By default, non-admin domain users do not have permission to install printer drivers on domain computers. To install a driver, the user must have local admin privileges (be a member of the local Administrators group). This is good from a security standpoint, because installing an incorrect or fake device driver could compromise the PC or degrade system performance. However, it is extremely inconvenient for the IT department, because it requires Support team intervention every time a user tries to install a new printer driver.
You can allow non-administrator users to install printer drivers on their Windows 10 computers (without the need to grant local Admin permissions) using Active Directory Group Policies.
Use Package-aware Print Drivers on Print Server
Note that users will only be able to install a printer driver that meets the following requirements:
- The driver must be signed by a trusted digital signature;
- The driver must be packaged (a package-aware print driver). Non-package-aware (unpackaged) drivers cannot be installed through Point and Print Restrictions.
This means that when you try to install a non-package-aware (v3) driver, you will see the warning “Do you trust this printer?” with the Install driver UAC button, which requires the printer driver to be installed under an admin account.
You can check your driver type on the print server under the node Print Management > Print Servers > Server Name > Drivers. For package-aware print drivers, you can see the True value in the Packaged column.
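The same check can be scripted from a management workstation. This is an added example, not code from the original article: it lists the drivers on a print server with the PrintManagement cmdlets and flags the ones that are not package-aware (the package-aware bit of PrinterDriverAttributes is PRINTER_DRIVER_PACKAGE_AWARE from winspool.h); the server name is an assumed placeholder.

```powershell
# Added example (not from the original article): inventory the drivers on a
# print server and flag those that are NOT package-aware, because only
# packaged, signed drivers can be installed by non-admins via Point and Print.
# $PrintServer is a constructed placeholder; replace it with your print server.
# Requires the PrintManagement module (Windows 8 / Server 2012 and later).
param(
    [string]$PrintServer = 'PRINTSRV01.corp.example'   # constructed placeholder
)

# Bit 0 of PrinterDriverAttributes is PRINTER_DRIVER_PACKAGE_AWARE (winspool.h).
$PackageAwareFlag = 0x1

$report = Get-PrinterDriver -ComputerName $PrintServer | ForEach-Object {
    $isPackaged = ($_.PrinterDriverAttributes -band $PackageAwareFlag) -ne 0
    [pscustomobject]@{
        Name        = $_.Name
        Environment = $_.PrinterEnvironment
        Version     = "v$($_.MajorVersion)"
        Packaged    = $isPackaged          # same meaning as the Packaged column in Print Management
        InfPath     = $_.InfPath
        # A non-packaged driver triggers "Do you trust this printer?" and an
        # admin-credential prompt on the client regardless of the GPO settings.
        NeedsAdmin  = -not $isPackaged
    }
}

$report | Sort-Object Packaged, Name | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.Packaged })
if ($bad.Count -gt 0) {
    $msg = '{0} driver(s) on {1} are not package-aware; replace them with v4 or packaged v3 drivers.' -f $bad.Count, $PrintServer
    Write-Warning $msg
}
```

Run it before rolling out the GPO so that the drivers the policy is supposed to let users install actually qualify.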
Allow Non-Admin Users to Install Printer Drivers using Group Policy
First, create a new GPO (or edit an existing one) and link it to the Active Directory OU (AD container) that contains the computers on which users should be allowed to install printer drivers (use the gpmc.msc snap-in to manage domain GPOs). You can implement the same settings on a standalone (non-domain) computer using the Local Group Policy Editor (gpedit.msc).
Expand the following branch in the Group Policy editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers.
Set the policy value to Disabled. This policy controls whether non-administrators can install printer drivers when connecting a shared network printer (the printer driver is downloaded from the print server host). Once the policy is set to Disabled, any unprivileged user can install a printer driver as part of connecting a shared printer to the computer. However, this policy does not allow downloading and installing an untrusted (unsigned) printer driver.
Adding Printer Class GUIDs Allowed to Install via GPO
The next step is to allow the user to install the printer drivers via GPO. In this case, we are interested in the policy Allow non-administrators to install drivers for these device setup classes in the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation.
Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and, in the window that appears, add two lines with the device class GUIDs corresponding to printers:
- Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
- Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.
You can find a full list of the device class GUIDs in Windows here.
When you enable this policy, members of the local Users group can install a new device driver for any device that matches the specified device classes.
Note. You can enable this policy through the registry using the command:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD /d 1 /f
The device class GUIDs that users are allowed to install are stored under the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.
Now save the policy.
Configuring Point and Print Restrictions Policy
In Windows 10 there is another behavior related to the UAC (User Account Control) settings that occurs when you try to install a shared network printer. If UAC is enabled, a Printer driver software installation prompt appears, asking you to specify admin user credentials.
If UAC is disabled, then when you try to install the printer as a non-admin user, the system hangs for some time and finally displays an error message: “Windows cannot connect to the printer. Access is denied”.
To solve this problem, you need to configure the Point and Print Restrictions policy. This policy is located under the Computer and User Configuration section of the GPO editor:
- Computer Configuration > Policies > Administrative Templates > Printers;
- User Configuration > Policies > Administrative Templates > Control Panel > Printers.
Then you need to restrict the list of print servers from which users are allowed to install print drivers without admin permissions. Find and enable the Point and Print Restrictions GPO option and configure the following settings:
- Enable the option “Users can only point and print to these servers”. In the “Enter fully qualified server names separated by semicolons” specify a list of your trusted print servers (FQDN). Non-admin users will be able to connect shared network printers themselves and install drivers only from this list of print servers.
- Under the “Security Prompts” section, select “Don’t show warning or elevation prompt” for both policy parameters, “When installing drivers for a new connection” and “When updating drivers for an existing connection”.
Save your changes and edit the Package Point and print > Approved servers policy.
- Change the policy state to Enabled;
- Click Show and add your trusted print server FQDNs.
Apply the Group Policy on the client computers (a restart is required). After rebooting and updating the GPO settings with the gpupdate command, users will be allowed to install printer drivers without admin permissions.
Configuring Point and Print Policy After the PrintNightmare Fixes
Microsoft changed the default behavior for installing printers on Windows in August 2021. Windows now always requires elevation to Administrator to install or update drivers from a remote print server. This change addresses the PrintNightmare vulnerability in the Windows Print Spooler.
Hint. The PrintNightmare RCE vulnerability is described in CVE-2021-1675, CVE-2021-34527, and CVE-2021-34481. A flaw in the Windows Print Spooler implementation allows an attacker to remotely execute arbitrary code on a Windows computer: a malicious DLL file can be loaded into the system, and adding a printer again causes that file to be run with SYSTEM privileges.
Currently, non-admin users cannot install printer drivers in Windows even after configuring the Point and Print GPO, because Microsoft now requires printer drivers to always be installed under an account with administrative privileges.
On computers with update KB5005652 (or more recent cumulative security update), when installing a printer, users receive a UAC window:
Do you trust this printer?
Windows needs to download and install a software driver from the \\computer to xxx. Proceed only if you trust the computer and network.
After clicking on the Install driver button, a UAC window appears in which you need to specify the administrator credentials.
You can work around this requirement by deploying the printer to domain machines using Group Policy Preferences (see this guide on how to deploy a printer via GPO). This works for v4 package-aware print drivers.
Another (not recommended due to security risks) way to bypass new requirements is to disable the GPO option Limit print driver installation to Administrator under Computer Configuration > Administrative Templates > Printers. This policy can be used after installing Windows updates released October 12, 2021 or later.
This policy sets the RestrictDriverInstallationToAdministrators registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ to 0.
On a standalone computer, you can create this registry entry with the command (must be run from an elevated command prompt):
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
You can also deploy this registry parameter to computers through Group Policy.
Create a new registry parameter under the GPO section Computer Configuration > Preferences > Windows Settings > Registry.
- Action: Replace
- Hive: HKEY_LOCAL_MACHINE
- Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- Value name: RestrictDriverInstallationToAdministrators
- Value type: REG_DWORD
- Value data: 0
Once this option is set, your users will be able to connect network printers and install print drivers from trusted print servers.
Important note! Be very careful when using a value of zero (0) for the RestrictDriverInstallationToAdministrators parameter, as this makes your Windows computers vulnerable. We recommend setting this option only temporarily, while users install the printer. After the printer is installed, return the registry value to the default of one (1).
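A client-side audit ties the Point and Print Restrictions settings above together with the RestrictDriverInstallationToAdministrators value. This is an added example, not code from the original article: it reads the registry values written by the policies described in this guide (the Point and Print value names are those the Printing ADMX writes; the Devices: Prevent users from installing printer drivers option is stored as AddPrinterDrivers) and reports the states a defender would want to catch, in particular a forgotten value of 0; the trusted server list is an assumed placeholder.

```powershell
# Added example (not from the original article): audit the effective Point and
# Print configuration on a client by reading the registry values the policies
# write, and flag the risky state (RestrictDriverInstallationToAdministrators = 0).
# $TrustedServers is an assumed list: replace it with your own print server FQDNs.
$TrustedServers = @('PRINTSRV01.corp.example', 'PRINTSRV02.corp.example')  # constructed

$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$drv = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$lan = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. "Devices: Prevent users from installing printer drivers" is stored as AddPrinterDrivers (1 = prevent).
if ((Get-RegValue $lan 'AddPrinterDrivers') -eq 1) {
    $findings.Add('AddPrinterDrivers=1: non-admins are still blocked from installing printer drivers')
}

# 2. Device setup classes non-admins may install: the Printer class GUID from the guide must be listed.
$classes = @()
if (Test-Path "$drv\AllowUserDeviceClasses") {
    $classes = (Get-ItemProperty "$drv\AllowUserDeviceClasses").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
}
if ($classes -notcontains '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}') {
    $findings.Add('Printer class GUID is missing from AllowUserDeviceClasses')
}

# 3. Point and Print Restrictions: users must be limited to a list that holds only trusted servers.
if ((Get-RegValue $pnp 'TrustedServers') -ne 1) {
    $findings.Add('Users are not limited to the approved Point and Print server list')
}
$serverList = Get-RegValue $pnp 'ServerList'
$listed = if ($serverList) { $serverList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } } else { @() }
foreach ($s in $listed) {
    if ($TrustedServers -notcontains $s) { $findings.Add("Unapproved Point and Print server listed: $s") }
}

# 4. PrintNightmare mitigation: 1 (or absent, the default) is safe; 0 lets non-admins install drivers.
if ((Get-RegValue $pnp 'RestrictDriverInstallationToAdministrators') -eq 0) {
    $findings.Add('RestrictDriverInstallationToAdministrators=0: revert to 1 once the printers are installed')
}

if ($findings.Count -eq 0) { 'Point and Print configuration is consistent with the guide.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on a client after gpupdate; each FINDING line names the setting that still needs attention.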
20 comments
Thank you a lot, guy!
In our environment, we only have like 3 models of printers, used by 1,000 users.
Would it just make sense to push out drivers for these few model printers to *everyone*, then users can point-and-print to add a printer, but since the *driver* would have been pre-loaded, they won’t get a UAC print?
If so, suggestions on how?
This seems like the best of both worlds – security (only our trusted drivers) + convenience (users can pick which printers they need and install them on their own, without UAC)
I agree that pushing out all of the drivers first would be ideal, but I am not sure how to best do that.
Great article. Thank you for helping me years later. Did not know about Package-aware print drivers.
Hello,
Does this still work with the new the August Patch release for windows 10?
Thanks,
Aj
I was hoping your article would help with August 10, 2021—KB5005033, but it doesn’t. My users can’t install print drivers without admin credentials.
Same here. Is there any solution for this?
We had the same problem, and it turns out adjusting the printer driver from false to true in the Packaged column solved the issue for us.
Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
For those of us stuck after CVE-2021-34481 — has anyone tried following MS’s instructions? They didn’t work for me. I’m still stuck going around to every computer and manually downloading drivers.
https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
I have tried the Registry Edit and it works but no amount of farting around with the different registry policies worked. Maybe I’m missing the correct ADMX but I just couldn’t get it to go. In the end I made a “create” registry in group policy and pushed that out.
HKEY_LOCAL_MACHINE
SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators
REG_DWORD
00000000
Hexadecimal
What is the difference between the following two methods?
- setting it via the group policy `Microsoft Endpoint > Administrative Template > Printers > Point and Print Restrictions`
- setting the registry value for `RestrictDriverInstallationToAdministrators` manually
Because we have rolled it out to all computers in the tenant and we noticed that it worked for some devices in combination with some printers and it didn’t work for other devices which were using a different printer.
out of all the fixes mentioned, only the last one states it will circumvent the security for the Printnightmare issue. Will all the fixes above compromise the clients as well or is it just the “RestrictDriverInstallationToAdministrators” DWORD change that gives exposure?
The “Do not show warning or elevation prompt” is not an option in my GPO. I only have “Show warning only” and “Show warning and elevation prompt”. I have updated my ADMX files.
Since I do not want the warning, am I obligated to use the reg key to change RestrictDriverInstallationToAdministrators to 0 ?
This worked for me. Here is my situation. We have some unsigned print drivers due to modifying with the Canon driver modification utility. Had they not been modified, I would have just pushed them out. But scripting unsigned drivers doesn’t seem to work. So I got this to work with 1) the RestrictDriverInstallationToAdministrators set to 0, 2) restrict Point and Print to my print servers, 3) restrict Package Point and Print to my print servers, 4) disabling the security option to prevent users from installing print drivers, and finally 5) adding those driver classes as described.
Did all of this and still having issues deploying shared printers with GPO.
After all this getting nothing but 0x800704ec errors in event viewer after updating the GPO on the client machine.
As of 5-3-2022 no go; prompting “do you trust” and then asking for admin creds…regardless of GPO and verified regedit keys as explained…
Hi, good article!
Only with this reg add command via GPO (Computer side), I think it is solved:
Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value name: RestrictDriverInstallationToAdministrators
Value type: REG_DWORD
Value data: 0
BUT, now I updated a printer driver on the print server and users cannot install the driver update because they are prompted to use a user with admin rights.
Is there a solution? Users can install the printer if they have never logged in on the PC; if they have a previous login on the PC, when they try to print, they are prompted to update the driver with admin rights.
thanks
The solution works for us, but the printer restriction is not working properly. Users can install printers from a print server which is not defined in the restriction settings.
Please advise.
Thanks muchly.
Helped me solve print sharing this morning as a matter of urgency.
Only issue is there are so many steps to follow. I had to repeat the steps 3 times for 3 different printers, despite them all being Canon MFCs and using the same driver. I was creating the GPOs from the Print Management console and did not see a way to select multiple printers. I’m mainly a Linux admin so I could have missed something somewhere – be gentle!
Cheers,
ak.