Viajaz asked Viajaz answered

KB5005652 / CVE-2021-34481: RestrictDriverInstallationToAdministrators as 0 still overrides Point and Print Group Policy settings

KB5005652 - Manage new Point and Print default driver installation behavior (CVE-2021-34481) says:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
...
Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings.

I have tried a clean lab with Windows Server 2019 as domain controller and a fully patched Windows 10 Enterprise 20H2 system, and this does not appear to be the case. The existence of the RestrictDriverInstallationToAdministrators registry item appears to disable Point and Print Group Policy settings, making the alternative mitigations "Permit users to only connect to specific print servers that you trust" and "Permit users to only connect to specific Package Point and Print servers that you trust" not possible.

Is this a bug or am I doing something wrong?




windows-group-policy windows-server-print
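To see what a client actually has under the policy key quoted in the question, the following PowerShell snapshot can be run on the Windows 10 machine. It is an added example, not part of the original post or of KB5005652; the function names are hypothetical, and the `PackagePointAndPrint` key and the `TrustedServers` and `ServerList` value names are assumed to be the ones the two "specific servers that you trust" policies write, so confirm them against your own GPO.

```powershell
# Added example: snapshot the Point and Print policy state on a client.
# Only RestrictDriverInstallationToAdministrators and its key come from the page;
# the other key and value names are assumptions to verify against your GPO.
$base = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValues {
    param([string]$Path)
    # Return every value under a policy key as an ordered name -> data map.
    $out = [ordered]@{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            $out[$name] = $key.GetValue($name)
        }
    }
    return $out
}

function Get-PointAndPrintPolicyState {
    $pnp     = Get-PolicyValues "$base\PointAndPrint"
    $pkg     = Get-PolicyValues "$base\PackagePointAndPrint"
    $pkgList = Get-PolicyValues "$base\PackagePointAndPrint\ListOfServers"
    $restrict = $pnp['RestrictDriverInstallationToAdministrators']

    [pscustomobject]@{
        Collected    = Get-Date
        # Boot time is recorded so snapshots taken at different points after
        # start-up can be compared with each other.
        LastBoot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        RestrictDriverInstallationToAdministrators =
            if ($null -eq $restrict) { 'not set' } else { $restrict }
        # True only when the value exists and is 0, the case the question is about.
        NonAdminDriverInstallAllowed = ($restrict -eq 0)
        # Trusted-server restriction: enabled flag plus the server list itself.
        TrustedServersEnabled = ($pnp['TrustedServers'] -eq 1)
        TrustedServerList     = $pnp['ServerList']
        PackageServerList     = @($pkgList.Values)
        AllPointAndPrintValues   = $pnp
        AllPackagePointAndPrint  = $pkg
    }
}

Get-PointAndPrintPolicyState | Format-List
```

Comparing a snapshot taken right after boot with one taken later shows whether the policy values in the registry changed, which helps separate a policy that was never applied from one that is present but not honoured.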
Viajaz answered

This was caused by a race condition between Windows components on start-up.

LimitlessTechnology-2700 answered Viajaz commented

Hi there,

This article provides a solution to an issue where the Point and Print Restrictions policies are ignored when a standard user tries to install a network printer.
https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored



If the reply is helpful, please Upvote and Accept it as an answer


The Point and Print Restrictions Policies are already under Computer Configuration in the Group Policy Object used to deploy them.
