My Print Drama

One of the fundamentals of the modern managed platform is to have as much admin-less on the client systems as possible.

I recently stumbled across the statement: […] You need to be a local admin when installing your on-prem network printer […] (or similar).

It is terrible, but the entire truth. You need to have admin privileges to install non-standard drivers. I am trying to destroy the statement and allow users to install their printers required without struggle as they usually did for many years from on-prem – I am not aiming to create a solution such as Follow Me Print Conecpt or to modernize the print management subject.

The problem is not the printer; the problem is the non-standard driver required for the printer. A non-standard driver is not by default in the driver store of the system. So as long as a network printer uses available drivers from the local driver store, you are lucky – no issues connecting to a printer hosted by a print-server – more explanation about the store further down.

If you are privileged to be a local admin on a system, you will not have the issue (but many others). You are an admin and can install drivers and printers as you wish.

Worth considerating in the entire print drama are locally connected printers through USB. Once a connection to those printers is established, the drivers of the mentioned driver store are used. If no matching drivers are available, Windows will reach out to Windows Updates as a source to locate a suitable driver.

Approach to a Solution

Microsoft is providing a way to install print drivers for standard users with just a few properties in the registry… Is that a good way? No! Have you heard about PrintNightmare? You don’t need it again! It means you must find the right balance between an adequate security level and support business continuity. You require a solution for allowing non-admin users to install print drivers from sources you control (print-server).

Attention: Do not allow standard users to install print drivers without whitelisting the print-severs. Continue reading to not open for Printnighmare vulnerability.

Let’s get down the road with the information of KB5005652; you can allow installing print drivers for non-admin; next is to restrict the print-server by safe listing it. Microsoft also has registry properties made available to achieve it. It will help if you do this for ‘Point and Print’ and ‘Package Point and Print’.

So you change the above to look like this for ‘Point and Print’:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
"Restricted"=dword:00000001
"TrustedServers"=dword:00000001
"ServerList"="server01.my.local;server02.my.local"
"InForest"=dword:00000000
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:0000000 

Also, you want to cover ‘Package Point and Print’:

"PackagePointAndPrintServerList"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
"server01.my.local"="server01.my.local"
"server02.my.local"="server02.my.local"

The key ‘RestrictDriverInstallationToAdministrators’ does apply to ‘Point and Print’ as well as to ‘Package Point and Print’.

KB5005652 has a critical statement and a consideration worth for you: […] The following mitigations can help secure all environments, but especially if you must set RestrictDriverInstallationToAdministrators to 0. These mitigations do not completely address the vulnerabilities in CVE-2021-34481. […].

Print Driver Model

You wonder what the difference is between’Point and Print’ and ‘Package Point and Print’.

You have the ‘Point and Print,’ which refers to Type 3 of the driver model. Whereby Type 4 is the ‘Package Point and Print’ driver model, refinement of the previous existing Type 3. If you want to check what driver type, use ‘Print Management’ (you can open it via printmanagement.msc quickly). Go to your printer overview in the console and look for the ‘Driver Type’ column at the end. Print drivers using the Type 4 driver model are package-aware drivers and can (not essential) utilize the preloaded driver named ‘Microsoft enhanced Point and Print’ from the driver store. That makes it possible for a standard user to install the printer using the staged driver. Staging to the driver store requires sufficient privileges, as it is a trusted store. However, not all drivers and printers take preloaded drivers. Hence, it will not rule them all, so individual vendor drivers are required for installation.

References

Anthony provided the most significant help and kick-start for the entire subject with the articles about Printnighmare. I strongly recommend reading the post from Anthony. They are great! He is also covering a hardening part in his first article.

• Part 1: https://anthonyfontanez.com/index.php/2021/08/12/printnightmare-point-and-print/
• Part 2: https://anthonyfontanez.com/index.php/2021/08/16/printnightmare-point-and-print-part-ii/

Final State

Let’s go ahead and apply the setting to our Cloud-Only systems. You should use a standard way to make it easy to manage and reusable. My preferred method is to use a combination of Configuration Profile with simple Script (or Remediation). Yes, Script 😃, because you do not need detection nor monitoring – you want to have the setting out in the way: take it or leave it.

The Configuration Profile should look like the following:

As you may have realized, you are missing an essential part in the Configuration Profile – you do not have the ‘RestrictDriverInstallationToAdministrators’ configured. I could not find it within the Settings Catalog or any other type of Configuration Profile; a Script will push the setting to the systems.

It is a one-liner only to apply the key:

New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -Name 'RestrictDriverInstallationToAdministrators' -PropertyType DWORD -Value 0 -Force -ErrorAction:SilentlyContinue

Worth saying is the setting ‘Allow Print Spooler accept client conenctions’; It is part of the Configuration Profile above. It was a hardening idea from Anthony. You maybe have different requirements.

Customizing permissions for drivers might compromise security and operational stability; while I don’t generally recommend it, there could be scenarios where flexibility is required,.

That’s it.

⚛️