Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers. We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality. For more information, see Point and Print Default Behavior Change and CVE-2021-34481.
Default behavior: setting the RestrictDriverInstallationToAdministrators value to 1, or leaving the key undefined or absent, requires administrator privilege to install any printer driver when using Point and Print. This registry key overrides all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print.
Driver update registration key
Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server. Some administrators might set the value to 0 to allow non-admins to install and update drivers after adding additional restrictions, including adding a policy setting that constrains where drivers can be installed from.
Note: Updates released July 6, 2021 or later have a default of 0 (disabled) until the installation of updates released August 10, 2021 or later. Updates released August 10, 2021 or later have a default of 1 (enabled).
Note: After installing updates released September 21, 2021 or later, you can configure this group policy with period or dot (.) delimited IP addresses interchangeably with fully qualified host names.
A1: Being prompted for every print job is not expected. The majority of environments or devices that experience this issue will be resolved by installing updates released October 12, 2021 or later. These updates address an issue related to print servers and print clients not being in the same time zone.
If you are still having this issue after installing updates released October 12, 2021 or later, you might need to contact your printer manufacturer for updated drivers. This issue might also occur when a print driver on the print client and the print server use the same filename, but the server has a newer version of the driver file. When the print client connects to the print server, it finds a newer driver file and is prompted to update the drivers on the print client. However, the file in the package it is offered for installation does not include the newer driver file version.
To mitigate this issue, verify that you are using the latest drivers for all your printing devices. Where possible, use the same version of the print driver on the print client and print server. If updating drivers in your environment does not resolve the issue, please contact support for your printer manufacturer (OEM).
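The mismatch described above (same driver on both sides, newer version on the server) is easiest to find by listing what each side reports. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; it assumes the PrintManagement cmdlet Get-PrinterDriver can query the server with -ComputerName from the client you run it on, and that its DriverVersion property is the packed 64-bit version made of four 16-bit fields.

```powershell
# Added example (not from the original article): compare the print driver versions that
# this client and a print server report for drivers of the same name and environment, so
# client/server mismatches can be spotted before opening a case with the OEM.
# Assumptions: Get-PrinterDriver -ComputerName works against the server from this client;
# DriverVersion is a packed UInt64 (four 16-bit fields, most significant first).
param([Parameter(Mandatory)][string]$PrintServer)

function ConvertFrom-PackedDriverVersion {
    param([uint64]$Packed)
    # Unpack the 64-bit value into the familiar w.x.y.z form.
    $parts = 3..0 | ForEach-Object { ($Packed -shr (16 * $_)) -band 0xFFFF }
    return ($parts -join '.')
}

function Compare-PrintDriverVersions {
    param([string]$Server)
    $serverDrivers = Get-PrinterDriver -ComputerName $Server -ErrorAction Stop
    $clientDrivers = Get-PrinterDriver -ErrorAction Stop

    foreach ($s in $serverDrivers) {
        # Only a driver installed on both sides can produce the repeated update prompt.
        $c = $clientDrivers |
            Where-Object { $_.Name -eq $s.Name -and $_.PrinterEnvironment -eq $s.PrinterEnvironment } |
            Select-Object -First 1
        if (-not $c) { continue }

        $state = if ($s.DriverVersion -gt $c.DriverVersion) { 'Server newer (client will be prompted)' }
                 elseif ($s.DriverVersion -lt $c.DriverVersion) { 'Client newer' }
                 else { 'Match' }

        [pscustomobject]@{
            Driver        = $s.Name
            Environment   = $s.PrinterEnvironment
            ServerVersion = ConvertFrom-PackedDriverVersion $s.DriverVersion
            ClientVersion = ConvertFrom-PackedDriverVersion $c.DriverVersion
            State         = $state
        }
    }
}

# Usage: .\Compare-PrintDrivers.ps1 -PrintServer PRINTSRV01   (hypothetical server name)
Compare-PrintDriverVersions -Server $PrintServer | Sort-Object State | Format-Table -AutoSize
```

Rows marked "Server newer" are the candidates for the behaviour in A1; the fix the article recommends is to bring both sides to the same (latest) driver version rather than to suppress the prompt.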
A2: Before installing updates released September 14, 2021 or later on print servers, print clients must have installed updates released January 12, 2021 or later. Windows devices will not print if they have not installed an update released January 12, 2021 or later.
Note: You do not need to install earlier updates and can install any update after January 12, 2021 on printing clients. We recommend that you install the latest cumulative update on both clients and servers.
By grouping devices with similar deferral periods, administrators can cluster devices into deployment or validation groups, which can be used as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality before a broader roll-out to their organization.
After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the DeferFeatureUpdatesPeriodinDays value.
For example, a device on the General Availability Channel with DeferFeatureUpdatesPeriodinDays=30 will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
You can also pause a device from receiving feature updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
You can check the date that feature updates were paused by checking the registry key PausedFeatureDate under HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings.
The local group policy editor (GPEdit.msc) will not reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key PausedFeatureStatus under HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings for the following values:
Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the DeferQualityUpdatesPeriodinDays value.
You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again.
You can check the date that quality updates were paused by checking the registry key PausedQualityDate under HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings.
The local group policy editor (GPEdit.msc) will not reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality updates, check the status registry key PausedQualityStatus under HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings for the following values:
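Because GPEdit keeps the pause box ticked after the 35 days run out, the registry is the only reliable place to see where a device actually stands. The PowerShell below is an added example, not part of the original article; it covers both the feature update and the quality update sections above. It reads the PausedFeatureDate/PausedQualityDate and PausedFeatureStatus/PausedQualityStatus values at the path the article gives, and assumes that the Group Policy deferral periods are stored as DeferFeatureUpdatesPeriodInDays and DeferQualityUpdatesPeriodInDays under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, that the Paused*Date strings parse with [datetime]::Parse, and the 35-day limit and 365/30-day deferral maximums the article states. The status value is reported raw, since the article's list of its meanings is not present on this page.

```powershell
# Added example (not from the original article): report the Windows Update for Business
# deferral and pause state of the local device from the registry.
# Assumptions: deferral periods live at $PolicyKey under Defer{Feature,Quality}UpdatesPeriodInDays
# (the Group Policy location); pause dates/status live at $StatusKey as the article states;
# Paused*Date parses as a date; 35 days is the maximum pause the article gives.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$StatusKey    = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings'
$MaxPauseDays = 35

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, so callers can treat "not configured" explicitly.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-EarliestInstallDate {
    param([datetime]$ReleaseDate, [int]$DeferDays)
    # The article's worked case: a 30-day deferral of a September release lands in October.
    return $ReleaseDate.AddDays($DeferDays)
}

function Get-DeferralState {
    param([string]$Kind, [int]$MaxDays)    # Kind is 'Feature' (max 365) or 'Quality' (max 30)
    $days = Get-RegValue $PolicyKey "Defer${Kind}UpdatesPeriodInDays"
    [pscustomobject]@{
        UpdateType   = $Kind
        DeferDays    = $days
        WithinLimit  = if ($null -eq $days) { $null } else { [int]$days -le $MaxDays }
    }
}

function Get-PauseState {
    param([string]$Kind)                   # 'Feature' or 'Quality'
    $dateRaw = Get-RegValue $StatusKey "Paused${Kind}Date"
    $status  = Get-RegValue $StatusKey "Paused${Kind}Status"
    $paused = $null; $expires = $null; $expired = $null
    if ($dateRaw) {
        try { $paused = [datetime]::Parse([string]$dateRaw, [cultureinfo]::InvariantCulture) } catch { }
        if ($paused) {
            $expires = $paused.AddDays($MaxPauseDays)
            # After this date the device has resumed scanning even though GPEdit still shows the pause.
            $expired = (Get-Date) -ge $expires
        }
    }
    [pscustomobject]@{
        UpdateType   = $Kind
        PausedDate   = $paused
        PauseExpires = $expires
        PauseExpired = $expired
        StatusValue  = $status      # raw value; meanings are listed in the original article
    }
}

Get-DeferralState -Kind Feature -MaxDays 365
Get-DeferralState -Kind Quality -MaxDays 30
Get-PauseState -Kind Feature
Get-PauseState -Kind Quality

# The article's example: a feature update first offered on 2021-09-14 (constructed date)
# with DeferFeatureUpdatesPeriodInDays=30 is not installed before 2021-10-14.
Get-EarliestInstallDate -ReleaseDate (Get-Date '2021-09-14') -DeferDays 30
```

A device where PauseExpired is True but the policy editor still shows the pause selected is exactly the state the two paragraphs above warn about; re-applying the pause sets a new PausedFeatureDate or PausedQualityDate and starts another 35-day window.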
Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete.
Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Update for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defers accordingly. Update keys for newer versions will always supersede the older equivalent.
Note: Before installing the July 2021 Out-of-band and later Windows updates containing protections for CVE-2021-34527, the printer operators' security group could install both signed and unsigned printer drivers on a printer server. Starting with the July 2021 Out-of-band update, administrator credentials will be required to install signed and unsigned printer drivers on a printer server. Optionally, to override all Point and Print Restrictions Group Policy settings and ensure that only administrators can install printer drivers on a print server, configure the RestrictDriverInstallationToAdministrators registry value to 1.
We recommend that you immediately install the latest Windows updates released on or after July 6, 2021 on all supported Windows client and server operating systems, starting with devices that currently host the print spooler service. Next, set the "When installing drivers for a new connection" and "When updating drivers for an existing connection" options of the Point and Print Restrictions Group Policy setting to "Show warning and elevation prompt".
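The RestrictDriverInstallationToAdministrators semantics from the "Default behavior" section at the top of the page (absent or 1 means administrators only and overrides the policy; 0 defers to the Point and Print Restrictions policy) and the two prompt options recommended just above are all stored in one registry key, so a single script can audit and, if asked, enforce the posture. The PowerShell below is an added example, not part of the original article or of Microsoft's own tooling. It assumes the documented policy key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint and that the two Group Policy options are backed by the values NoWarningNoElevationOnInstall (new connection) and UpdatePromptSettings (existing connection), where 0 corresponds to "Show warning and elevation prompt"; none of those value names appear on this page.

```powershell
# Added example (not from the original article): audit the Point and Print hardening
# described above and optionally enforce it.
# Assumptions: values live under $Key (the documented policy key); the Group Policy options
# "When installing drivers for a new connection" and "When updating drivers for an existing
# connection" map to NoWarningNoElevationOnInstall and UpdatePromptSettings, with 0 meaning
# "Show warning and elevation prompt". Run without -Enforce to audit only; -WhatIf is honoured.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enforce)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PnPValue {
    param([string]$Name)
    # $null when the key or value is absent, so the caller can apply the article's default rule.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PointAndPrintPosture {
    $restrict = Get-PnPValue 'RestrictDriverInstallationToAdministrators'
    $install  = Get-PnPValue 'NoWarningNoElevationOnInstall'
    $update   = Get-PnPValue 'UpdatePromptSettings'

    # Article rule: absent or 1 = administrators only, and this overrides the GPO;
    # 0 = non-admins may install, subject to the Point and Print Restrictions policy.
    $adminsOnly = ($null -eq $restrict) -or ([int]$restrict -eq 1)

    [pscustomobject]@{
        RestrictDriverInstallationToAdministrators = $restrict
        EffectiveDriverInstall = if ($adminsOnly) { 'Administrators only (overrides GPO)' }
                                 else { 'Non-admins allowed; Point and Print Restrictions apply' }
        NewConnectionPrompt    = if ($install -eq 0) { 'Show warning and elevation prompt' }
                                 elseif ($null -eq $install) { 'Not configured' }
                                 else { "Value $install (prompt relaxed)" }
        ExistingConnectionPrompt = if ($update -eq 0) { 'Show warning and elevation prompt' }
                                   elseif ($null -eq $update) { 'Not configured' }
                                   else { "Value $update (prompt relaxed)" }
        Recommended = $adminsOnly -and ($install -eq 0) -and ($update -eq 0)
    }
}

Get-PointAndPrintPosture | Format-List

if ($Enforce) {
    # Desired state: admins only, and both prompt options at "Show warning and elevation prompt".
    $desired = @{
        RestrictDriverInstallationToAdministrators = 1
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
    }
    if (-not (Test-Path $Key)) {
        if ($PSCmdlet.ShouldProcess($Key, 'Create policy key')) { New-Item -Path $Key -Force | Out-Null }
    }
    foreach ($name in $desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$Key\$name", "Set DWORD to $($desired[$name])")) {
            Set-ItemProperty -Path $Key -Name $name -Value $desired[$name] -Type DWord
        }
    }
    Get-PointAndPrintPosture | Format-List
}
```

Running the script as a plain audit on a fleet gives the "Recommended" flag per device; the enforce path exists so the same values can be written consistently where Group Policy is not in use, which is the situation the article's note about the registry override is aimed at.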
Do the fixes for CVE-2021-34527 impact the default Point and Print driver installation scenario for a client device that is connecting to and installing a print driver for a shared network printer?