Summary
Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality. For more information, see Point and Print Default Behavior Change and CVE-2021-34481.
By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
Install new printers using drivers on a remote computer or server
Update existing printer drivers using drivers from remote computer or server
Note If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, 2021 or later.
Important Printing clients in your environment must have an update released January 12, 2021 or later installed before installing updates released September 14, 2021 or later. Please see Q2 in “Frequently asked questions” below for more information.
Modify the default driver installation behavior using a registry key
You can modify this default behavior using the registry key in the table below. However, be very careful when using a value of zero (0) because doing that makes devices vulnerable. If you must use the registry value of 0 in your environment, we recommend using it temporarily while you adjust your environment to allow Windows devices to use the value of one (1).
Registry location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
DWord name: RestrictDriverInstallationToAdministrators
Value data:
Default behavior: Setting this value to 1, or leaving the key undefined or not present, requires administrator privilege to install any printer driver when using Point and Print. This registry key overrides all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print.
Setting the value to 0 allows non-administrators to install signed and unsigned drivers from a print server but does not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server. Some administrators might set the value to 0 to allow non-admins to install and update drivers after adding additional restrictions, including a policy setting that constrains where drivers can be installed from.
Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
Note Updates released July 6, 2021 or later have a default of 0 (disabled) until the installation of updates released August 10, 2021 or later. Updates released August 10, 2021 or later have a default of 1 (enabled).
Restart requirements: No restart is required when creating or modifying this registry value.
Note Windows updates will not set or change the registry key. You can set the registry key before or after installing updates released August 10, 2021 or later.
Automate the addition of RestrictDriverInstallationToAdministrators registry value
To automate the addition of the RestrictDriverInstallationToAdministrators registry value, follow these steps:
Open a Command Prompt window (cmd.exe) with elevated permissions.
Type the following command and then press Enter:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
Set RestrictDriverInstallationToAdministrators using Group Policy
After installing updates released October 12, 2021 or later, you can also set RestrictDriverInstallationToAdministrators using a Group Policy, using the following instructions:
Open the group policy editor tool and go to Computer Configuration > Administrative Templates > Printers.
Set the Limits print driver installation to Administrators setting to "Enabled". This will set the registry value of RestrictDriverInstallationToAdministrators to 1.
Install print drivers when the new default setting is enforced
If RestrictDriverInstallationToAdministrators is not defined or is set to 1, depending on your environment, users must use one of the following methods to install printers:
Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.
Include the necessary printer drivers in the OS image.
Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.
Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.
Note If you cannot install printer drivers, even with administrator privilege, you must disable the Only use Package Point and Print Group Policy.
Recommended settings and partial mitigations for environments that cannot use the default behavior
The following mitigations can help secure all environments, but especially if you must set RestrictDriverInstallationToAdministrators to 0. These mitigations do not completely address the vulnerabilities in CVE-2021-34481.
Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
Verify that RpcAuthnLevelPrivacyEnabled is set to 1 or not defined
Verify that RpcAuthnLevelPrivacyEnabled is set to 1 or not defined as described in Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464).
Verify that Security Prompts are enabled for Point and Print
Verify that Security Prompts are enabled for Point and Print as described in KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
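The following PowerShell script is an added example, not part of this article, that audits the three settings above on the local device and can optionally apply the secure values (the equivalent of the reg add command earlier in this article). RestrictDriverInstallationToAdministrators and RpcAuthnLevelPrivacyEnabled are named in this article; the value names NoWarningNoElevationOnInstall and UpdatePromptSettings, and the HKLM\System\CurrentControlSet\Control\Print path, are assumptions taken from the referenced KB5005010 and KB4599464 and should be checked against those articles.

```powershell
# Added example (not from this article): audit the Point and Print hardening
# state described here. Value names other than
# RestrictDriverInstallationToAdministrators and RpcAuthnLevelPrivacyEnabled
# are assumptions taken from KB5005010 and KB4599464.
#Requires -RunAsAdministrator

$PnPKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$RpcKey = 'HKLM:\System\CurrentControlSet\Control\Print'   # assumed location of RpcAuthnLevelPrivacyEnabled

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value is not present, which is the documented default state
    }
}

function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()

    # 1. RestrictDriverInstallationToAdministrators: 1 or not defined is the secure default.
    $restrict = Get-DwordOrNull $PnPKey 'RestrictDriverInstallationToAdministrators'
    $findings += [pscustomobject]@{
        Check  = 'RestrictDriverInstallationToAdministrators'
        Value  = $(if ($null -eq $restrict) { '<not set>' } else { $restrict })
        Secure = ($null -eq $restrict -or $restrict -eq 1)
    }

    # 2. RpcAuthnLevelPrivacyEnabled (KB4599464): 1 or not defined.
    $rpc = Get-DwordOrNull $RpcKey 'RpcAuthnLevelPrivacyEnabled'
    $findings += [pscustomobject]@{
        Check  = 'RpcAuthnLevelPrivacyEnabled'
        Value  = $(if ($null -eq $rpc) { '<not set>' } else { $rpc })
        Secure = ($null -eq $rpc -or $rpc -eq 1)
    }

    # 3. Security prompts (KB5005010). Assumed value names; a non-zero value
    #    suppresses the warning/elevation prompt, so 0 or not defined is secure.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-DwordOrNull $PnPKey $name
        $findings += [pscustomobject]@{
            Check  = $name
            Value  = $(if ($null -eq $v) { '<not set>' } else { $v })
            Secure = ($null -eq $v -or $v -eq 0)
        }
    }

    if ($Remediate) {
        # Same effect as the reg add command in this article.
        if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
        Set-ItemProperty -Path $PnPKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
        # Re-enable the warning and elevation prompts (0 = show them).
        Set-ItemProperty -Path $PnPKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
        Set-ItemProperty -Path $PnPKey -Name 'UpdatePromptSettings'          -Value 0 -Type DWord
    }

    return $findings
}

# Report only; add -Remediate to apply the secure values. No restart is required.
Test-PointAndPrintHardening | Format-Table -AutoSize
```

Run the audit first and review the Secure column before using -Remediate; a device showing RestrictDriverInstallationToAdministrators = 0 is one that must be covered by the partial mitigations below until it can be returned to 1.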
Permit users to only connect to specific print servers that you trust
This policy, Point and Print Restrictions, applies to Point and Print printers using a non-package-aware driver on the server.
Use the following steps:
Open the Group Policy Management Console (GPMC).
In the GPMC console tree, go to the domain or organizational unit (OU) that stores the user accounts for which you want to modify printer driver security settings.
Right-click the appropriate domain or OU and click Create a GPO in this domain, and Link it here. Type a name for the new Group Policy Object (GPO) and then click OK.
Right-click the GPO that you created and then click Edit.
In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, and then click Printers.
Right-click Point and Print Restrictions, and then click Edit.
In the Point and Print Restrictions dialog, click Enabled.
Select the Users can only point and print to these servers checkbox if it is not already selected.
Enter the fully qualified server names. Separate each name by using a semicolon (;).
Note After installing updates released September 21, 2021 or later, you can configure this Group Policy with dot (.) delimited IP addresses interchangeably with fully qualified host names.
In the When installing drivers for a new connection box, select Show warning and Elevated Prompt.
In the When updating drivers for an existing connection box, select Show warning and Elevated Prompt.
Click OK.
Permit users to only connect to specific Package Point and Print servers that you trust
This policy, Package Point and Print - Approved servers, will restrict the client behavior to only allow Point and Print connections to defined servers that use package-aware drivers.
Use the following steps:
On the domain controller, select Start, select Administrative Tools, and then select Group Policy Management. Alternatively, select Start, select Run, type GPMC.MSC, and then press Enter.
Expand the forest and then expand the domains.
Under your domain, select the OU where you want to create this policy.
Right-click the OU and then select Create a GPO in this domain, and link it here.
Give the GPO a name, and then select OK.
Right-click the newly created Group Policy Object and then select Edit to open the Group Policy Management Editor.
In the Group Policy Management Editor, expand the following folders:
Computer Configuration
Policies
Administrative Templates
Local Computer Policies
Printers
Enable Package Point and Print - Approved servers and select the Show... button.
Enter the fully qualified server names. Separate each name by using a semicolon (;).
Note After installing updates released September 21, 2021 or later, you can configure this Group Policy with dot (.) delimited IP addresses interchangeably with fully qualified host names.
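The two GPO procedures above (Point and Print Restrictions, and Package Point and Print - Approved servers) can also be applied to an existing GPO from PowerShell. The following function is an added example, not part of this article, using the GroupPolicy module from RSAT. The registry keys and value names it writes (Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall, UpdatePromptSettings, PackagePointAndPrintServerList and the ListofServers subkey) are assumptions derived from the Printing Administrative Template; the GPO name and server names are constructed placeholders.

```powershell
# Added example (not from this article): configure the two trusted-server
# policies from this article on an existing GPO. Registry paths and value
# names are assumptions derived from the Printing ADMX template; the GPO and
# server names are constructed placeholders.
#Requires -Modules GroupPolicy

function Set-TrustedPrintServers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $Servers   # fully qualified names (or IPs after the Sept 21, 2021 updates)
    )

    $pnp = 'HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppp = 'HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

    # --- Point and Print Restrictions (non-package-aware drivers) ---
    Set-GPRegistryValue -Name $GpoName -Key $pnp -ValueName 'Restricted'     -Type DWord -Value 1 | Out-Null
    # "Users can only point and print to these servers" + semicolon-separated list
    Set-GPRegistryValue -Name $GpoName -Key $pnp -ValueName 'TrustedServers' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $pnp -ValueName 'ServerList'     -Type String -Value ($Servers -join ';') | Out-Null
    # "Show warning and Elevated Prompt" for new (0) and updated (0) connections
    Set-GPRegistryValue -Name $GpoName -Key $pnp -ValueName 'NoWarningNoElevationOnInstall' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $pnp -ValueName 'UpdatePromptSettings'          -Type DWord -Value 0 | Out-Null

    # --- Package Point and Print - Approved servers (package-aware drivers) ---
    Set-GPRegistryValue -Name $GpoName -Key $ppp -ValueName 'PackagePointAndPrintServerList' -Type DWord -Value 1 | Out-Null
    foreach ($s in $Servers) {
        # The "Show..." list is stored as one REG_SZ per server (name = data) under ListofServers
        Set-GPRegistryValue -Name $GpoName -Key "$ppp\ListofServers" -ValueName $s -Type String -Value $s | Out-Null
    }

    # Return the Point and Print Restrictions values that were written for review
    Get-GPRegistryValue -Name $GpoName -Key $pnp
}

# Constructed placeholder values; the GPO must already exist and be linked as described above.
Set-TrustedPrintServers -GpoName 'Point and Print Hardening' -Servers 'print01.corp.example', 'print02.corp.example'
```

Verify the result with Get-GPRegistryValue on both keys, or with gpresult on a client after a policy refresh, before relying on it; the allow-list only limits which servers clients may connect to and, as stated above, is not equivalent to RestrictDriverInstallationToAdministrators set to 1.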
Frequently asked questions
Q1: Every time I attempt to print, I receive a prompt saying, "Do you trust this printer," and it requires administrator credentials to continue. Is this expected?
A1: Being prompted for every print job is not expected. The majority of environments or devices that experience this issue will be resolved by installing updates released October 12, 2021 or later. These updates address an issue related to print servers and print clients not being in the same time zone.
If you are still having this issue after installing updates released October 12, 2021 or later, you might need to contact your printer manufacturer for updated drivers. This issue might also occur when a print driver on the print client and the print server use the same filename, but the server has a newer version of the driver file. When the print client connects to the print server, it finds a newer driver file and the user is prompted to update the drivers on the print client. However, the package offered for installation does not include the newer driver file version.
The files being compared are the drivers within the spool folder, usually in C:\Windows\System32\spool\drivers\x64\3 on both the print client and print server. The driver package being offered for installation will usually be in C:\Windows\System32\spool\drivers\x64\PCC on the print server. After the files in the \3 folder are compared between devices, if they do not match, the package in PCC is installed. If the files in the print server’s \3 folder are not from the same printer driver that PCC offers to the client, the print client will compare the files and find the mismatch every time it prints.
To mitigate this issue, verify that you are using the latest drivers for all your printing devices. Where possible, use the same version of the print driver on the print client and print server. If updating drivers in your environment does not resolve the issue, please contact support for your printer manufacturer (OEM).
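To find the version mismatch described in A1 without waiting for the next prompt, the driver files in the client's \3 folder can be compared with the server's copy. The following function is an added example, not part of this article; it assumes the print server exposes the standard print$ share (which maps to %SystemRoot%\System32\spool\drivers) and that the account running it can read that share. The server name is a constructed placeholder.

```powershell
# Added example (not from this article): compare print driver file versions
# between this client's spool folder and a print server's, to locate the
# mismatch described in Q1/A1. Assumes the standard print$ share; the server
# name used at the bottom is a constructed placeholder.

function Compare-PrintDriverFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PrintServer,
        [string] $Arch = 'x64'
    )

    $localDir  = Join-Path $env:SystemRoot "System32\spool\drivers\$Arch\3"
    $serverDir = "\\$PrintServer\print`$\$Arch\3"     # same folder on the server via print$
    $pccDir    = "\\$PrintServer\print`$\$Arch\PCC"   # driver packages the server offers to clients

    # Index the server's \3 folder by lower-cased file name for case-insensitive matching
    $serverFiles = @{}
    Get-ChildItem -Path $serverDir -File -ErrorAction Stop | ForEach-Object {
        $serverFiles[$_.Name.ToLower()] = $_
    }

    $results = foreach ($local in Get-ChildItem -Path $localDir -File) {
        $remote = $serverFiles[$local.Name.ToLower()]
        if (-not $remote) { continue }   # present only on the client; nothing to compare

        $lv = $local.VersionInfo.FileVersion
        $rv = $remote.VersionInfo.FileVersion
        if ($lv -ne $rv) {
            # Any row here is a file the client will see as "newer on the server"
            [pscustomobject]@{
                File          = $local.Name
                ClientVersion = $lv
                ServerVersion = $rv
                ClientDate    = $local.LastWriteTimeUtc
                ServerDate    = $remote.LastWriteTimeUtc
            }
        }
    }

    # Also list the packages in PCC so they can be checked against the mismatched files
    $packages = Get-ChildItem -Path $pccDir -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Mismatches  = @($results)
        PccPackages = @($packages)
    }
}

$report = Compare-PrintDriverFiles -PrintServer 'print01.corp.example'
$report.Mismatches | Format-Table -AutoSize
"Packages offered from PCC: " + ($report.PccPackages -join ', ')
```

Any file listed under Mismatches whose server version is not the one shipped in a PCC package is the situation A1 describes: the client detects the newer server file, installs the offered package, and finds the same mismatch at the next print job. Aligning the driver version on client and server, as recommended above, clears the list.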
Q2: I installed updates released September 14, 2021 and some Windows devices cannot print to network printers. Is there an order I need to install updates on print clients and print servers?
A2: Before installing updates released September 14, 2021 or later on print servers, print clients must have installed updates released January 12, 2021 or later. Windows devices will not print if they have not installed an update released January 12, 2021 or later.
Note You do not need to install earlier updates and can install any update after January 12, 2021 on printing clients. We recommend that you install the latest cumulative update on both clients and servers.