This past August, Microsoft rolled out a series of updates that caused major printing problems for businesses. These problems were directly related to the Point and Print function. Under this new update, users have to be promoted to administrators or else they run into more problems, including the inability to install new printers using drivers on a remote computer or server, and to update existing printer drivers using drivers from a remote computer or server. Sadly, the problems do not end there. Anyone with V3-style print drivers is now being prompted to reinstall drivers or install new drivers. The reason is that the printers are being pushed out from the server via Group Policy, which triggers a reinstallation. Even when it is on the workstation and not the server, a reinstallation of the print drivers is still triggered. This is extremely annoying and inconvenient; under these updates, printing with Microsoft is just a disaster.
This directly contradicts what Microsoft has been telling us for years: that running with administrator rights is not a good idea, and that keeping users without administrator rights limits lateral movement. The new update leaves companies with only three options. The first is to give users local administrator rights, which creates all sorts of security problems. Another is to make a registry key adjustment, which would also weaken security. The last is a waiting game: roll back the patch until Microsoft figures out what they did wrong and how to fix it. Beyond these, there is one more option: open a Command Prompt window with elevated permissions and enter the following:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
This is an option, but it is strongly discouraged by both Microsoft and the general public, as it further exposes your system to a lot of vulnerabilities.
Microsoft does know about this, however, and has even addressed it, stating: “the admin/install prompt for already-installed drivers and already-installed printers is unexpected behavior… We have received new reports that this is also affecting customers where the drivers/printers, etc. are already installed and it is already under investigation, we do not have an estimated time of fix yet, but we are working on it.” So, with no known time frame for the fix, what does that leave companies who need to print to do?
- Review what servers and computers absolutely have to print. Clearly the foundational security issues with the print server code have yet to be fixed, and it doesn’t appear they will be fixed soon.
- Consider making printing a specific right that you grant only to those in your network who truly need it, instead of having the print spooler service automatically enabled throughout your network.
- Disable the service on all domain controllers and keep it that way until further notice.
- Limit the servers in your network that have print server roles.
- Try to limit the servers as best as you can so you can monitor and limit traffic to these machines.
- Disable the print server role on workstations unless they must print.
- Reevaluate your workflow and processes and see if there are ways to move such business flows to web-based processes or something that won’t depend on paper, toner, and printers.
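As an added example (not part of the original post, and not Microsoft's code), the following read-only PowerShell audit reports whether a host has the registry override described above and whether the Print Spooler is still enabled on a domain controller. The function names and report fields are hypothetical.

```powershell
# Added example (not from the original post): read-only audit of one Windows host.
$keyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueName = 'RestrictDriverInstallationToAdministrators'

function Get-PointAndPrintRestriction {
    # 'Weakened' = value is 0 (the override shown above); 'Enforced' = present, non-zero.
    # 'NotConfigured' = value absent (assumption: the installed update's default applies).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Weakened' }
    return 'Enforced'
}

function Get-HostRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType) {
        1 { 'Workstation' }
        2 { 'DomainController' }
        3 { 'Server' }
        default { 'Unknown' }
    }
}

function Get-PrintExposureReport {
    $role    = Get-HostRole
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy  = Get-PointAndPrintRestriction
    $findings = @()
    if ($policy -eq 'Weakened') {
        $findings += "$valueName is 0: non-administrators can install printer drivers"
    }
    if ($role -eq 'DomainController' -and $spooler -and $spooler.StartType -ne 'Disabled') {
        $findings += 'Print Spooler is not disabled on a domain controller'
    }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Role             = $role
        SpoolerStatus    = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        SpoolerStartType = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        PointAndPrint    = $policy
        Findings         = $findings
    }
}

Get-PrintExposureReport | Format-List

# Remediation for the domain-controller finding (run elevated; this changes the host):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```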
In conclusion, Microsoft needs to do better. They have had too many printing problems over the years, and they do not seem to understand that not all companies that use their products are moving to paperless as quickly as they are, or are even ready for it. Customers should not have to make a hard choice between performing a registry tweak that would expose the firm and removing the update altogether just to function in their business. Contact ACME Business today to manage the impact and risk this update puts on your business before it has a negative impact!