
Regarding https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

I inadvertently overwrote the main print driver on our print server and wasn't aware of Microsoft's update on 8/10/21 force requiring admin rights for print driver installs. I see running the built-in `cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs` will allow me to update the driver; however, our Sophos policy blocks running cscript for our users. PowerShell cannot update drivers without first removing all printers using the driver and then removing the old driver. pnputil doesn't want to work with the Fiery driver I need to install. The printers are deployed via GPO and the driver is packaged.

I'm going to use the less vulnerable registry "hack" from MS to get my users printing again, but there has to be a better solution for updating print drivers remotely post-KB5005652.

naps1saps
  • `better solution for updating print drivers remotely`. Not sure about better, but I'm not aware of any solutions other than in the referenced documentation. – Greg Askew Aug 13 '21 at 20:08
  • Is there a way to remotely execute the driver update mechanism as admin? – naps1saps Aug 13 '21 at 21:09

1 Answer


I ended up adding the registry change to GPO to force it for all computers and then configured GPO to only allow point and print to our print server, following the instructions at the above KB titled "Permit users to only connect to specific print servers that you trust".

This basically reverts back to the legacy behavior. I'll leave marking this as the answer for a while to see if someone has a better option.

naps1saps
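An added example, not part of the original post or the KB: a PowerShell check that a client which received the registry override from the answer also received the trusted-server restriction, since the override without a server list leaves driver installation open to any print server. The function names and the server `print01.example.com` are hypothetical placeholders; the registry key and value names are assumed to be the ones the two Point and Print group policies write.

```powershell
# Added example. Function names and print01.example.com are hypothetical;
# key/value names are those written by the Point and Print group policies.
$Base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$Approved = @('print01.example.com')

function Get-PolicyValues([string]$Path) {
    # Hashtable of the key's values; empty when the key does not exist.
    $out  = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $out[$_.Name] = $_.Value }
    }
    $out
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Pnp, [hashtable]$Pkg, [string[]]$PkgServers, [string[]]$Approved)
    # Absent or 1: post-KB5005652 default, only administrators install drivers.
    if ($Pnp['RestrictDriverInstallationToAdministrators'] -ne 0) {
        return @('OK: driver installation restricted to administrators')
    }
    $f = @('INFO: RestrictDriverInstallationToAdministrators = 0 (legacy behavior)')
    # "Point and Print Restrictions": must be enabled with a trusted server list.
    $list = @("$($Pnp['ServerList'])" -split ';' | Where-Object { $_ })
    if ($Pnp['Restricted'] -ne 1 -or $Pnp['TrustedServers'] -ne 1 -or -not $list) {
        $f += 'WARN: Point and Print Restrictions has no trusted server list'
    }
    # "Package Point and Print - Approved servers": same requirement.
    if ($Pkg['PackagePointAndPrintServerList'] -ne 1 -or -not $PkgServers) {
        $f += 'WARN: Package Point and Print has no approved server list'
    }
    # Any server outside the approved set widens who can push drivers.
    foreach ($s in (@($list) + @($PkgServers) | Sort-Object -Unique)) {
        if ($s -and $Approved -notcontains $s) { $f += "WARN: unapproved server '$s'" }
    }
    $f
}

# Live check on a client after the GPO has applied.
$pkgList = @((Get-PolicyValues "$Base\PackagePointAndPrint\ListofServers").Values)
Test-PointAndPrintPolicy -Pnp (Get-PolicyValues "$Base\PointAndPrint") `
    -Pkg (Get-PolicyValues "$Base\PackagePointAndPrint") `
    -PkgServers $pkgList -Approved $Approved

# Constructed sample: override set, package list missing, one stray server.
Test-PointAndPrintPolicy -Approved $Approved -Pkg @{} -PkgServers @() -Pnp @{
    RestrictDriverInstallationToAdministrators = 0; Restricted = 1
    TrustedServers = 1; ServerList = 'print01.example.com;old-print.example.com' }
```

The constructed sample returns the INFO line followed by two WARN lines: the missing package server list and the unapproved `old-print.example.com`.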