4 Votes
DanHoffa-5449 asked GaryLongstaff-3209 edited

Windows failed to apply the Deployed Printer Connections settings.

I am experiencing an issue with deployment of printers from GPO. This just started last week after I replaced the existing 2012R2 DC and 2012R2 Print Server with a new 2019 DC and Print Server. If a user had already gotten their printers from GPO, they are present and work. If a user needs printers to load from GPO, they will not. When we run gpupdate /force we get this: "Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link."

All other GPOs are processing and working properly.

I have 4 other DCs (3 - 2012R2 and 1 - 2019) and 3 other Print Servers (2 - 2012R2 and 1 - 2019). Workstations are all Win10 assorted flavors (1908 through 21H2).

Since I list all printers in the Directory, I can still install the printers manually from the Print Servers through "Add Printer" and they install without issue even for non-admin users.

Microsoft has really made a mess with this recent security update. Did they ever test this with GPO deployment of printers before dumping it out there?

Anyone else seeing this behavior? Has anyone fixed this behavior?

windows-server-2019 windows-10-security windows-group-policy windows-server-2012 windows-server-print

I had the same issue as this but was able to resolve it by changing the way I mapped printers in GPO.
Initially I was getting this issue when trying to map printers via the User GPO settings in: User Configuration - Policies - Windows Settings - Deployed Printers

However, when I started mapping them using the User Configuration - Preferences - Control Panel Settings - Printers
They started to map every logon and I also didn't get the gp error "Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link."

Hope this helps

2 Votes 2 ·

Hi,
I had the same issue.
I temporarily set RestrictDriverInstallationToAdministrators to 0.

As you said, I've tried to use this GPO
User Configuration - Preferences - Control Panel Settings - Printers
but every time I access my computer the printers start to map and lose the default printer.

I can't set the default printer via GPO because the same GPO is applied to all users in all offices.

Are there any workarounds? I can't deploy printers to computers because there isn't a GPO option to deploy shared printers like in User Settings, and my printers are installed on a print server that shares them.

0 Votes 0 ·

The stranger part is that this has caused Print Servers that have not had the updates to not deploy via GPO. The most recent print server I installed was 2019 and fully updated with the 9/21 rollup. This is when my problem started, and it was only that server at first. Within a few hours all my print servers stopped deploying printers from GPO. My other 3 print servers have not had the 9/21 update. 2 of them (1 - 2012R2 and 1 - 2019) have had the 8/21 update and 1 of them (1 - 2012R2) has only had the 7/21 update.

That single server having the 9/21 update broke all the rest in a few hours.

Microsoft needs to stop passing the buck and admit they screwed everyone that uses print servers and come up with a real fix for the issue.

0 Votes 0 ·

I updated server 2019 on 24/09/2021 after I had the first report of missing printers, so my issue appeared before the 09/21 update.

Don't you think it may be more related to updates on the Windows 10 devices?

Some of my devices work fine - for sure the computers which I updated recently got this issue.
I will need to check computers which do not have this issue and check when those have been updated.

0 Votes 0 ·

I don't believe it has to do with the Workstations. I have workstations that haven't been updated in a year that printer deployment via GPO now does work. It doesn't seem to matter if it is 1908 that hasn't been updated in a year or if it is 21h2 that is fully updated.

0 Votes 0 ·

I came across this yesterday after moving printers to a new server after the original took a nose dive. Some users were able to get the new connections with just a gpupdate, some required log off/on or reboot, others refused to work at all. GPResult showed the same as others - there was an error and to click More Information, a link which doesn't seem to exist. I changed those GPOs to deploy via Control Panel instead, which I'd really rather not do. Hopefully they get it resolved soon!

0 Votes 0 ·

Did you ever find anything that works for you? I am still fighting this issue.

0 Votes 0 ·
0 Votes
LimitlessTechnology-2700 answered DanHoffa-5449 commented

Hello @DanHoffa-5449,

Thank you for your question.

Based on the description of your problem, I recommend that you take a look at the topic below, which has a problem similar to yours and may help you fix the problem:

https://social.technet.microsoft.com/Forums/office/en-US/05d09795-db48-42b6-95fa-2788125eef79/windows-failed-to-apply-the-deployed-printer-connection?forum=winserverDS




If the answer is helpful, please vote positively and accept as an answer.


Thank you for the response.

Article does nothing for me. Already been through the gamut of fixes. The problem really appears to rest in the permissions realm. All my admins get every printer from GPO even now. Normal users do not. They did before the security change. Registry entries have not worked. Rolling back updates is only good till the next rollup installs.

This is Microsoft's screw-up. They broke Deployment of Printers via GPO for normal Domain Users.

What are we supposed to do now?

0 Votes 0 ·
0 Votes
AlexAlexander-1468 answered AlexAlexander-1468 published

Yes, the same issue. Exact same.

When you use RSOP.msc all it says is "status failed" "Deployed Printer Connections failed due to the error listed below."


They've done something within the last 3 weeks.

0 Votes
MaciejRubin-4595 answered

Exactly the same problem in my environment.

0 Votes
BISG-1081 answered BISG-1081 edited

Same issue with my environment - however I noticed that problem last week - it may appear only for users who are logging into the machine for the first time - gpupdate doesn't work for them.

Previously I had the issue with the drivers, where admin must install the new drivers, now missing printers...

0 Votes
TimHousand-6098 answered DanHoffa-5449 commented

Had the same issue after renaming printers for a client. We were trying to push via user, and it wasn't working. We moved the printer to deploy by machine and moved it to the Computer OU, and got it to work.


I wish I could change to deployment by machine. Unfortunately I have 50+ printers (BW Lasers, Color Lasers, Wide format printers, label printers, and MFPs) across 4 locations and users are constantly moving around. I have some spoiled users that like having their printers no matter where they are in the company and if they don't you would think the world is coming to an end.

0 Votes 0 ·
0 Votes
ChuongHuynhNguyen-3355 answered DanHoffa-5449 commented

I am also facing the same error. Users with local admin rights run gpupdate successfully; normal users who run gpupdate get an error "windows could not apply deployed printer...". Does anyone have a fix for this error? Please help me.

I have not found anything posted anywhere that actually fixes the issue short of giving a user admin permissions or rolling back updates. Here is one of the better discussions that I have found regarding the whole Print Nightmare security fix that created this whole mess to start with.
https://docs.microsoft.com/en-us/answers/questions/517533/pint-server-and-print-nightmare-update.html

I have tried just about everything discussed to try and remedy this issue but none of them have worked for me so far.

1 Vote 1 ·
0 Votes
BISG-1081 answered

I do fully agree - no solution works.

I'm getting more reports from users about disappearing printers - yesterday they had printers, today they are gone... I only assume that gp has updated automatically and couldn't redeploy printers, that's why they are gone.

I will try to switch gp per device rather than user and check if that will work as the temp solution - in that case it will be much easier than installing the printers manually.

Any chance we can give our users admin rights only for printers? Maybe that could sort out the problem.

Any help from MS?

0 Votes
JJ-4806 answered BISG-1081 commented

So I ran into this issue as well recently and the only workaround I found was to set the user as a local admin on the machine they were using.

Once they were set as an administrator, ran GPUpdate /force, logged out and logged back in and all of the printers installed. Not a great solution, as it involved touching every machine but at least I can get it installed.


It will be a problem when gp updates automatically, then it will remove those printers.

I have tried that as well, it works as it should, but unfortunately I couldn't let users stay as administrators.

At this point I have redeployed printers as per machine - it does work. It's not an ideal solution but it does the job.

0 Votes 0 ·

Reading this gave me a stress ulcer. Have you tried to deploy to the machine instead of the person?

0 Votes 0 ·
0 Votes
TGooT-2525 answered TGooT-2525 edited

One of our technicians found the following solution to this:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

Adding the above registry key to the client seems to have solved the issue. The queue is deployed automatically and the error message when doing a gpupdate is gone.

Solutions found on:
https://www.computerworld.com/article/3630629/windows-print-nightmare-continues-enterprise.html

We are not sure about the security aspects of this solution. It may however be a better one than giving local admin rights.


Thanks for the response. I have been dealing with things other than this recently and have forgotten some of the details of things that I have read and tried.

Does this allow for Printer Deployment per User via GPO to process and load printer for the individual users?

Also if I am not mistaken doing this basically negates the Print Nightmare fix and opens you right back up to the same vulnerabilities.

0 Votes 0 ·

Yes, it works per User. Don't know for sure but I think it doesn't.

As described in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 the vulnerability is not present if (after Updating of course):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting) AND
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

We did not define any of them.

In https://docs.microsoft.com/en-us/answers/questions/517533/pint-server-and-print-nightmare-update.html there is an image posted by chmod771 which shows that the value "RestrictDriverInstallationToAdministrators" can be set without negating the fix if the above values are not set or equal to 0.

Image: https://docs.microsoft.com/answers/storage/attachments/133726-383432-printnightmare-flowchart-v9.png

0 Votes 0 ·
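
An added example, not code from anyone in this thread: the PowerShell below reads the three PointAndPrint policy values named in the answer above and reports whether the two prompt values are in the 0-or-not-defined state quoted from the CVE-2021-34527 guidance, and whether driver installation is still limited to administrators. The function names and the sample state are assumptions made for illustration.

```powershell
# Added example. Function names and the sample state are illustrative assumptions.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PromptValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
$RestrictName = 'RestrictDriverInstallationToAdministrators'

function Read-PointAndPrintPolicy {
    # Returns a hashtable of the three values; a value that is not defined is $null.
    $state = @{}
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $PromptValues + $RestrictName) {
        $defined = $props -and ($props.PSObject.Properties.Name -contains $name)
        $state[$name] = if ($defined) { $props.$name } else { $null }
    }
    $state
}

function Test-PointAndPrintPolicy {
    param([Parameter(Mandatory)][hashtable]$State)
    $findings = @()
    $promptsOk = $true
    # Condition quoted in the thread: each prompt value is 0 or not defined.
    foreach ($name in $PromptValues) {
        $value = $State[$name]
        if ($null -ne $value -and $value -ne 0) {
            $promptsOk = $false
            $findings += "$name = $value (advisory condition requires 0 or not defined)"
        }
    }
    # 0 is the workaround from the thread. Not defined is treated as restricted,
    # matching the post-update default of administrator-only driver installation.
    $restricted = $State[$RestrictName] -ne 0
    if (-not $restricted) {
        $findings += "$RestrictName = 0 (driver installation open to non-administrators)"
    }
    [pscustomobject]@{
        PromptValuesAtDefault   = $promptsOk
        DriverInstallAdminsOnly = $restricted
        Findings                = $findings
    }
}

# Constructed sample: the client state after the reg add workaround, nothing else defined.
$sample = @{ RestrictDriverInstallationToAdministrators = 0 }
Test-PointAndPrintPolicy -State $sample | Format-List

# On a Windows client, evaluate the live policy key instead.
if (Test-Path -Path $KeyPath) {
    Test-PointAndPrintPolicy -State (Read-PointAndPrintPolicy) | Format-List
}
```
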
0 Votes
RalfAzevedo-5486 answered TheAlanMorris commented

I started having similar problems a few weeks ago. Some users started asking for elevation to install the print server driver, something that didn't happen before. Other users from different OUs did not experience the problem.

I checked the GPOs and they are identical, the difference is the OU of each user. Printers have no security restriction, everyone can print to them.

RSOP fails 0x800702e4 in GPO deployment. I don't have the updates installed on the machines, I don't know what to do anymore. All printers are installed by machine and non-user permissions.

Anyone with any solution to help me?


My guess is that either the Print Server or the DC for these affected users received a recent patch that the others have not yet. I'd check there.

0 Votes 0 ·

This is the precise error:
C:\>winerror 0x02e4
740 ERROR_ELEVATION_REQUIRED

The user needs to install the print software using the new default of administrator credentials.

0 Votes 0 ·