Problem:
Microsoft's August 2021 Windows updates addressing the Point and Print driver CVE remove users' ability to install print drivers and restrict this to administrators only.
Potential Effect in Relation to ProfileUnity:
Users who install new printers from a print server after the CVE update is applied will likely see a UAC prompt for administrator credentials to install the print driver in session.
Printer information that previously existed in the user's portability files will likely continue to work as it previously has, with no UAC prompt, but will appear slow in session. In addition, assigning printers to users via the ProfileUnity Printer module will remain unaffected. This is because ProfileUnity elevates these functions as part of its normal functioning.
Resolution:
There are a few possible and layered mitigations.
Print Drivers in base (see attached ps1 to front load parent with drivers in parent from print server)
- No UAC-Admin Prompt for non-admin users; printers appear as they previously have and are still downloaded under elevation.
Print Drivers not in Base
- Non-admin users will see a UAC prompt if they try to install a printer from a print server that didn't previously exist.
- Printers that already exist in the user's portability from before the Microsoft updates to mitigate the CVE.
- Printers appear as drivers are still downloaded under elevation
- ProfileUnity Printer Module - Functions as normal and installs/connects printer via elevation
Possible Mitigation:
Print Drivers not in Base but installed via ProfileUnity
One way to seed persistent VMs or physical machines with print drivers from the print server is to run the PS1 as a ProfileUnity Startup item at boot. This can be done by running ProfileUnity as a Service, as outlined in this KB: Running ProfileUnity ini at Computer Startup
- Place the attached PS1 (remove "rename") on the network where it is accessible to users. For instance, in the scripts folder in the ProfileUnity folder on netlogon or a share.
- Edit the PS1 adding information specific to your environment
- Create a Manual configuration in ProfileUnity
- Create a User Defined Script Rule
- Add Description
- After ProfileUnity at Logon
- Type=PowerShell
- File=\\server\share\AddAllPrintersFromPrintServerstobaseimage.ps1
- Create a User Defined Script Rule
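For readers without the attachment, the following is an added example of a driver-seeding script of the kind described above; it is not the PS1 attached to this KB. It assumes a placeholder print server name, an elevated context (administrator or SYSTEM), and that the account running it can reach the print server.

```powershell
#Requires -RunAsAdministrator
# Added example; not the PS1 attached to this KB.
# Assumption: placeholder print server names, replace with your own.
$PrintServers = @('printserver01.example.local')

# Drivers already in the local spooler do not need to be staged again.
$haveDrivers = @((Get-PrinterDriver).Name)

foreach ($server in $PrintServers) {
    try {
        $shared = Get-Printer -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.Shared -and $_.ShareName }
    } catch {
        Write-Warning "Cannot enumerate printers on ${server}: $($_.Exception.Message)"
        continue
    }

    # One shared queue per distinct driver is enough to pull that driver package.
    foreach ($group in ($shared | Group-Object -Property DriverName)) {
        if ($haveDrivers -contains $group.Name) { continue }

        $conn = "\\$server\$($group.Group[0].ShareName)"
        $before = @((Get-Printer).Name)
        try {
            # Connecting while elevated installs the driver without a UAC prompt.
            Add-Printer -ConnectionName $conn -ErrorAction Stop
            $haveDrivers += $group.Name
            Write-Output "Staged driver '$($group.Name)' from $conn"
        } catch {
            Write-Warning "Could not stage '$($group.Name)' from ${conn}: $($_.Exception.Message)"
            continue
        }

        # Remove only the temporary connection(s) this run created; the driver stays installed.
        Get-Printer | Where-Object { $before -notcontains $_.Name } | Remove-Printer
    }
}
```

Because the drivers are staged under elevation ahead of time, the administrator-only driver installation behavior introduced by the update can stay in place while non-admin users connect to those printers without a UAC prompt.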
Microsoft Mitigation Strategy
References:
https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481
Product: ProfileUnity-FlexApp
Product Version: 6.8.4 >