Security updates released on and after July 6, 2021 contain protections for a remote code execution vulnerability in the Windows Print Spooler service (spoolsv.exe)known as “PrintNightmare”, documented in CVE-2021-34527. After installing the July 2021 and later updates, non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
Note Before installing the July 2021 Out-of-band and later Windows updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server. Starting with the July 2021 Out-of-band update, administrator credentials will be required to install signed and unsigned printer drivers on a printer server. Optionally, to override all Point and Print Restrictions Group policy settings and ensure that only administrators can install printer drivers on a print server, configure the RestrictDriverInstallationToAdministrators registry value to 1.
We recommend that you immediately install the latest Windows updates released on or after July 6, 2021 on all supported Windows client and server operating systems, starting with devices that currently host the print spooler service. Next, set the “When installing drivers for a new connection” and “When updating drivers for an existing connection” in the Point and Print Restrictions Group Policy setting to “Show warning and elevation prompt”.
If both conditions are true, then you are not vulnerable to CVE-2021-34527 and no further action is needed. If either condition is not true, you are vulnerable. Follow the steps below to change the Point and Print Restrictions Group Policy to a secure configuration.
Important We strongly recommend that you apply this policy to all machines that host the print spooler service.
Restart requirements: This policy change does not require a restart of the device or the print spooler service after applying these settings.
3. Use the following registry keys to confirm that the Group Policy was applied correctly:
Warning Setting these to non-zero values make the devices on which you’ve installed the CVE-2021-34527 update vulnerable.
Note Configuring these settings does not disable the Point and Print feature.
4. [Optional] Override Point and Print Restrictions so that only administrators can install print drivers on printer servers
You have the option to override all Point and Print Restrictions Group Policy settings and ensure that only administrators can install printer drivers on a print server by configuringthe RestrictDriverInstallationToAdministrators registry value to 1.
To restrict the installation of new printer drivers, manually set the RestrictDriverInstallationToAdministrators registry value as follows:
Note There is no Group Policy setting for this restriction.
|Registry location||HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrintNote The RestrictDriverInstallationToAdministrators registry setting resides under the PointAndPrint registry location but is specific to protections for CVE-2021-34527 but is not related to point and print behavior.|
|Value data||Setting the value to0,or leaving the value undefined, allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. This is the default value. Consequently, the Point and Print Restrictions Group Policy setting can override this to allow non-administrators to be able to install signed and unsigned print drivers to a print server.Setting this value to1or any non-zero value will override all Point and Print Restrictions Group policy settings and ensures that only administrators can install printer drivers on a print server. Note: If this value is set to 0, the registry value is disabled (default or not present).|
|Restart requirements||No restart is required when creating or modifying this registry value.|
To automate the addition of the RestrictDriverInstallationToAdministrators registry value, follow these steps:
Do the fixes for CVE-2021-34527 impact the default Point and Print driver installation scenario for a client device that is connecting to and installing a print driver for a shared network printer?
No, the fixes for CVE-2021-34527 do not directly affect the default Point and Print driver installation scenario for a client device that is connecting to and installing a print driver for a shared network printer. In this case, a client device connects to a print server and downloads and installs the drivers from that trusted server. This scenario is different from the vulnerable scenario where an attacker is trying to install a malicious driver on the print server itself, either locally or remotely.