Since the PrintNightmare updates last year (2021), a lot has changed in the way printers are distributed, because Microsoft introduced additional protection mechanisms. To make the distribution and installation of drivers via the print server work again, you can "quite easily" set a registry key via Intune or GPO. But ATTENTION: this alone reopens a large part of the gap. If you know how, however, you can deploy the "Point and Print" policies with the right settings via Intune.

More information about the exploit: CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability


Allow ALL - RestrictDriverInstallationToAdministrators

By disabling the restriction that only administrators may install drivers, the printer connection works again. But then the security gap that made PrintNightmare so big is open again. That is why all the steps below are necessary (even if everything already works after setting this key).

Key:   RestrictDriverInstallationToAdministrators
Path:  HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: 0
Type:  DWord

To distribute this registry key, you must upload a PowerShell script in Intune under:
Devices > Windows > PowerShell scripts

I have put the prepared script on GitHub for you:

Here is an example of the distribution:

Intune PowerShell script, RestrictDriverInstallationToAdministrators

Point and Print Restriction

To tighten up security again, we're removing users' right to perform installs for all unknown servers and non-printer drivers.

For this we create a new configuration policy (Settings catalog):
Devices > Windows > Configuration profiles

We give this a meaningful name, for example "WIN Printer Restrictions".

In the Intune policy you now add the "Point and Print Restrictions". The quickest way to find them is the search field.
When making your selection, make sure the result is the "Device" scope and not "User", because user-scoped settings can be overridden by any user.

Point and Print Restrictions

In the settings you now enable the "Point and Print Restrictions" and configure them according to the screenshot below.
Replace "yourprintserver.domain.com" with the FQDN of your print server(s).
For multiple servers, separate them with a semicolon: yourprintserver-1.domain.com;yourprintserver-2.domain.com

Point and Print settings
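As an added example (not the author's GitHub script), here is a PowerShell script of the kind you would upload under Devices > Windows > PowerShell scripts: it sets the RestrictDriverInstallationToAdministrators key from the table above and, in the same registry path, the Point and Print restriction values that correspond to the policy configured in this section (trusted server list, prompts kept), then verifies the result. The server names are placeholders, and the chosen restriction values are my assumption of a sensible configuration, since the exact screenshot values are not given in the text.

```powershell
# Added example, not the post's own script. Run as SYSTEM (Intune) or elevated.
$PointAndPrint = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Placeholder list; replace with your own print server FQDN(s), separated by ';'
$TrustedServerList = 'yourprintserver-1.domain.com;yourprintserver-2.domain.com'

# Desired state. RestrictDriverInstallationToAdministrators=0 re-enables driver
# installation for standard users; the remaining values (assumed settings) limit
# that right to the listed servers and keep the warning/elevation prompts, so the
# PrintNightmare mitigation is not simply switched off.
$Desired = [ordered]@{
    RestrictDriverInstallationToAdministrators = @{ Value = 0; Type = 'DWord' }
    Restricted                    = @{ Value = 1; Type = 'DWord' }   # restrictions enabled
    TrustedServers                = @{ Value = 1; Type = 'DWord' }   # only listed servers
    ServerList                    = @{ Value = $TrustedServerList; Type = 'String' }
    NoWarningNoElevationOnInstall = @{ Value = 0; Type = 'DWord' }   # prompt on new connection
    UpdatePromptSettings          = @{ Value = 0; Type = 'DWord' }   # prompt on driver update
}

function Set-PointAndPrintPolicy {
    # Create the policy key if missing, then write every desired value
    if (-not (Test-Path $PointAndPrint)) { New-Item -Path $PointAndPrint -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        $entry = $Desired[$name]
        New-ItemProperty -Path $PointAndPrint -Name $name -Value $entry.Value `
            -PropertyType $entry.Type -Force | Out-Null
    }
}

function Test-PointAndPrintPolicy {
    # Returns the names of values that are missing or differ from the desired state
    $drift = foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $PointAndPrint -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current -or "$current" -ne "$($Desired[$name].Value)") { $name }
    }
    return @($drift)
}

Set-PointAndPrintPolicy
$drift = Test-PointAndPrintPolicy
if ($drift.Count -eq 0) { Write-Output 'Point and Print policy applied'; exit 0 }
Write-Output "Values not applied: $($drift -join ', ')"; exit 1
```

The non-zero exit code makes a drifted or failed run show up as "Failed" in the Intune script status, so you can spot clients where the restriction values did not land.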

Device Installation Restrictions

In addition to the restrictions created above, we also define which class of drivers may be installed.
To do this, either in the same policy or in a new policy, add the subcategory "Allow installation of devices using drivers that match these device setup classes" under "Device Installation Restrictions" and activate it.

Allow installation of devices using drivers that match these device setup classes

In the "Allowed classes" you now add the printer drivers:

  • {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
  • {4d36e979-e325-11ce-bfc1-08002be10318}
  • {1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Allowed classes, Printer

All classes: System-Defined Device Setup Classes Available to Vendors - Windows drivers | Microsoft Learn

Finally, you assign the policy (or policies) to a group and save it.

Do you want to distribute one or more shared printers with Intune?
Then I have an article for you here: Shared printers with Intune | scloud

By the way, the printer policies I have described here for Intune can also be found in the classic GPOs.