UPDATE 1: After further testing with AADJ devices, I’ve found that it seems to work as expected with Package Point and Print settings. Details below.
UPDATE 2: More Package Point and Print details
PrintNightmare, it’s the gift that keeps on giving. After lots of discussion in the WinAdmins community, I’m back with three additional items that I wanted to go over: the impact on Azure AD joined devices, Remote Desktop printer redirection, and V4 printer drivers.
Azure AD Joined (AADJ) Devices
After some discussion in the WinAdmins community, Johannes mentioned that he was seeing the Point and Print settings completely ignored. After a bit of troubleshooting with no changes, I made the realization that he was most likely testing things on an AADJ client, because he is way ahead of the curve on moving to modern management 😁. This prompted me to rebuild the two test VMs I had been using previously as AADJ only (as well as fixing my Autopilot configuration and Intune enrollment settings in the process). Here’s what I found:
- An AADJ device pre-2021-08 CU will install printer drivers from any server, regardless of Point and Print (P&P) settings
- An AADJ device post-2021-08 CU will require admin rights to install a driver if the new registry value “RestrictDriverInstallationToAdministrators” has not been created or has been set to 1 (the post-CU default)
- An AADJ device post-2021-08 CU will behave like it did pre-CU if the registry value “RestrictDriverInstallationToAdministrators” is set to 0
The conclusion that I’ve come to is that AADJ devices ignore all configured Point and Print policies, which I somewhat understand. Point and Print is a domain-centric configuration. I should note that in the testing for my previous post, both of my VMs were Hybrid Azure AD joined (HAADJ). It seems that the only solution with AADJ devices is to stop printing completely (good luck with that), implement V4 drivers, or implement Universal Print.
UPDATE 1: After some more testing, I’ve found that AADJ devices work as expected after applying Package Point and Print settings, since I was testing things with package-aware drivers. Unfortunately, I have not been able to get this setting to apply via a configuration profile. Setting the registry items manually appears to work, so this could easily be configured in a Proactive Remediation to apply the necessary settings.
UPDATE 2: After applying the 2021-09 LCU (or the 2021-08 preview CU), bringing the OS patch level to .1200 or higher, Package Point and Print settings now work successfully via the Settings Catalog.
The new registry item RestrictDriverInstallationToAdministrators will need to be controlled via Proactive Remediation; there is a working example of this on the WinAdmins GitHub.
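As an added example (not the WinAdmins GitHub script or any code from the original post), here is one way to express the registry state described above as an Intune Proactive Remediation: run with no switch as the detection script, with -Remediate as the remediation script. It pins RestrictDriverInstallationToAdministrators to 1, keeps the prompt-suppression values at 0, and turns on Package Point and Print restricted to an approved-server list. The registry paths are the locations the Point and Print and Package Point and Print policy templates write to; the server names in $ApprovedServers are assumed placeholders.

```powershell
# Added example for the post above; not the WinAdmins or the original author's script.
# Detection: run as-is (exit 0 = compliant, 1 = not). Remediation: run with -Remediate.
[CmdletBinding()]
param([switch]$Remediate)

# Assumed placeholder print servers; replace with the servers clients may install from.
$ApprovedServers = @('print01.corp.example.com', 'print02.corp.example.com')

# Policy-backed keys (the same locations the Printers ADMX policies write to).
$PnP  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PPnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

# Desired DWORD state. RestrictDriverInstallationToAdministrators=1 is the post-2021-08
# default; writing it explicitly stops anything from quietly flipping it back to 0.
# NoWarningNoElevationOnInstall and UpdatePromptSettings stay 0: suppressing the prompts
# is what allowed non-admin driver installs in the first place.
$Desired = @(
    @{ Path = $PnP;  Name = 'RestrictDriverInstallationToAdministrators'; Value = 1 },
    @{ Path = $PnP;  Name = 'NoWarningNoElevationOnInstall';             Value = 0 },
    @{ Path = $PnP;  Name = 'UpdatePromptSettings';                      Value = 0 },
    @{ Path = $PPnP; Name = 'PackagePointAndPrintOnly';                  Value = 1 },
    @{ Path = $PPnP; Name = 'PackagePointAndPrintServerList';            Value = 1 }
)

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    # $null when the key or the value is missing, so a missing value never passes.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintPolicy {
    # $true only if every DWORD matches and the approved-server list holds exactly
    # the expected servers (no extras, no omissions).
    foreach ($d in $Desired) {
        if ((Get-DwordValue -Path $d.Path -Name $d.Name) -ne $d.Value) { return $false }
    }
    $listKey = Join-Path $PPnP 'ListofServers'
    if (-not (Test-Path $listKey)) { return $false }
    $present = @((Get-Item $listKey).GetValueNames())
    if ($present.Count -ne $ApprovedServers.Count) { return $false }
    foreach ($server in $ApprovedServers) {
        if ($server -notin $present) { return $false }
    }
    return $true
}

function Set-PrintPolicy {
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
    }
    $listKey = Join-Path $PPnP 'ListofServers'
    if (-not (Test-Path $listKey)) { New-Item -Path $listKey -Force | Out-Null }
    # Drop entries that are not on the approved list, so a decommissioned (or
    # attacker-added) server cannot linger as a trusted driver source.
    foreach ($name in (Get-Item $listKey).GetValueNames()) {
        if ($name -notin $ApprovedServers) { Remove-ItemProperty -Path $listKey -Name $name }
    }
    # The policy template stores each server as a REG_SZ whose name and data are the server.
    foreach ($server in $ApprovedServers) {
        New-ItemProperty -Path $listKey -Name $server -Value $server -PropertyType String -Force | Out-Null
    }
}

if ($Remediate) {
    Set-PrintPolicy
    if (Test-PrintPolicy) { Write-Output 'Remediated'; exit 0 }
    Write-Output 'Remediation failed'; exit 1
}
elseif (Test-PrintPolicy) { Write-Output 'Compliant'; exit 0 }
else { Write-Output 'Not compliant'; exit 1 }
```

Proactive Remediation runs the scripts as SYSTEM, which is what writing under HKLM\SOFTWARE\Policies requires; the detection script's non-zero exit is what triggers the remediation script. Keep the server list as the only thing you edit between environments, and leave the three PointAndPrint values alone: relaxing them is exactly the pre-CU behaviour the post describes.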
Remote Desktop Printer Redirection
If you utilize RDP printer redirection in a VDI scenario so that users can print to local printers, then based on my quick investigation you shouldn’t see any issues. Printers redirected via RDP utilize the generic “Remote Desktop Easy Print” driver inside the RDP session, which is included with Windows, so no vendor driver is pulled from the client.
V4 Printer Drivers
V4 drivers, also known as Type 4 drivers, seem to be the ideal solution to this entire problem. Microsoft has a good deal of documentation on V4 drivers here: V4 Printer Drivers, but for a high-level overview:
- V4 drivers use a model-specific driver on the print server side.
- When clients connect to a printer on a server using a V4 driver, they do not download any driver. Instead they use a generic preloaded driver named “Microsoft enhanced Point and Print” (the full inbox name is “Microsoft enhanced Point and Print compatibility driver”).
- Client printer connections using the “Microsoft enhanced Point and Print” driver rely on a separate, vendor-supplied print-experience application being installed to provide advanced printer functionality and support.
- In my testing, on an AADJ client, with the 2021-08 CU installed, and the “RestrictDriverInstallationToAdministrators” registry value not created, all printer connections are blocked except ones using V4 drivers.
The downside to V4 drivers is vendor support. My experience with them is specifically with Xerox devices, and they work well. Clients utilize the “Xerox Desktop Print Experience” application to provide advanced functionality, which can be easily deployed via ConfigMgr or Intune. It was mentioned in the WinAdmins Community that Ricoh also supports V4 drivers. As for other vendors, you may need to do some investigation.
I would also recommend doing application-specific testing if you plan to implement V4 drivers. I have run into applications in the past that did not play nice with them for one reason or another. Another issue with V4 drivers is OS interoperability; macOS and Linux clients do not play nice with them.
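Before deciding between V4 drivers and Package Point and Print, it helps to know what is actually shared today. The following is an added example (not from the original post) that inventories the shared printers on a print server and classifies each one's driver as V4 (no client download at all), package-aware V3 (installable from an approved server via Package Point and Print) or legacy V3 (admin rights required on a post-2021-08 client). It uses the MajorVersion and PrinterDriverAttributes properties that Get-PrinterDriver returns; the package-aware flag is bit 0x1 of the driver attributes. The -ComputerName parameter is an assumption of this script, not something from the post.

```powershell
# Added example, not from the original post: classify each shared printer's driver on a
# print server by what it will mean for a post-2021-08 client without admin rights.
# Run on the print server, or pass -ComputerName to query another server remotely.
param([string]$ComputerName = $env:COMPUTERNAME)

# Bit 0x1 of PrinterDriverAttributes is PRINTER_DRIVER_PACKAGE_AWARE (DRIVER_INFO_8).
$PackageAwareFlag = 0x1

function Get-DriverClass {
    param([int]$MajorVersion, [int]$Attributes)
    # V4: the client uses the inbox enhanced Point and Print driver; nothing is downloaded.
    if ($MajorVersion -ge 4) { return 'V4 (no client driver download)' }
    # Package-aware V3: installable from an approved server via Package Point and Print.
    if ($Attributes -band $PackageAwareFlag) { return 'V3 package-aware (PP&P eligible)' }
    # Everything else needs admin rights once RestrictDriverInstallationToAdministrators=1.
    return 'V3 legacy (admin rights required)'
}

function Get-SharedPrinterDriverReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Index the x64 drivers by name; a server can hold the same driver name for several
    # environments, and x64 is what current clients pull.
    $drivers = @{}
    Get-PrinterDriver -ComputerName $ComputerName |
        Where-Object PrinterEnvironment -eq 'Windows x64' |
        ForEach-Object { $drivers[$_.Name] = $_ }

    foreach ($p in (Get-Printer -ComputerName $ComputerName | Where-Object Shared)) {
        $d = $drivers[$p.DriverName]
        if ($d) {
            $class = Get-DriverClass -MajorVersion $d.MajorVersion -Attributes $d.PrinterDriverAttributes
            $pkg   = [bool]($d.PrinterDriverAttributes -band $PackageAwareFlag)
            $major = $d.MajorVersion
        } else {
            $class = 'driver not found on server'; $pkg = $null; $major = $null
        }
        [pscustomobject]@{
            Printer      = $p.Name
            ShareName    = $p.ShareName
            Driver       = $p.DriverName
            MajorVersion = $major
            PackageAware = $pkg
            Class        = $class
        }
    }
}

$report = Get-SharedPrinterDriverReport -ComputerName $ComputerName
$report | Sort-Object Class, Printer | Format-Table -AutoSize

# Totals per class: the legacy V3 count is the set of shares standard users on a
# post-CU client cannot connect to until the driver is replaced or pre-staged.
$report | Group-Object Class | Select-Object Name, Count
```

The V4 rows are the shares that already behave the way the list above describes; the package-aware V3 rows are the ones that the Package Point and Print approved-server settings from UPDATE 1 will rescue; the legacy V3 rows are the real migration work.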
Universal Print
Universal Print is a relatively new cloud technology by Microsoft that can also be used to get around all of the issues of PrintNightmare. I have zero experience with it, but I wanted to mention it as a potential solution, and something to look at for the future. Microsoft documentation about it can be found here: What is Universal Print?