Allow non-administrators to use GPO to install printer drivers. - Solution Views (2023)

Non-admin domain users are not allowed to install printer drivers on domain systems by default. A user with local admin capabilities should be able to install a driver (must be a member of the local Administrators group). This is beneficial from a security standpoint, since installing an improper or fake device driver could corrupt the PC or cause it to operate poorly. However, in terms of the IT department, this strategy is exceedingly cumbersome because it necessitates Support-team intervention whenever a user attempts to install a new printer driver.

Allow Non-Administrators to Install Printer Drivers configuring GPO

To begin, create a new (or change an existing) GPO object (policy) and link it to the OU (AD container) that contains the computers on which printer drivers must be installed (use the gpmc.msc snap-in to manage domain GPOs). The Local Group Policy Editor can be used on a standalone (non-domain) computer to apply the same settings (gpedit.msc)

In the Group Policy editor, expand the following branch: Security Settings > Local Policies > Security Options > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options Devices: Locate the policy Users should not be able to install printer drivers.

Set the value of the policy to Disable. When connecting a shared network printer (the printer’s driver obtained from the print-server host), this policy allows non-administrators to install printer drivers. The policy value can then be set to Disable, which means that any unprivileged user can install a printer driver as part of a shared printer connection to a machine. This policy, however, prohibits the download and installation of an untrusted (non-signed) printer driver.

Allowing Installation of Printer Device GUIDs via GPO

Allowing the user to install printer drivers via GPO is the next stage. In this scenario, the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation contains the policy Allow non-administrators to install drivers for these device setup classes.

Enable the policy and specify which device classes users are permitted to install. Click the Show button, and in the resulting window, type two lines with the device class GUIDs for printers:

• Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
• Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.

A complete list of Windows device class GUIDs may be found here.

Members of the local Users group can install a new device driver for any device that matches the given device classes when this policy is enabled.

Note that you can enable this policy in the registry using the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD/d 1 /f

You can find the list of allowed to install device GUIDs under the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.

Save

Point and Print Restrictions Policy Configuration

When you try to install a shared network printer in Windows 10, an additional feature connected to the UAC (User Account Control) settings appears. If the User Account Control (UAC) is enabled, a notification appears asking you to provide the Administrator’s credentials. If UAC is turned off, and you try to install the printer as a non-admin user, the system lags for a while before displaying an error message that says “Windows cannot connect to the printer.” “Access is revoked.”

You must disable the policy Point and Print Restrictions to resolve this issue. This policy may be found in the GPO editor’s Computer and User Configuration area. It is advised that both policies be disabled in order to enable compatibility with older versions of the Windows operating system. They can be found in the sections below:

• Computer Configuration>Policies>Administrative Templates>Printers;
• User Configuration>Policies>Administrative Templates>Control Panel>Printers

The security warnings and elevated prompts do not appear when the user tries to install the network printer or while the printer driver is upgrading if you disable this policy for Windows 10 PCs.

Note. You can disable Point and Print Restrictions via the registry. Use the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f

Set the Point and Print Restriction policy to Enabled to limit the list of print servers from which users are allowed to install print drivers without admin permissions.

Then select “Users can only point and print to these servers” from the drop-down menu. Enter a list of your trusted print servers in the “Enter fully qualified server names separated by semicolons” field (FQDN).

Select “Don’t show warning or elevation prompt” for the policy parameters “Then installing drivers for a new connection” and “Then updating drivers for an existing connection” under the “Security Prompts” section.

Allowing Users to Install Printer Drivers is being tested.

The policy still needs to be tested on client machines (requires restart). Users will be able to install printer drivers without Admin permissions after rebooting and implementing Group Policy adjustments.

To successfully install the printer after installing the update KB3170455, which was released on July 12, 2016, the printer driver must match the following requirements:

A trusted digital signature must be used to sign the driver.

The driver must be well-prepared (Package-aware print drivers). It is unable to install unpacked (non-package-aware) drivers using Point and Print Restrictions.

This implies that if you try to install the non-package-aware v3, you’ll get the message “Do you trust this printer?” along with the Install driver UAC button, which requires you to install printer drivers as an administrator.

On the print server, go to Print Management > Print Servers > Server Name > Drivers to see what type of driver you have. In the Packaged column, you may see the True value for package-aware print drivers.

Printer Drivers Cannot Be Deployed After August 2021 Updates

Microsoft published a security update for Windows 10 (KB5005033) in August 2021 (2021-08-10) that made major modifications to the printer installation policy. Windows begins to require administrator access to install printer drivers after installing these and the newest security updates. This update resolves the PrintNightmare vulnerability, which is linked to vulnerabilities with Windows Print Spooler.

Microsoft published a security update for Windows 10 (KB5005033) in August 2021 (2021-08-10) that made major modifications to the printer installation policy. Windows begins to require administrator access to install printer drivers after installing these and the newest security updates. This update resolves the PrintNightmare vulnerability, which is linked to vulnerabilities with Windows Print Spooler.

CVE-2021-1675 and CVE-2021-34527 both describe the PrintNightmare RCE vulnerability. An attacker can remotely execute arbitrary code on a Windows PC by exploiting a fault in the Windows Print Spooler implementation. A malicious DLL file can be loaded into the system using this vulnerability. When you try to add a printer again, you’ll get access to this file, which runs with System privileges.

When installing a printer on a PC that has the update KB5005033 installed, a UAC popup appears:

Do you have trust in this printer?

From the computer to xxx, Windows must download and install a software driver. Proceed only if you have full trust in the computer and network.

When you click the Install driver button, a UAC box appears, prompting you to enter your administrator credentials.
To install printers on users’ computers, Microsoft suggests using Group Policy. However, this is only applicable to v4 Package-aware print drivers. A UAC popup occurs while installing any v3 driver, asking for an administrator password.
There is a workaround if you are unable to upgrade all drivers to version 4. Install the value RestrictDriverInstallationToAdministrators =0 in the registry entry HKEY LOCAL MACHINESOFTWAREPoliciesMicrosoftWindowsNTPrintersPointAndPrint on all problem PCs.

Group Policy is the simplest approach to distribute this registry parameter to computers.

Create a new registry parameter under the GPO sectionComputer Configuration>Preferences>Windows Settings>Registry.

• Action: Replace
• Hive: HKEY_LOCAL_MACHINE
• Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
• Value name: RestrictDriverInstallationToAdministrators
• Value type: REG_DWORD
• Value data: 0

Users will be able to connect to any printer using this registry key.

Because it renders your print servers susceptible, this is a workaround rather than a repair.

As a result, you’ll also need to set up the Point and Print Restriction policy (described above). In the “Users can only point and print to these servers” section, add trusted print servers.

Set the following as well:

1. If you’re installing drivers for a new connection, don’t show any warnings or escalated prompts.
2. 2.Only provide a warning when upgrading drivers for an existing connection.