{"id":192,"date":"2021-08-16T13:52:27","date_gmt":"2021-08-16T17:52:27","guid":{"rendered":"https:\/\/www.anthonyfontanez.com\/?p=192"},"modified":"2024-03-21T09:18:05","modified_gmt":"2024-03-21T13:18:05","slug":"printnightmare-point-and-print-part-ii","status":"publish","type":"post","link":"https:\/\/anthonyfontanez.com\/index.php\/2021\/08\/16\/printnightmare-point-and-print-part-ii\/","title":{"rendered":"PrintNightmare &#038; Point and Print, Part II"},"content":{"rendered":"\n<p><em>UPDATE 1: After further testing with AADJ devices, I&#8217;ve found that it seems to work as expected with Package Point and Print settings. Details below.<\/em><\/p>\n\n\n\n<p><em>UPDATE 2: More Package Point and Print details<\/em><\/p>\n\n\n\n<p>PrintNightmare, it&#8217;s the gift that keeps on giving. After lots of discussion in the WinAdmins community, I&#8217;m back with three additional items that I wanted to go over: the impact on Azure AD joined devices, Remote Desktop printer redirection, and V4 printer drivers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Azure AD Joined (AADJ) Devices<\/h2>\n\n\n\n<p>After some discussion in the <a href=\"https:\/\/winadmins.io\" data-type=\"URL\" data-id=\"https:\/\/winadmins.io\" target=\"_blank\" rel=\"noreferrer noopener\">WinAdmins community<\/a>, <a rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/jgkps\" data-type=\"URL\" data-id=\"https:\/\/twitter.com\/jgkps\" target=\"_blank\">Johannes<\/a> mentioned that he was seeing the Point and Print settings completely ignored. After a bit of troubleshooting with no changes, I realized that he was most likely testing on an AADJ client, because he is way ahead of the curve on moving to modern management \ud83d\ude01. This prompted me to rebuild the two test VMs I had been using previously as AADJ only (as well as fixing my Autopilot configuration and Intune enrollment settings in the process). 
Here&#8217;s what I found:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An AADJ device pre-2021-08 CU will install printer drivers from any server, regardless of P&amp;P settings<\/li>\n\n\n\n<li>An AADJ device post-2021-08 CU will require admin rights if the new registry item &#8220;RestrictDriverInstallationToAdministrators&#8221; has not been created or has been set to 1<\/li>\n\n\n\n<li>An AADJ device post-2021-08 CU will behave like it did pre-CU if the registry item &#8220;RestrictDriverInstallationToAdministrators&#8221; is set to 0<\/li>\n<\/ul>\n\n\n\n<p><s>The conclusion that I&#8217;ve come to is that AADJ devices ignore all configured Point and Print policies, which I somewhat understand. Point and Print is a domain-centric configuration. I should note that in my previous testing during my last post, both of my VMs were Hybrid Azure AD joined (HAADJ). It seems that the only solution with AADJ devices is to stop printing completely (good luck with that), implement V4 drivers, or implement Universal Print.<\/s><\/p>\n\n\n\n<p><strong>UPDATE 1: <\/strong>After some more testing, I&#8217;ve found that AADJ devices work as expected after applying Package Point and Print settings, since I was testing things with package-aware drivers. Unfortunately, I have not been able to get this setting to apply via configuration profile. 
Setting the registry items manually appears to work, so this could easily be configured in a Proactive Remediation to apply the necessary settings.<\/p>\n\n\n\n<p><strong>UPDATE 2: <\/strong>After applying the 2021-09 LCU (or the 2021-08 preview CU), bringing the OS patch level to .1200 or higher, Package Point and Print settings now work successfully via the Settings Catalog.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"775\" height=\"779\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-64.png\" alt=\"\" class=\"wp-image-403\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-64.png 775w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-64-298x300.png 298w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-64-150x150.png 150w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/09\/image-64-768x772.png 768w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\" \/><figcaption class=\"wp-element-caption\">Intune Configuration Profile &#8211; Settings Catalog Point &amp; Print Settings<\/figcaption><\/figure>\n<\/div>\n\n\n<p>The new registry item <code>RestrictDriverInstallationToAdministrators<\/code> will need to be controlled via Proactive Remediation; there is a working example of this on the <a href=\"https:\/\/github.com\/windows-admins\/Intune\/tree\/main\/Proactive%20Remediations\/PrintNightmare\" data-type=\"URL\" data-id=\"https:\/\/github.com\/windows-admins\/Intune\/tree\/main\/Proactive%20Remediations\/PrintNightmare\" target=\"_blank\" rel=\"noreferrer noopener\">WinAdmins GitHub<\/a>.<\/p>\n\n\n\n<p>2024-03-21 Update: The <code>RestrictDriverInstallationToAdministrators<\/code> setting is now configurable via Settings Catalog profile, so no more need for a Remediation!<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"334\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image-1024x334.png\" alt=\"\" class=\"wp-image-969\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image-1024x334.png 1024w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image-300x98.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image-768x250.png 768w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image-1536x500.png 1536w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2024\/03\/image.png 1682w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Remote Desktop Printer Redirection<\/h2>\n\n\n\n<p>If you use RDP printer redirection in a VDI scenario so users can print to local printers, you shouldn&#8217;t see any issues, based on my quick investigation. Printers redirected via RDP use the generic &#8220;Remote Desktop Easy Print&#8221; driver inside the RDP session, which is included with Windows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">V4 Drivers<\/h2>\n\n\n\n<p>V4 drivers, also known as Type 4 drivers, seem to be the ideal solution to this entire problem. Microsoft has a good deal of documentation on V4 drivers here: <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/v4-printer-driver\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/v4-printer-driver\" target=\"_blank\">V4 Printer Drivers<\/a>, but for a high-level overview:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>V4 drivers use a model-specific driver on the print server side.<\/li>\n\n\n\n<li>When clients connect to a printer on a server using a V4 driver, they <strong>do not<\/strong> download any driver. 
Instead, they use a generic preloaded driver named &#8220;Microsoft enhanced Point and Print&#8221;.<\/li>\n\n\n\n<li>Client printer connections using the &#8220;Microsoft enhanced Point and Print&#8221; driver rely on an external application being installed to provide advanced printer functionality and support.<\/li>\n\n\n\n<li>In my testing, on an AADJ client, with the 2021-08 CU installed, and the &#8220;RestrictDriverInstallationToAdministrators&#8221; registry value not created, all printer connections are blocked <strong>except <\/strong>ones using V4 drivers.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/cdn.discordapp.com\/attachments\/874957362052595722\/875760189599518720\/unknown.png\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Client-side driver used with a V4 printer connection<\/figcaption><\/figure>\n<\/div>\n\n\n<p>The downside to V4 drivers is vendor support. My experience with them is specifically with Xerox devices, and they work well. Clients use the &#8220;Xerox Desktop Print Experience&#8221; application to provide advanced functionality, which can be easily deployed via ConfigMgr or Intune. It was mentioned in the WinAdmins Community that Ricoh also supports V4 drivers. As for other vendors, you may need to do some investigation.<\/p>\n\n\n\n<p>I would also recommend doing application-specific testing if you plan to implement V4 drivers. I have run into applications in the past that did not play nice with them for one reason or another. Another issue with V4 drivers is OS interoperability; macOS and Linux clients do not work well with them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Universal Print<\/h2>\n\n\n\n<p>Universal Print is a relatively new cloud technology by Microsoft that can also be used to get around all of the issues of PrintNightmare. 
I have zero experience with it, but I wanted to mention it as a potential solution, and something to look at for the future. Microsoft documentation about it can be found here: <a href=\"https:\/\/docs.microsoft.com\/en-us\/universal-print\/fundamentals\/universal-print-whatis\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/en-us\/universal-print\/fundamentals\/universal-print-whatis\" target=\"_blank\" rel=\"noreferrer noopener\">What is Universal Print?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE 1: After further testing with AADJ devices, I&#8217;ve found that it seems to work as expected with Package Point and Print settings. Details below.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9,7],"tags":[5,3],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-printing","category-security","tag-printing","tag-security"],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":7,"href":"https:\/\/anthonyfontanez
.com\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":971,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/971"}],"wp:attachment":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}