Users being prompted to update print drivers when printing
Hey Experts. Windows 2016 print server with 150+ Windows 10 Enterprise pc's and 60 HP network printers all in an AD environment. Yesterday, no problems when users would print documents or pdf's but today, when they print, they are encountering this box:
I thought it was just one printer so I updated the drivers but then more tickets came in and as they were escalated, I knew it was more widespread. Selecting the "install driver" option gives the impression that it's doing something but the box quickly comes back up.
By default, users get their printers mapped via a login script and group membership. Users have no admin rights on the local pc.
Nothing, that I am aware of, changed overnight as I didn't push updates, no changes to GPO's or any sort of print server change. Something obviously caused this to start popping up and after restarting the print server and the desktops, and updating the print driver for the M506 which was the model of the initial ticket, I'm no closer to a cause or solution.
Any help would be greatly appreciated!
I thought it was just one printer so I updated the drivers but then more tickets came in and as they were escalated, I knew it was more widespread. Selecting the "install driver" option gives the impression that it's doing something but the box quickly comes back up.
By default, users get their printers mapped via a login script and group membership. Users have no admin rights on the local pc.
Nothing, that I am aware of, changed overnight as I didn't push updates, no changes to GPO's or any sort of print server change. Something obviously caused this to start popping up and after restarting the print server and the desktops, and updating the print driver for the M506 which was the model of the initial ticket, I'm no closer to a cause or solution.
Any help would be greatly appreciated!
Seth Simmons
are you sure updates weren't installed anywhere? the august update includes changes to print behaviour where admin rights are needed to install drivers
ASKER
I should have prefaced my comment about updates. When I initially looked into this, I saw that his pc was restarted after he left for the day. Checking the Windows update log, I see two updates that were installed.
I was really hoping that it wasn't update related as I didn't deploy/authorize any. You confirmed my suspicion and guess I need to go that route. Thank you.
If that is the case, what is the work-around as I'm not giving them local admin rights.
I was really hoping that it wasn't update related as I didn't deploy/authorize any. You confirmed my suspicion and guess I need to go that route. Thank you.
If that is the case, what is the work-around as I'm not giving them local admin rights.
I'd say uninstall for now. Just released yesterday so folks that have installed it are just starting to see the affects; no doubt there will be more questions (and likely complaints) like this in the coming days/weeks about this change (just starting to test august updates myself). Seem to be a double-edge sword - it (apparently) fixes print nightmare once and for all but at the same time causes this annoyance for users.
ASKER
Much appreciated. I'm checking through the patches that went out yesterday but can't narrow down which update it was. Do you happen to know the KB for the culprit?
ASKER
Confirm that it is KB5005033, please?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Uninstalling 5005031 worked!! Always appreciate another set of eyes. Now I need to script this uninstall.
I wouldn't go that route.
We deploy printers via GPO to computer objects - the drivers are installed no matter if the user is non-admin.
So we don't have that problem although we already deployed that patch anywhere.
I guess the reason why you have it, is that you deploy the printers via GPO to user objects, could that be? You would just need to change that, then you may keep the patch.
By the way: "print nightmare" is a composition of several vulnerabilities. At least one of them remains unpatched so still non-admins may elevate their permissions to full system account powers at ease.
https://twitter.com/gentilkiwi/status/1425367298001543176/photo/1
https://twitter.com/gentilkiwi/status/1425154484167188480
We deploy printers via GPO to computer objects - the drivers are installed no matter if the user is non-admin.
So we don't have that problem although we already deployed that patch anywhere.
I guess the reason why you have it, is that you deploy the printers via GPO to user objects, could that be? You would just need to change that, then you may keep the patch.
By the way: "print nightmare" is a composition of several vulnerabilities. At least one of them remains unpatched so still non-admins may elevate their permissions to full system account powers at ease.
https://twitter.com/gentilkiwi/status/1425367298001543176/photo/1
https://twitter.com/gentilkiwi/status/1425154484167188480
ASKER
I wouldn't go that route. We deploy printers via GPO to computer objects - the drivers are installed no matter if the user is non-admin. So we don't have that problem although we already deployed that patch anywhere.
You wouldn't go which route? Via login script?
I do not think it's right to uninstall the patch. The reason for that prompt needs to be found. We don't get that prompt, for admin permissions. See how we deploy printers. See how you deploy printers and compare.
It's dangerous to be unpatched. Very possibly, Microsoft will not change this.
It's dangerous to be unpatched. Very possibly, Microsoft will not change this.
ASKER
@McKnife, I can appreciate that and am looking into ways to mitigate the impact the patch had on our office. Due to the size and function of this gov agency, being unable to get paperwork out wasn't an option but neither is being unnecessarily exposed to security risks. There is a balance and we are actively researching ways to proceed.
How do you deploy printer drivers? Or are they installed manually? That's all I ask.
ASKER
Via login script
So, as said, change that. Deploy to computers, not Users and all is well.
So either use a GPO that uses group policy preferences or native printer deployment. Both to be set in the computer config section of the GPO.
So either use a GPO that uses group policy preferences or native printer deployment. Both to be set in the computer config section of the GPO.
ASKER
Very helpful and provides good insight. I appreciate you taking the time to explore alternatives to the current method.
FWIW, we deploy via User Config > Preferences > Control Panel Settings > Printers.
which also seems to work, i.e. no users get prompts.
I haven't tried it so I wonder what would be the diff, i.e. deploy via Computer Config vs User Config? I'm guessing users can't change each printer's settings?
which also seems to work, i.e. no users get prompts.
I haven't tried it so I wonder what would be the diff, i.e. deploy via Computer Config vs User Config? I'm guessing users can't change each printer's settings?
> what would be the diff, i.e. deploy via Computer Config vs User Config?
Targeting users, the printer gets installed no matter which machine the user uses.
Targeting computers, it gets installed only on that computer, no matter which user uses this machine.
It used to be that the preference user section was executed with user permissions (and thus would have encountered the same error), but giving this second thought, this is no longer true, MS changed that, so it would work as well (as it does for you, NVIT :-) )
Targeting users, the printer gets installed no matter which machine the user uses.
Targeting computers, it gets installed only on that computer, no matter which user uses this machine.
It used to be that the preference user section was executed with user permissions (and thus would have encountered the same error), but giving this second thought, this is no longer true, MS changed that, so it would work as well (as it does for you, NVIT :-) )
This is not a bug, this is on purpose. Since now this is standard behavior. I am afraid you will have to deal with it another way than stopping Windows updates on all computers. That's a bad idea for security reasons. Anyway, you can work around it. See the Microsoft link below for instructions.
Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality.https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872