Have a Question?

Modifying ‘Point-and-Print’ restrictions on Windows Networks

‘Point-and-print’ changes
From August 2021, Microsoft have made a change to the way that ‘Point-and-Print’ works. There is now a need for administrator users to install the printer driver on clients. However, depending on the printer delivery mechanism in place, you may find that this change does not allow users to add or map printers automatically at logon (e.g. via a logon script, Group Policy Preferences, etc). This article gives advice about modifying the behaviour via GPO, see this link for more details: https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872.

Note: Please be aware that these changes reverse out the August need for the administrator user to install the print driver, so it does contain an element of risk to the network. The further changes in this article to add ‘trusted print servers’ help to mitigate this risk.

GPO Updates
To make the necessary changes on your clients, you will need to edit a Group Policy that will target all of these computers (e.g. All Computers).

  1. Open the Group Policy Management Console (gpmc.msc).
  2. Locate the Group Policy (that is delivered to all computers in your domain) and then edit this.
  3. Browse to Computer Configuration, Policies, Administrative Templates, Printers.
  4. Click ‘Point and Print Restrictions’ and select Edit.
  5. Tick the ‘Users can only point and print to these servers’ box and enter the FQDN (fully qualified domain names – e.g. server1.myschool.internal;printserver.myschool.internal) of each as a list, with a semicolon as the separator.
  6. Leave the ‘Users can only point and print to machines in their forest’ box cleared.In the Security Prompts section:
  7. Set the ‘When installing drivers for a new connection’ field to ‘Show warning and elevation prompt’.
  8. Set the ‘When updating drivers for an existing connection’ field to ‘Show warning and elevation prompt’.
  9. Click OK.

Add a Group Policy Preference to the same GPO
Still within the GPMC and editing the same GPO as in the steps above, follow the steps given below:

  1. Go to Computer Configuration, Preferences, Windows Settings, Registry.
  2. Click New and select Registry Item.
  3. Set the following fields as below:
  4. Action: Replace
  6. Key Path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  7. Value Name: RestrictDriverInstallationToAdministrators
  8. Value Type: DWORD
  9. Value Data: 0
  10. Base: Decimal
  11. Click OK to save these changes.