https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as 'PrintNightmare', documented in CVE-2021-34527. After installing these and later Windows updates, non-administrators are only allowed to install signed print drivers to a print server. By default, administrators can install both signed and unsigned printer drivers to a print server. Signed drivers are trusted by the installed root certificates in the system's Trusted Root Certification Authorities.
We recommend that you urgently install the July 2021 Out-of-band updates on all supported Windows client and server operating systems, starting with devices that currently host the print spooler service. In addition, optionally configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server.
Note: After installing the July 2021 Out-of-band update, all users are either administrators or non-administrators, delegates will no longer be honored.
Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators' security group could install both signed and unsigned printer drivers on a printer server. After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.
Why clients are allowed to install printer drivers from CVE-2021-34527 patched printer servers?
In a scenario where a client is connecting to a Print server to download print drivers (Shared network Printer scenario), the changes we made as part of our fix do not come into play on the client.
For an unsigned driver, the user will see a warning and a request to elevate if the user is not admin.
For a signed driver, the driver will install successfully irrespective of admin or not.
This means a signed driver will be successfully installed on the client machine without honoring RestrictDriverInstallationToAdministrators registry key.
Explanation
This behavior is by design. The attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint |
| Value Name | RestrictDriverInstallationToAdministrators |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |