Configuring Point and Print in a PrintNightmare World

Microsoft’s knowledge base article KB5005652 describes a change, made in the Windows updates released on August 10, 2021 and later, to the default driver installation behavior of the Point and Print technology. Previously, users without local administrator privilege could use Point and Print to install printer drivers, which were downloaded automatically from the print server and installed on the user’s computer.

To mitigate the PrintNightmare vulnerabilities, the new default behavior denies users without administrator privilege the ability to install printer drivers via Point and Print. This creates a support problem in departments where print queues are mapped via Group Policy, or are shared from the print server for users to connect to, because IT administrators must now provide another way to ensure the necessary drivers are installed on the computers they support.

Please note that this change has no effect on users that have local administrator privilege.

Limit users to point and print only to trusted servers

If your department needs to permit users to install printer drivers via Point and Print, it is strongly recommended that you configure the Point and Print Restrictions group policy setting to specify the servers they are allowed to point and print to.

  1. In the Group Policy Management Console, create a new Group Policy Object or edit an appropriate, existing GPO.
  2. Navigate to Computer Configuration > Administrative Templates > Printers.
  3. Double-click the Point and Print Restrictions setting.
  4. Click the Enabled radio button.
  5. Click the Users can only point and print to these servers checkbox.
  6. Enter the FQDNs for your print servers, separated by a semicolon.
  7. Change both security prompt options to Show warning and elevation prompt.
  8. Click OK.
(Figure: Point and Print Restrictions settings)

Allowing users without administrator privilege to use point and print to install and update printer drivers

A new DWORD value, RestrictDriverInstallationToAdministrators, under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint, controls this behavior. When it is set to 1, is blank, or is not present, administrative privilege is required to install a printer driver via Point and Print.

To allow users without administrative privilege to install and update printer drivers, create a Group Policy Object, linked to an appropriate OU, that adds the RestrictDriverInstallationToAdministrators DWORD to the PointAndPrint registry key and sets its value to 0.

  1. In the Group Policy Management Console, create a new Group Policy Object or edit an appropriate, existing GPO.
  2. Navigate to Computer Configuration > Preferences > Windows Settings, right-click Registry, and click New > Registry Item.
  3. Copy Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint and paste it into the Key Path text field.
  4. Copy RestrictDriverInstallationToAdministrators and paste it into the Value name text field.
  5. Set Value type to REG_DWORD.
  6. Enter 0 into the Value data text field.
  7. Click OK.
(Figure: Point and Print registry settings)
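Both procedures above write to the same PointAndPrint policy key on each client, so they can be verified together once Group Policy has applied. The following PowerShell audit script is an added example, not code from KB5005652 or from this page: it reads the key on the local machine and reports every deviation from the configuration described above (Point and Print Restrictions enabled with a trusted server list and both prompts set to "Show warning and elevation prompt", plus RestrictDriverInstallationToAdministrators set to 0). It assumes the value names Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall and UpdatePromptSettings, which are the registry values behind the Point and Print Restrictions policy but are not listed on this page; the FQDNs in the sample are placeholders.

```powershell
# Added audit script (not from KB5005652 or this page). Reads the Point and Print
# policy key that both GPOs above write to and compares it with the recommended
# configuration. Run on a client after gpupdate to confirm the GPOs applied.
# Assumption: Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall
# and UpdatePromptSettings are the values written by "Point and Print Restrictions".

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    param([string]$Path = $PointAndPrintKey)
    # $null means no policy has created the key at all.
    if (-not (Test-Path -Path $Path)) { return $null }
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Restricted                                 = $p.Restricted
        TrustedServers                             = $p.TrustedServers
        ServerList                                 = $p.ServerList
        NoWarningNoElevationOnInstall              = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $p.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators
    }
}

function Test-PointAndPrintPolicy {
    param(
        $Policy,                     # object from Get-PointAndPrintPolicy, or $null
        [string[]]$ExpectedServers   # print server FQDNs the department intends to allow
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $restrictedToList = $false

    if ($null -eq $Policy) {
        $findings.Add('PointAndPrint key absent: no Point and Print policy applied; driver installation requires administrator privilege (post-KB5005652 default).')
    } else {
        # Procedure 1: policy Enabled, trusted server list, both prompts shown.
        if ($Policy.Restricted -ne 1) {
            $findings.Add('Point and Print Restrictions is not Enabled (Restricted is not 1).')
        }
        if ($Policy.TrustedServers -ne 1) {
            $findings.Add('"Users can only point and print to these servers" is not checked (TrustedServers is not 1).')
        }
        # ServerList is semicolon-separated, as entered in step 6 of the first procedure.
        $servers = @([string]$Policy.ServerList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($servers.Count -eq 0) {
            $findings.Add('Trusted server list (ServerList) is empty.')
        } else {
            $restrictedToList = ($Policy.TrustedServers -eq 1)
            foreach ($s in $servers) {
                if ($ExpectedServers -and ($ExpectedServers -notcontains $s)) {
                    $findings.Add("Unexpected server in trusted list: $s")
                }
            }
        }
        # 0 means "Show warning and elevation prompt" for both prompt settings (step 7).
        if ($Policy.NoWarningNoElevationOnInstall -ne 0) {
            $findings.Add('Install prompt is not "Show warning and elevation prompt" (NoWarningNoElevationOnInstall is not 0).')
        }
        if ($Policy.UpdatePromptSettings -ne 0) {
            $findings.Add('Update prompt is not "Show warning and elevation prompt" (UpdatePromptSettings is not 0).')
        }
        # Procedure 2: 1, blank or absent means administrators only; 0 permits non-admin installs.
        $rd = $Policy.RestrictDriverInstallationToAdministrators
        if ($null -eq $rd -or "$rd" -eq '' -or $rd -eq 1) {
            $findings.Add('Driver installation requires administrator privilege (RestrictDriverInstallationToAdministrators is 1, blank or absent).')
        } elseif ($rd -eq 0 -and -not $restrictedToList) {
            $findings.Add('Non-administrators may install drivers (value 0) but no trusted server list is enforced.')
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: the state a client should be in after both GPOs apply.
$sample = [pscustomobject]@{
    Restricted = 1; TrustedServers = 1
    ServerList = 'print1.example.edu;print2.example.edu'   # placeholder FQDNs
    NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0
    RestrictDriverInstallationToAdministrators = 0
}
$expected = 'print1.example.edu', 'print2.example.edu'
Test-PointAndPrintPolicy -Policy $sample -ExpectedServers $expected | Format-List

# Live check of this machine's applied policy.
Test-PointAndPrintPolicy -Policy (Get-PointAndPrintPolicy) -ExpectedServers $expected | Format-List
```

A Compliant result of True means the client matches both procedures; each finding names the setting and the registry value behind it, so it can be traced back to the GPO step that needs attention. The last finding in the list is the one to watch when rolling out the second procedure alone: setting RestrictDriverInstallationToAdministrators to 0 without the trusted server list from the first procedure lets users point and print to any server.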