New Microsoft Point and Print Restrictions

    #13003
    Anonymous
    Inactive

    As some of you are already aware, Microsoft’s 8/10/2021 patches change the way the Point and Print feature works. This change is an attempt to mitigate the PrintNightmare vulnerability.

    The changes disallow users from installing or updating printer drivers. The school district I work for has ~500 Win10 PCs. I really don’t want to have to touch each of the ~500 PCs.

    I hope BatchPatch can assist. Does anybody have suggestions?

    Thank you for your time in advance.

    #13004
    doug
    Moderator

    If you want to continue to allow non-admin users to install printer drivers, then you can use a registry value to revert the behavior to how it was before the August update. However, this is probably not a great idea to permanently revert.

    https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

    But a reasonable option might be to only allow users to install printers if they contact you first. Then when they call you, you can temporarily modify the registry value to enable them to do the printer installation. When complete, you can then undo the registry change.

    Another option would be to give all users a local admin account that they are allowed to use only for elevation, such as in cases where they need to install a printer driver.

    Another option is to simply make sure you get your printer drivers all included in the image that you deploy to new computers.

    #13005
    Anonymous
    Inactive

    Thanks for the reply doug.

    I have seen the registry key but agree it isn’t a good idea to permanently revert.

    I was really hoping a script expert would have a way of doing this that could then be pushed out with elevated admin credentials via BatchPatch.

    For now, having a disable registry key and an enable registry key on a network share will help.

    PS. I am new to BatchPatch and loving what it can do. I suspect I am only scratching the surface of the software’s capabilities. I look forward to digging into the software further!

    #13006
    doug
    Moderator

    You can make registry changes easily with BatchPatch. You don’t need to write an elaborate script. You can just use the Windows ‘REG ADD’ command in a BatchPatch remote command:

    https://batchpatch.com/an-alternate-way-to-deploy-a-registry-value-to-remote-computers

    Other methods:
    https://batchpatch.com/deploy-registry-keys-to-multiple-computers-using-batchpatch

    https://batchpatch.com/remote-registry-updates-with-batchpatch
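    The "temporarily lift the restriction, install, then put it back" approach from the earlier reply, as an added example script (not BatchPatch's code and not from this thread); it uses the RestrictDriverInstallationToAdministrators value documented in KB5005652 and restores the original state even if the install step fails. $InstallCommand is a placeholder for whatever printer-install command works in your environment; run it elevated on the target, e.g. from a BatchPatch remote command or a deployed .cmd that calls powershell.exe -File.

```powershell
# Added example, not from the thread or from BatchPatch. Run elevated on the target PC.
# $InstallCommand is a placeholder (assumption): substitute your own printer-install command.
param(
    [string]$InstallCommand = 'echo REPLACE_WITH_YOUR_PRINTER_INSTALL_COMMAND'
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName = 'RestrictDriverInstallationToAdministrators'   # value name from KB5005652

# Record the current state so the script can put back exactly what was there.
# An absent value means the default, which is restricted (1) after the August 2021 update.
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$original = if ($existing) { $existing.$ValueName } else { $null }
Write-Host "Before: $ValueName = $(if ($null -eq $original) { '<absent, default restricted>' } else { $original })"

try {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # 0 = pre-August-2021 behaviour: non-admins may install/update Point and Print drivers.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
    Write-Host "Restriction lifted temporarily; running install command..."
    cmd.exe /c $InstallCommand
    if ($LASTEXITCODE -ne 0) { Write-Warning "Install command exited with code $LASTEXITCODE" }
}
finally {
    # Always restore, whether the install succeeded, failed, or the script was interrupted.
    if ($null -eq $original) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $original -Type DWord
    }
    $now = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Write-Host "After:  $ValueName = $(if ($null -eq $now) { '<absent, default restricted>' } else { $now })"
}
```

    Because the value lives under the Policies hive, a Group Policy that sets it will reapply on the next refresh and override whatever the script leaves behind, so check your GPOs if the "After" line does not match what you expect.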

    #13010
    Anonymous
    Inactive

    Thanks for the links doug. I will dig into those.

    As we discussed earlier I am not looking to modify the registry to keep us vulnerable.

    I am more looking for a way that I can use BatchPatch to run on machine OUs using elevated credentials to allow the use of the drivers already installed on the client PCs.

    The standard users don’t have access to the print drivers after this update and it is keeping them from printing. We are having to manually “update driver” on all of the client machines. Sadly the driver hasn’t even changed on nearly all of the machines. What a mess.

    #13011
    doug
    Moderator

    Sorry I misunderstood. I thought you were saying you wanted to temporarily modify the registry value so that the printers could be installed/updated, and then set the reg value back.

    Depending on how your printers are set up, you should generally be able to execute a single command at the command prompt of a target computer to perform the installation. Some quick googling will reveal which command to use in your environment. Once you have figured out which command does what you need and works successfully to perform the installation manually at the command prompt of a given computer, you can then easily port that to run remotely from BatchPatch either in a BatchPatch remote command or in a .cmd file that you then deploy to each target using the BatchPatch deployment feature.
