Unable to deploy printers via GPO User Configuration after Windows update KB5005033 got installed ("Do you trust this printer?" issue)

Solution 1

Microsoft published a summary of various solutions we can use to manage the new behavior.

Specifically:

Install print drivers when the new default setting is enforced

If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers:

• Provide an administrator username and password when prompted for credentials when attempting to install a printer driver.

• Include the necessary printer drivers in the OS image.

• Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install printer drivers.

• Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.

[...]
Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
[...]

I recommend you to deploy the printer drivers to your computers, then, remove all deployed Point and Print Group Policies and Package Point and Print Group Policies, as they are not required anymore, and do not set the RestrictDriverInstallationToAdministrators registry value because this will allow a vulnerability on your clients/servers.

Don't forget that each Windows device where the Print Spooler is enabled is vulnerable if you set the RestrictDriverInstallationToAdministrators registry value to 0, it's not about the Print Servers only, clients computers and other Windows servers are impacted too!

Be aware that there is another vulnerability in the Print Spooler at the moment, patch is still pending: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

Disabling the Print Spooler wherever possible is a good rule of thumb...

Solution 2

I've found out two possible solutions, both of them do not provoke any UAC/admin rights prompt:

1. Switch to Computer Configuration deployment instead (CC -> Pr -> Control panel -> Printers -> New -> TCP/IP). Note that printer driver Type 3 is required on printserver in order to work. Printserver is used only to deploy the printer, after that, affected machines are able to print independent on printserver (e.g. when switched off or unavailable).

2. Reinstall the printer on printserver with Type 4 driver and continue in using User Configuration deployment (if Type 4 driver is available). I use printmanagement.msc console. How I did it? First, removed all the old drivers to the printer like so:

Then plugged the printer in directly (not via our Repotec TCP/IP printserver box) via USB and let MS Windows install the drivers themselves - it installed the "Class" driver, Type 4:

IMPORTANT! Registry hacks like RestrictDriverInstallationToAdministrators are NOT needed, as well as Point and Print Group Policies and Package Point and Print Group Policies - not needed either, if you had them ever applied, follow the Microsoft's official mitigation guide. Also, if you had removed the update KB5005033 as a workaround, install it and get protected.

Good luck!

Related videos on Youtube

02 : 32

How to deploy shared printers using GPO

TechCrafters

390

05 : 49

Windows 10 Update KB5005565 Causing Shared Printer Problem

Britec09

138

33 : 35

Step by Step: how to deploying printers with group policy windows server 2016 and 2019 - GPO - 2020

Neel Patel

23

10 : 24

Fix Software Deployment failed when using GPO | Group Policy Error deploying MSI software

KELVGLOBAL ICT

6

09 : 58

How-To Configure Network Printer and Deploy it via Group Policy Object (GPO)

IT Videos

2

Author by

crysman

Updated on September 18, 2022