Allow Non-administrators to Install Printer Drivers via GPO

By default, non-admin domain users do not have permission to install printer drivers on domain computers. To install a driver, the user needs local admin privileges (must be a member of the local Administrators group). This is good from a security standpoint, because installing an incorrect or fake device driver could compromise the PC or degrade system performance. However, it is extremely inconvenient for the IT department, because Support-team intervention is required whenever a user tries to install a new printer driver.

You can allow non-administrator users to install printer drivers on their Windows 10 computers (without the need to grant local Admin permissions) using Active Directory Group Policies.

Configure GPO to Allow Non-Administrators to Install Printer Drivers

First, create a new GPO object (policy), or edit an existing one, and link it to the OU (AD container) that contains the computers on which users should be allowed to install printer drivers (use the gpmc.msc snap-in to manage domain GPOs). You can apply the same settings on a standalone (non-domain) computer using the Local Group Policy Editor (gpedit.msc).

Expand the following branch in the Group Policy editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers.

Set the policy value to Disabled. This policy allows non-administrators to install printer drivers when connecting to a shared network printer (the printer driver is downloaded from the print server host). Once the policy is set to Disabled, any unprivileged user can install a printer driver as part of connecting a shared printer to the computer. However, this policy does not allow downloading and installing an untrusted (unsigned) printer driver.


Adding Printer Device GUIDs Allowed to Install via GPO

The next step is to allow the user to install the printer drivers via GPO. In this case, we are interested in the policy Allow non-administrators to install drivers for these device setup classes in the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation.

Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and, in the window that appears, add two lines with the device class GUIDs corresponding to printers:

  • Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
  • Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.

You can find a full list of the device class GUIDs in Windows here.

When you enable this policy, members of the local Users group can install a new device driver for any device that matches the specified device classes.

Note. You can enable this policy through the registry using the command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD /d 1 /f

The list of device class GUIDs that users are allowed to install is stored under the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.

Now save the policy.
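As an added example (not part of the original article), the following PowerShell script writes the same registry values that this policy creates: the AllowUserDeviceClasses DWORD from the reg add command above, and the GUID list under the AllowUserDeviceClasses subkey, where the Group Policy editor stores each allowed class as a string value named 1, 2, 3 and so on. The two GUIDs are the ones listed above. Run it from an elevated PowerShell session on a standalone machine; on domain-joined machines keep the setting in the GPO so that Group Policy does not overwrite it.

```powershell
# Added example (not from the original article): write the registry values behind the
# "Allow non-administrators to install drivers for these device setup classes" policy.
# Requires an elevated PowerShell session.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$classList    = Join-Path $restrictions 'AllowUserDeviceClasses'

# Device setup class GUIDs for printers (the two classes listed in the article).
$allowedClasses = @(
    '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}',
    '{4d36e979-e325-11ce-bfc1-08002be10318}'
)

# Enable the policy itself (DWORD 1 = enabled, the same value as the article's reg add command).
New-Item -Path $restrictions -Force | Out-Null
Set-ItemProperty -Path $restrictions -Name 'AllowUserDeviceClasses' -Type DWord -Value 1

# The GPO editor stores the list as REG_SZ values named 1, 2, 3 ... under the
# AllowUserDeviceClasses subkey. Recreate the subkey so stale entries do not linger.
if (Test-Path $classList) { Remove-Item -Path $classList -Recurse -Force }
New-Item -Path $classList -Force | Out-Null

$index = 1
foreach ($guid in $allowedClasses) {
    New-ItemProperty -Path $classList -Name "$index" -PropertyType String -Value $guid | Out-Null
    $index++
}

# Read back what was written so it can be compared with the GPO editor's "Show" dialog.
Get-ItemProperty -Path $restrictions -Name 'AllowUserDeviceClasses' |
    Select-Object -Property AllowUserDeviceClasses
Get-ItemProperty -Path $classList |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Only drivers for the listed classes are opened to standard users; driver signature enforcement is unaffected, so an unsigned driver is still rejected regardless of this list.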


Configuring Point and Print Restrictions Policy

Windows 10 has another feature, related to the UAC (User Account Control) settings, that comes into play when you try to install a shared network printer. If UAC is enabled, a prompt appears asking for Administrator credentials. If UAC is disabled, an attempt to install the printer under a non-admin user makes the system hang for some time and finally display the error message: “Windows cannot connect to the printer. Access is denied”.


To solve this problem, you need to disable the policy Point and Print Restrictions. This policy is located under the Computer and User Configuration section of the GPO editor. In order to enable compatibility with previous versions of the Windows operating system, it is recommended to disable both policies. They are located in the following sections:

  • Computer Configuration > Policies > Administrative Templates > Printers;
  • User Configuration > Policies > Administrative Templates > Control Panel > Printers.

Once this policy is disabled on Windows 10 computers, the security warnings and elevation prompts no longer appear when a user installs the network printer or when the printer driver is updated.


Note. You can disable Point and Print Restrictions via the registry. Use the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f

If you want to restrict the list of print servers from which users are allowed to install print drivers without admin permissions, you need to set the Point and Print Restriction policy to Enabled.

Then enable the option “Users can only point and print to these servers”. In the “Enter fully qualified server names separated by semicolons” specify a list of your trusted print servers (FQDN).

Under the “Security Prompts” section, select “Don’t show warning or elevation prompt” for the policy parameters “When installing drivers for a new connection” and “When updating drivers for an existing connection”.


Test the Policy to Allow Users to Install Printer Drivers

It remains to test the policy on client computers (a restart is required). After rebooting and applying the Group Policy settings, users will be able to install printer drivers without Admin permissions.

Tip. After installing the update KB3170455, released on July 12, 2016, a printer driver must meet the following requirements for the printer to install successfully:

  • The driver must carry a trusted digital signature;
  • The driver must be package-aware. Non-package-aware drivers cannot be installed through Point and Print Restrictions.

This means that when you try to install a non-package-aware v3 driver, you will see the warning “Do you trust this printer?” with the Install driver UAC button, which requires the driver to be installed under an admin account.


You can check your driver type on the print server under the node Print Management > Print Servers > Server Name > Drivers. For package-aware print drivers, you can see the True value in the Packaged column.
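The same check can be scripted. The following PowerShell, added here and not from the original article, walks the spooler's driver registry keys under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments and reads each driver's PrinterDriverAttributes value; bit 0x1 of that value is the PRINTER_DRIVER_PACKAGE_AWARE flag from winspool.h, which is what the Packaged column in Print Management reflects. Run it locally on the print server; drivers reported with Packaged = False are the ones that will trigger the prompt described above.

```powershell
# Added example, not from the original article: report which installed print drivers are
# package-aware. The spooler records each driver's attribute flags in the
# PrinterDriverAttributes registry value; bit 0x1 is PRINTER_DRIVER_PACKAGE_AWARE (winspool.h).
# Read-only; run locally on the print server (or any Windows host) in PowerShell.

$PRINTER_DRIVER_PACKAGE_AWARE = 0x1
$environmentsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'

function Get-PrintDriverPackageInfo {
    param([string]$Root = $environmentsKey)

    # Layout: Environments\<Windows x64 | Windows NT x86 ...>\Drivers\Version-<3|4>\<driver name>
    foreach ($printEnv in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $driversKey = Join-Path $printEnv.PSPath 'Drivers'
        if (-not (Test-Path $driversKey)) { continue }

        foreach ($ver in Get-ChildItem -Path $driversKey) {
            foreach ($drv in Get-ChildItem -Path $ver.PSPath) {
                $props = Get-ItemProperty -Path $drv.PSPath
                # A missing value (very old drivers) is treated as 0: no flags, not package-aware.
                $attrs = if ($null -ne $props.PrinterDriverAttributes) { [int]$props.PrinterDriverAttributes } else { 0 }

                [pscustomobject]@{
                    Name        = $drv.PSChildName
                    Environment = $printEnv.PSChildName
                    Version     = $ver.PSChildName      # Version-3 or Version-4
                    Packaged    = (($attrs -band $PRINTER_DRIVER_PACKAGE_AWARE) -ne 0)
                    Attributes  = ('0x{0:X}' -f $attrs)
                }
            }
        }
    }
}

$drivers = @(Get-PrintDriverPackageInfo)
$drivers | Sort-Object Packaged, Name |
    Format-Table Name, Environment, Version, Packaged, Attributes -AutoSize

# Drivers that will still show the "Do you trust this printer?" prompt to standard users.
$notPackaged = @($drivers | Where-Object { -not $_.Packaged })
'{0} of {1} installed drivers are not package-aware' -f $notPackaged.Count, $drivers.Count
```

Version-4 drivers are always package-aware; the interesting rows are Version-3 drivers with Packaged = False, which are the candidates for replacement before the August 2021 changes described in the next section are rolled out.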


Unable to Deploy Printer Drivers After August 2021 Updates

In August 2021 (2021-08-10), Microsoft released a security update for Windows 10 (KB5005033) that made significant changes to the printer installation policy. After installing this and later security updates, Windows requires administrator permissions to install printer drivers. This change addresses the PrintNightmare vulnerability and is related to Windows Print Spooler issues.

Hint. The PrintNightmare RCE vulnerability is described in CVE-2021-1675 and CVE-2021-34527. A flaw in the Windows Print Spooler implementation allows an attacker to remotely execute arbitrary code on a Windows computer: a malicious DLL file is loaded into the system, and a subsequent attempt to add a printer causes that file to be accessed and run with SYSTEM privileges.

The Print Spooler service runs on Windows by default (including server editions). Servers are the most dangerous targets, so Microsoft has issued a recommendation to disable the printing subsystem on domain controllers (Security assessment: Domain controllers with Print spooler service available).

On computers with update KB5005033, when installing a printer, users receive a UAC window:

Do you trust this printer?

Windows needs to download and install a software driver from the \\computer to xxx. Proceed only if you trust the computer and network.


After clicking on the Install driver button, a UAC window appears in which you need to specify the administrator credentials.

Microsoft recommends using Group Policy to install printers on users’ computers. But this only works for v4 Package-aware print drivers. When installing any v3 driver, a UAC window appears asking for an administrator password.

If you cannot update all drivers to v4, there is a workaround. On all affected computers, set the registry parameter RestrictDriverInstallationToAdministrators = 0 under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\.

The easiest way to deploy this registry parameter to computers is through Group Policy.

Create a new registry parameter under the GPO section Computer Configuration > Preferences > Windows Settings > Registry.

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Value name: RestrictDriverInstallationToAdministrators
  • Value type: REG_DWORD
  • Value data: 0


This registry key will allow users to connect to any printer.

This is a workaround, not a fix, because it makes your print servers vulnerable (!!!!).

Therefore, you additionally need to configure the Point and Print Restriction policy (described above). Add trusted print servers in the “Users can only point and print to these servers” section.

Additionally, set:

  • When installing drivers for a new connection: Do not show warning or elevated prompt;
  • When upgrading drivers for an existing connection: Show warning only.
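To check what a given client actually ended up with after the policies above and the registry workaround have been applied, here is an added PowerShell audit script; it is not from the original article. It reads the PointAndPrint policy key quoted above, using the value names defined by the Printers.admx template (Restricted, TrustedServers, ServerList, InForest, NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators), and flags the combination the article warns against: driver installation opened to standard users without a trusted server list.

```powershell
# Added example (not from the original article): audit the effective Point and Print
# policy values on a Windows client. Read-only; the policy hive is readable by standard users.
# Value names are those written by the Printers.admx policy into the key quoted in the article.

$pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintState {
    param([string]$Path = $pointAndPrintKey)
    $p = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    # Each value is absent ($null) when the corresponding policy is Not Configured.
    [pscustomobject]@{
        Restricted                                 = $p.Restricted                    # 1 = policy Enabled
        TrustedServers                             = $p.TrustedServers                # 1 = only listed servers
        ServerList                                 = $p.ServerList                    # FQDNs, semicolon-separated
        InForest                                   = $p.InForest                      # 1 = only servers in the forest
        NoWarningNoElevationOnInstall              = $p.NoWarningNoElevationOnInstall # 1 = no prompt on new connection
        UpdatePromptSettings                       = $p.UpdatePromptSettings          # 0 warn+elevate, 1 warn only, 2 none
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators # 0 = workaround
    }
}

function Test-PointAndPrintRisk {
    param([pscustomobject]$State)
    $findings = @()

    # Since the August 2021 updates the default is 1 (admins only); 0 is the article's workaround.
    if ($State.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'Standard users may install print drivers (RestrictDriverInstallationToAdministrators = 0).'

        $hasServerList = ($State.Restricted -eq 1) -and ($State.TrustedServers -eq 1) -and
                         -not [string]::IsNullOrWhiteSpace($State.ServerList)
        if (-not $hasServerList) {
            $findings += 'No trusted print server list is enforced; drivers may be fetched from any server.'
        }
        if ($State.NoWarningNoElevationOnInstall -eq 1) {
            $findings += 'Install prompts are suppressed; the user sees no warning before a driver is fetched.'
        }
        if ($State.UpdatePromptSettings -eq 2) {
            $findings += 'Driver update prompts are fully suppressed (the article recommends "Show warning only", value 1).'
        }
    }

    if ($findings.Count -eq 0) { 'No risky Point and Print combination found.' } else { $findings }
}

$state = Get-PointAndPrintState
$state | Format-List
Test-PointAndPrintRisk -State $state
```

Run it on a representative client after gpupdate and a reboot. A clean result is RestrictDriverInstallationToAdministrators = 0 together with Restricted = 1, TrustedServers = 1 and a populated ServerList, which is exactly the configuration the paragraphs above describe.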

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

15 comments

  1. In our environment, we only have like 3 models of printers, used by 1,000 users.
    Would it just make sense to push out drivers for these few model printers to *everyone*, then users can point-and-print to add a printer, but since the *driver* would have been pre-loaded, they won’t get a UAC prompt?

    If so, suggestions on how?
    This seems like the best of both worlds – security (only our trusted drivers) + convenience (users can pick which printers they need and install them on their own, without UAC)

  2. I was hoping your article would help with August 10, 2021—KB5005033, but it doesn’t. My users can’t install print drivers without admin credentials.

      1. We had the same problem and turns out adjusting the printer driver from false to true in the Packaged column solved the issue for us.

  3. Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:

    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

    1. I have tried the Registry Edit and it works but no amount of farting around with the different registry policies worked. Maybe I’m missing the correct ADMX but I just couldn’t get it to go. In the end I made a “create” registry in group policy and pushed that out.

      HKEY_LOCAL_MACHINE
      SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
      RestrictDriverInstallationToAdministrators
      REG_DWORD
      00000000
      Hexadecimal

  4. What is the difference between the following two methods?
    – setting it via the group policy `Microsoft Endpoint > Administrative Template > Printers > Point and Print Restrictions`
    – setting the registry value for `RestrictDriverInstallationToAdministrators` manually

    Because we have rolled it out to all computers in the tenant and we noticed that it worked for some devices in combination with some printers and it didn’t work for other devices which were using a different printer.

  5. Out of all the fixes mentioned, only the last one states it will circumvent the security for the PrintNightmare issue. Will all the fixes above compromise the clients as well, or is it just the “RestrictDriverInstallationToAdministrators” DWORD change that gives exposure?
