votes 4 ·

Today, 16 September 2021, I got the same problem, cannot print to the printer on the server. Fortunately, I read this article and then I could assume that what happened to me was caused by a BAD Windows update. Then I checked Update history and found one update installed on 15 September 2021 (Security update KB5005565). So I uninstalled it and rebooted. And, YES, the printer works normally, ... God Bless Us.. Alhamdulillah, Amiin

4 Votes 4 ·

I can CONFIRM we had the same problem and nothing would work; even our tech couldn't figure it out, so I got on this forum and YES, the above answer solved our problem. Deleted the security update KB5005565 and restarted, and bingo, the printer can connect again..

Thanks

2 Votes 2 ·

Uninstalling KB5005565 may work, but this is a cumulative update. I may be wrong, but you still have the PrinterNightmare issue. Just trading off risk/problem.

1 Vote 1 ·

What do you think is better, to have the inability to print within your organization, or continue to have PrintNightmare vulnerability? It's not a trade-off at all. Businesses need to print to continue their operations. Obviously Microsoft needs to fix the problem properly. You need to uninstall September 2021 cumulative update on all print servers to get them working again.

2 Votes 2 ·

It also helped me too! Thanks!

0 Votes 0 ·

The correct way to fix this may lie in following this flowchart to ensure that remote exploitation of PrintNightmare is not possible while allowing Point and Print.
I will update this later with any progress I find in this. If you can, please do not set RestrictDriverInstallationToAdministrators to 0 as this will make you vulnerable.

-thank you

[attachment: 133726-383432-printnightmare-flowchart-v9.png]


2 Votes 2 ·

One more note, I would say you should add the RPC changes to this as well.

https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

And

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1678

This is what I primarily mention above and what seems to have triggered an influx of complaints.

1 Vote 1 ·

Awesome, I am building up a guide for my org and will use this.

From what I see most people are getting servers updated then reporting the clients can't print. So they uninstall the server's updates and voilà. I'm not fully sure of the clients being unable to print if the server is updated already as well. But the aforementioned issue appears to be the main culprit. This Sept update made an enforcement change on the Jan updates for the Auth protocol of the Print Spooler to the Server/Client relationship. So the value is being set from the default of 0 as non-enforcement to 1 with the Sept updates. I haven't run into this problem directly but was following this thread due to the Admin install prompt issue, which is unrelated to the Sept updates issue. The unfortunate situation here is Microsoft has poorly communicated the Print Nightmare fixes. But they have slowly updated their primary Point and Print document to detail the needed changes. They have yet to deal with the V3 GPO issue, although it is now mentioned doing a manual compare of the user's driver files. Alas. I set the Auth protocol to 0 through GPO and updated my server. Then installed the latest updates on a client and server. No issues printing. I tested on a non-updated client and no issues printing as well. This is due to me changing the enforcement level for the Auth change. I suspect when I change the Auth level back to 1 as Enforced per Microsoft then those client machines won't print because they are not up to date.

Soooooo confusing. Your flow chart is very helpful!

0 Votes 0 ·

Credit goes to Will Dormann twitter @wdormann for this flow chart, I'm just sharing it here.

1 Vote 1 ·

If you really want real answers for this issue:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Read also
https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-ch[…]e-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

After the latter link's enforcement with the September updates, all Mac, Linux and Windows clients' printing ability was disabled.
When a client tries to communicate with an insufficient authentication method, the server responds access denied with an improper error message.
There might be firewall configurations preventing proper communication in environments where only 445/TCP is enabled; some organizations don't like to approve unintended high-port communications with TCP or UDP.
MS has now triggered something that no one was prepared to deal with and hasn't shared enough documentation on how to properly configure these services to communicate the way they want them to communicate.

When only 445/TCP is open, is it not enough?
Should we open the high ports, is there any answer? Which TCP or UDP to establish the correct communication?
In the documentation of printing services there is the ability to configure your print server to communicate only with 445/TCP, but this now breaks with the newest security update...
So you should enable high ports 49152-49158 TCP???
Do we need to enable those documented UDP ports also with 445-only enabled servers that have the registry tweak to support non-UDP communications?

1 Vote 1 ·

I especially like the part about "If you find issues during testing, you must contact the vendor for the affected client or server software for an update or workaround before early 2022."

yeah just push these issues out to the manufacturers, that sounds like a good idea....

I have had issues here with Brother printers, however they are not as severe. Some application calls seem to work while others fail. Our issues appear to be related to our Azure Active Directory in some way, but I haven't gathered any evidence for this yet. I believe it is a permissions issue, as I've experienced no problems with administrator accounts.

1 Vote 1 ·
DanCampbell-8712 answered · 0 Votes · DanCampbell-8712 edited

Manuel,

We recently experienced this in our environment but have yet to pinpoint the update that might have caused this. Current fix for us is running the below command in elevated command prompt as administrator account on the impacted machine :

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

My assumption is that a Windows update changed the way that Windows is handling print jobs and is looking at the registry to see if this key exists. If it does not exist it will not allow non admin accounts to install the driver. If it does exist, it must be set to 0 and not 1 for non admins to install.

Let me know how it goes.

Dan
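As an added example (not code from this thread, nor from Microsoft), the following PowerShell reads the Point and Print policy values that Dan's reg command touches and reports whether a machine is in the hardened or the relaxed state. It treats an absent RestrictDriverInstallationToAdministrators as restricted, which is the behaviour Dan describes above, and flags the combination of a relaxed value with no trusted-server list. Value names are taken from the Printing.admx policy template, and RpcAuthnLevelPrivacyEnabled from KB4599464 (the RPC binding change referenced elsewhere in this thread); treat both as assumptions to verify against your template version. The script is read-only.

```powershell
# Added example, not from the thread. Reads Point and Print policy state and reports
# whether driver installation has been relaxed. Value names follow Printing.admx (assumption).

$PointAndPrint        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PackagePointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$PrintControl         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'   # RpcAuthnLevelPrivacyEnabled (KB4599464)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PointAndPrintPolicyState {
    $restrict   = Get-RegValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'
    $noWarn     = Get-RegValue $PointAndPrint 'NoWarningNoElevationOnInstall'
    $update     = Get-RegValue $PointAndPrint 'UpdatePromptSettings'
    $restricted = Get-RegValue $PointAndPrint 'Restricted'
    $trusted    = Get-RegValue $PointAndPrint 'TrustedServers'
    $servers    = Get-RegValue $PointAndPrint 'ServerList'
    $pkgList    = Get-RegValue $PackagePointAndPrint 'PackagePointAndPrintServerList'
    $rpcPriv    = Get-RegValue $PrintControl 'RpcAuthnLevelPrivacyEnabled'

    # After the August 2021 update an absent value behaves like 1 (admins only),
    # so "not defined" must be reported as restricted, not as unknown.
    $effectiveRestrict = if ($null -eq $restrict) { 1 } else { [int]$restrict }

    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $restrict
        EffectiveRestriction                       = $effectiveRestrict
        NonAdminsCanInstallDrivers                 = ($effectiveRestrict -eq 0)
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        PromptsSuppressed                          = (($noWarn -eq 1) -or ($update -eq 1))
        PointAndPrintRestrictionsEnabled           = ($restricted -eq 1)
        TrustedServersOnly                         = ($trusted -eq 1)
        TrustedServerList                          = $servers
        PackagePointAndPrintServerListEnabled      = ($pkgList -eq 1)
        RpcAuthnLevelPrivacyEnabled                = $rpcPriv
    }
}

function Test-PointAndPrintHardened {
    param($State = (Get-PointAndPrintPolicyState))
    # Returns one finding per weakening; an empty list means nothing was relaxed.
    $findings = @()
    if ($State.NonAdminsCanInstallDrivers) {
        $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins can install print drivers.'
    }
    if ($State.PromptsSuppressed) {
        $findings += 'Warning/elevation prompts are suppressed (NoWarningNoElevationOnInstall or UpdatePromptSettings = 1).'
    }
    if ($State.NonAdminsCanInstallDrivers -and -not $State.TrustedServersOnly) {
        $findings += 'Driver installation is open to non-admins and no trusted server list limits where drivers come from.'
    }
    if ($State.NonAdminsCanInstallDrivers -and -not $State.PackagePointAndPrintServerListEnabled) {
        $findings += 'Package Point and Print approved server list is not enabled.'
    }
    return $findings
}

$state = Get-PointAndPrintPolicyState
$state | Format-List
$findings = Test-PointAndPrintHardened -State $state
if ($findings.Count -eq 0) { 'No weakening detected.' } else { $findings }
```

Run it on a client after the GPO or reg command has been applied: a machine left at 0 with no trusted-server list is the "all or nothing" state several replies below describe, and the findings list makes that visible without reading the registry by hand.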

MarkK-7817 answered · 3 Votes · SenhorDolas-2197 commented

UPDATE #4: I have heard rumor that a fix is supposed to be released on Tuesday for this issue. I hope that is the case.

After the update, we were having an issue where long established installed printers all of a sudden said they needed driver updates. Nothing had changed printer-wise, only the installation of KB5005031 & KB5005033. Users were being prompted to install the driver update, and it looked like it was installing, but at the very end it would fail with an error code of 0x0000011b or 0x00000bbb. Implementing the PointAndPrint workaround from Microsoft didn't fix the issue for us.

Found a solution on Reddit; BRAVO to who figured this out. This uses the registry setting that negates the patch, which allows Windows to update the printer drivers, and then flips the switch back to enable the new protection. We are not sure how the patch is going to affect us with new employees and new machines, but at least we can get people printing again.

This is the part of the fix that we used: (REQUIRED a REBOOT to fully work)

How do yall manage the issues presented with the latest PrintNightmare mitigation patch? (KB5005033) : sysadmin (reddit.com)

https://www.reddit.com/r/sysadmin/comments/p5ccov/how_do_yall_manage_the_issues_presented_with_the/

Here are the steps required to deploy printers and print drivers via GPO, while still following Microsoft's recommended practices.
Note that not all of these steps may be necessary, but these are the changes I made in our environment to get this working again. Feel free to correct me if I've made a mistake.
The Microsoft article is here
1. In your GPO navigate to User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0
2. In your GPO navigate to User > preferences > Control Panel > Scheduled Tasks > New Immediate task Windows 7 or later
Set the task to run as SYSTEM. Action = Start a program
program is cmd
Argument is
/c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
===========
What this does is temporarily set the registry key to 0 to allow the printer drivers to be installed, then the immediate task runs immediately after GPOs are applied and sets the registry key back to 1. These settings align with Microsoft's support article that states:
If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers: Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.

UPDATE #1: We had a user that this didn't work for, but it did work for other users in the office. Not sure if maybe the switch flip was too fast for Windows to download the updated drivers. I say this because I used a more manual method to grant the admin level access. Made the user a member of the local Administrators group. Had the user sign out and sign back in to make Admin level access active. Checked the printers to see if they were showing Needed Update or not. One was showing update but the other 4 were now showing as Ready. Within a few moments, that last printer showed as Ready. Removed the user from the local Administrators group, and signed them out. That delay is why I wonder if maybe the above solution was too fast for this machine, or maybe the network drop wiring or whatever.

UPDATE #2: This solution only works for printers already showing as installed in Windows. Not that I fully understand how printing works in Windows, but we have users that have been using printers for years and showed as a printer they could pick, but now the printer doesn't show installed. That requires a local admin level to install.

UPDATE #3: Had a user where we are using this GPO that had her printers go back to a Need Update state. Ended up doing the make user local admin, login, issue fixes itself, remove from local admin, logout and log back in.

· 10

Hi,

I did this step only:

1. In your GPO navigate to User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0

and it worked... I had to do gpupdate /force at user site and logout/login.
WinServer 2008R2

Thanks for your help!



0 Votes 0 ·

Is this update happening today/anytime soon?

0 Votes 0 ·

I wish I knew. Wondering the same thing myself. This was heard from a state IT worker, which has a much closer relationship with MS than I do. I'm hoping the rumor is true and something is coming.

0 Votes 0 ·

Seems not; by the time it's fixed, most users' machines will have been manually updated!

0 Votes 0 ·

"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",

I don't see PointAndPrint in this registry path when trying to make the GPO.

Any suggestions?

0 Votes 0 ·
MarkK-7817 replying to binodranabhat-2915:

You may have to create that key, it isn't a default key in the registry.

0 Votes 0 ·

Hi Mark,

Thank you for your reply. I created that and tested in my client machine. Glad that it worked.

Now, need to create GPO and deploy.

Need to create PointandPrint expandable hive first and then create a reg key and set the value...
Looks like GPO can't create this hive ?

Any suggestion/advice ?

Many thanks

0 Votes 0 ·

Not sure when you wrote about an update coming out... was that yesterday or in Aug?
Do you know if the update is out already?
I pulled the patch for this week, let's see what MS say...

0 Votes 0 ·
BillV-1922 answered · 0 Votes · MarkK-7817 commented

I'm seeing this same behavior Mark, as are a lot of folks. With the patch installed I can't install a printer from a print server even with local admin privileges via GUI or command line. I don't want to disable the protections provided by this patch, but it's my only viable option at this point. I wonder if the users will be prompted for credentials more than once if you use the scheduled task workaround.

Microsoft, please provide a more workable solution to this vulnerability.

· 4

I believe that once the driver is installed the machine should be good to go. But the one of the things we have seen with these patches is inconsistencies in behavior. Why this Xerox printer but not the one next to it using the same printer driver.

Will have to wait and see what other issues start now that people can start to print again, or what happens when people start moving around to different computers. But they are working now, so one issue down - - waiting for the next.

We wonder if it has something to do with certificates on the printer, but that is just a thought we haven't looked in to.

0 Votes 0 ·

Hi everyone,

From our personal experience with an environment of over 11000 computers: using a method where we don't change the security enforced by the 2021-08 patch (like HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators = 1) is random.

If we review the 4 options that Microsoft gives:

  1. Provide administrator username and password when prompted -> This solution is just totally ridiculous.

  2. Include drivers in the Windows image / preinstall drivers on the computer -> Works 60% of the time. Some drivers react properly and there is no more prompting at user logon (HP, Ricoh or native drivers like Generic Text). But some drivers, even if they are already on the machine, ask to be reinstalled each time a session is opened (Minolta and some Ricoh). It's very random and trying different/newer drivers doesn't seem to fix it.

  3. Use SCCM or Endpoint Manager to remotely install the printer driver. -> It's exactly the same situation enumerated at point #2. This solution works RANDOMLY depending on the driver/printer used.

  4. Temporarily set RestrictDriverInstallationToAdministrators to 0 and install printer drivers... Again, "Temporarily" could be "Permanently" due to the issue where some drivers ask to be reinstalled at each reopening of the session.

Finally, the only working solution is to use RestrictDriverInstallationToAdministrators to 0 "permanent". Then add a mitigation where you need to add another strategy to secure which printer servers are allowed.
0 Votes 0 ·

Hi,

is that the registry change to be done on the printer server ?

Please let me know, having same issue after KB5005033.

Many thanks.

Kind regards,
Binod

0 Votes 0 ·
frup-5580 answered · 0 Votes · frup-5580 edited

We had the problem too and could solve it. We had to use a combination of all the mentioned solutions + some parts of KB5005652.

We had to create a GPO with:

  1. Reg-Key: "RestrictDriverInstallationToAdministrators" = 0

  2. Package Point and Print - Approved servers: just list all your print servers (see KB5005652 at the end of the article) and

  3. Point and Print Restrictions:

  • Users can only point and print to these servers (not checked)

  • Users can only point and print to machines in their forest (checked)

  • When installing drivers for a new connection: Show warning and elevation prompt

  • When updating drivers for an existing connection: Show warning and elevation prompt


I know Part 3 does not really match the other settings, but it was just a quick and dirty solution. At the moment the users can print. Please reply if you have any similar experience.

BTW: I really don't know if this breaks the PrinterNightmare fix. But our >3.000 customers had to print again...

kind regards

sunghan-5961 answered · 0 Votes

I am not the only one. lol.
I just screwed my print server, had to roll back the update. Is the registry addition MS's official one?

GGCDNIT answered · 0 Votes · GGCDNIT edited

From our personal experience with an environment of over 11000 computers: using a method where we don't change the security enforced by the 2021-08 patch (like HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators = 1) is random.

If we review the 4 options that Microsoft gives:

  1. Provide administrator username and password when prompted -> This solution is just totally ridiculous.

  2. Include drivers in the Windows image / preinstall drivers on the computer -> Works 60% of the time. Some drivers react properly and there is no more prompting at user logon (HP, Ricoh or native drivers like Generic Text). But some drivers, even if they are already on the machine, ask to be reinstalled each time a session is opened (Minolta and some Ricoh). It's very random and trying different/newer drivers doesn't seem to fix it.

  3. Use SCCM or Endpoint Manager to remotely install the printer driver. -> It's exactly the same situation enumerated at point #2. This solution works RANDOMLY depending on the driver/printer used.

  4. Temporarily set RestrictDriverInstallationToAdministrators to 0 and install printer drivers... Again, "Temporarily" could be "Permanently" due to the issue where some drivers ask to be reinstalled at each reopening of the session.



Finally, the only working solution is to use RestrictDriverInstallationToAdministrators to 0 "permanent". Then add a mitigation where you need to add another strategy to secure which printer servers are allowed.

· 3

Thanks for sharing your experience, we came to the same conclusion.
What I don't understand is, that we had a pretty safe option to limit Point and print connection to a defined list of print servers where we can control what printer drivers are provided. But now, after the August fix, connecting to one of these servers requires Admin rights for every new connection.
So I tried how it looks with "RestrictDriverInstallationToAdministrators = 0". But it looks like this setting overrules everything that we have set before. It lets clients connect to any unknown print servers, completely ignoring the 'Trusted Servers' list.
Looks like we have now just a choice for 'All or Nothing'.
Are there other options or policies to get the 'Trusted Servers' limitation back at least?

0 Votes 0 ·

I'll have to test again, but setting those policies and the RestrictDriver registry value did prompt an error when connecting to another server. However, from what I can see, setting RestrictDriver will still allow non-admins to install print drivers outside of print servers, and that's the crux of the whole problem. Which is why they say none of these changes have the same effect as not allowing non-admins to install printers. These settings only piecemeal against the problem. Microsoft needs to fix what has broken GPO deployments and installs alike with V3 drivers.

0 Votes 0 ·
GGCDNIT replying to Klownicle-9244:

Hi,

The answer: "RestrictDriverInstallationToAdministrators = 0" needs to be applied on the target computers (clients).

To mitigate risk, what we did in our company was to add "RestrictDriverInstallationToAdministrators = 0" to all end users' computers, then also create another policy where we added all approved print servers (for Package Point and Print and the Point and Print restriction). This limits the source the printers come from.

NOTE: Approved servers can be added with their FQDN, using a wildcard if you have a lot of print servers. But a wildcard is not allowed for child domains or multiple domains.
Example:

PRINTSRV*.mydomain.com
PRN*.sub.mydomain.com
PRNSRV*.mydomain2.com
PC1.mydomain2.com

This works fine, doesn't break the printer deployment and limits the breach to approved servers as the only source (where we know they are in a safe network and patched).

0 Votes 0 ·
sunghan-5961 answered · 0 Votes · RoadrunnerLI commented

Wow! Microsoft didn't release Out-of-Band update for 2021-08 yet and didn't include this issue in Known issue list. It's been 10 days.

https://support.microsoft.com/en-us/topic/august-10-2021-kb5005043-os-build-14393-4583-709d481e-b02a-4eb9-80d9-75c4b8170240

Always, install at least 2 month old updates.

· 1

Maybe you misunderstood something: this behavior is not caused 'accidentally'. It is a security hardening, and they DID include it in the KB description, even with a link to an article that exactly describes what changed in regard to PointAndPrint services.
I agree with many of the comments above, what Microsoft provides with the August CU is more a quick and dirty workaround than a solution. But it's not an option to generally ignore vulnerabilities and postpone patching for 2 months. Note that the PointAndPrint vulnerability that we're talking about here has already been used to hack systems in the real world.

1 Vote 1 ·
RickoT-NOAA answered · 0 Votes · RickoT-NOAA edited

Hey Folks,

I realize this is somewhat of an older thread, but I figured I'd chime in as I have YOUR ANSWERS!

We require setting the following keys to mitigate Print Nightmare:

  • HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall = 0

  • HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings = 0

  • HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators = 1

We deploy our printers using the user side of GPO under User Configuration > Control Panel Settings > Printers

This, obviously, was not working once we made our Print Nightmare mitigation changes, HOWEVER, I discovered that acquiring Type 4 (V4) User Mode drivers and replacing the Type 3 (V3) drivers on the print server allows devices to install printers once again with our existing GPO configuration and Print Nightmare mitigation in place!

I also added the print servers to the GPO for these 2 policy settings (not sure if these were necessary, but I did it anyway):
- Computer Configuration> Administrative Templates > Printers > Package Point and Print - Approved Servers
- Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions
- - Added print servers (semicolon separated) to the list of "Enter Fully Qualified Server Names Separated by semicolons" field.

Hope this helps all of you out there!

Thanks!
~Rick
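As an added example (not code from this thread, nor from Microsoft), the following PowerShell applies the three values Rick lists above at their mitigation settings and, in the same run, configures the two approved-server policies he mentions with a server list of the wildcard form GGCDNIT showed in an earlier comment. It is one idempotent script for a lab machine or a host outside domain policy; in a domain, deliver the same settings through GPO as Rick does. Value names under PointAndPrint and PackagePointAndPrint follow the Printing.admx policy template and are assumptions to verify against your template version; the server names are constructed placeholders. Run it elevated.

```powershell
# Added example, not from the thread. Writes the Point and Print mitigation values and
# an approved print-server list. Value names follow Printing.admx (assumption; verify).

$ApprovedServers = @(                   # constructed placeholders; one FQDN or wildcard per line
    'PRINTSRV*.mydomain.com',           # wildcard covers every server named PRINTSRV... in that domain
    'PRN*.sub.mydomain.com',            # a child domain needs its own entry
    'PRNSRV01.mydomain2.com'
)

$PointAndPrint        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PackagePointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListOfServers        = Join-Path $PackagePointAndPrint 'ListofServers'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # The PointAndPrint key does not exist by default (see MarkK's reply above), so create it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-PrintNightmareMitigation {
    param([string[]]$Servers)

    # 1. The three values from Rick's answer at their mitigation settings.
    Set-DwordValue $PointAndPrint 'RestrictDriverInstallationToAdministrators' 1
    Set-DwordValue $PointAndPrint 'NoWarningNoElevationOnInstall' 0
    Set-DwordValue $PointAndPrint 'UpdatePromptSettings' 0

    # 2. Point and Print Restrictions: only the listed servers, not every machine in the forest.
    Set-DwordValue $PointAndPrint 'Restricted' 1
    Set-DwordValue $PointAndPrint 'TrustedServers' 1
    Set-DwordValue $PointAndPrint 'InForest' 0
    New-ItemProperty -Path $PointAndPrint -Name 'ServerList' -PropertyType String `
        -Value ($Servers -join ';') -Force | Out-Null      # semicolon-separated, as in the policy UI

    # 3. Package Point and Print - Approved Servers: one REG_SZ per server under ListofServers.
    Set-DwordValue $PackagePointAndPrint 'PackagePointAndPrintServerList' 1
    if (Test-Path $ListOfServers) { Remove-Item $ListOfServers -Recurse -Force }   # replace, don't merge
    New-Item -Path $ListOfServers -Force | Out-Null
    foreach ($s in $Servers) {
        New-ItemProperty -Path $ListOfServers -Name $s -PropertyType String -Value $s -Force | Out-Null
    }
}

function Get-PrintNightmareMitigation {
    # Read the values back so the result can be checked against the intended state.
    $pp = Get-ItemProperty -Path $PointAndPrint
    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $pp.UpdatePromptSettings
        TrustedServers                             = $pp.TrustedServers
        ServerList                                 = $pp.ServerList
        ApprovedPackageServers                     = (Get-Item $ListOfServers).GetValueNames()
    }
}

Set-PrintNightmareMitigation -Servers $ApprovedServers
Get-PrintNightmareMitigation | Format-List
```

Note what this does and does not change: it leaves RestrictDriverInstallationToAdministrators at 1, so on its own it does not make V3 driver deployments install for standard users; it records the state Rick reports working once the print server carries V4 drivers, and Get-PrintNightmareMitigation lets you confirm that every value landed before testing a client.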



Surge-5679 answered · 0 Votes · TheAlanMorris commented

RickoT, we've added type-4 drivers but still see issues. For example, we have a Ricoh printer, on the print server, with the Ricoh provided type-4 driver but the clients install the Microsoft default type-4 driver even though the Ricoh type-4 driver is available. We also have, on the print server, an HP M401dne installed with its provided HP type-4 driver. The client fails to install any driver even though the HP type-4 driver is available. We were able to get the M401dne to work using a universal driver. One last one, printers that have been working for months, started to prompt for admin credentials to install the driver but even after providing credentials, the driver will not install. Very painful.

Thus far the only thing consistent, is randomness. Microsoft's PrinterNightmare patch has basically deprecated the print manager.

The above printers are deployed per machine not per user.

· 1

@Surge-5679
The reason Type 4 drivers mitigates the issue with Point and Print for print shares is that TYPE 4 drivers are NEVER, I will repeat this NEVER, downloaded from the print server. The design on the client is to use the Microsoft enhanced point and print driver.

This is the design change when Type 4 drivers were introduced.

If you wish to have the client use the same print driver as the one on the server, you will need to add the driver using the ones available on Windows Update https://www.catalog.update.microsoft.com/Home.aspx

You can use the Add Driver Wizard in Print Management Console to provide a list of drivers too. Click the Windows Update button.

Once the Windows Update driver is in use, the connection to the share is added using the Microsoft enhanced point and print driver, and the client spooler will spin off a thread to check WU for the driver in the background.

If you have blocked WU, then this call will fail and the Microsoft enhanced point and print driver will remain the driver used by the client.

By default admin rights is the new normal in Windows when installing print drivers or a shared printer.

Once more Type 4 drivers are never copied to the client system from the print server.

Thanks

0 Votes 0 ·
MarkK-7817 answered · 0 Votes

"Thus far the only thing consistent, is randomness."

That is what I told my supervisors. The only consistent thing about this patch is its inconsistency.

I'm fearful the Microsoft solution is the only one provided.
