CVE-2021-34481 enables local privilege escalation to the SYSTEM level. To compromise a system, a threat actor would need physical access, or the system would need to be already compromised. To mitigate this, Microsoft decided to completely kill the ability for non-admin users to install print drivers hosted by a print server. The following GPO settings will disable that new behavior and lock down Point and Print settings to only allow connections to a trusted server and then silence the admin prompts per usual.


Computer Configuration (Enabled)

Policies

 - Windows Settings

 -- Security Settings

 --- Local Policies/Security Options

 ---- Devices

 ---- Policy Setting 

 ---- Devices: Prevent users from installing printer drivers Disabled 


 - Administrative Templates

 - Policy definitions (ADMX files) retrieved from the central store.

 -- Printers

 --- Package Point and print - Approved servers Enabled  

 ---- Enter fully qualified server names 

 ---- print.domain.local 

  

 --- Point and Print Restrictions Enabled  

 ---- Users can only point and print to these servers: Enabled 

 ----- Enter fully qualified server names separated by semicolons print.domain.local 

 ---- Users can only point and print to machines in their forest Disabled 

 ---- Security Prompts: 

 ----- When installing drivers for a new connection: Do not show warning or elevation prompt 

 ----- When updating drivers for an existing connection: Do not show warning or elevation prompt


 -- System/Driver Installation

 ---  Allow non-administrators to install drivers for these device setup classes Enabled  

 ----  Allow Users to install device drivers for these classes: 

 ----- {4658ee7e-f050-11d1-b6bd-00c04fa372a7} (Printer)

 ----- {4d36e979-e325-11ce-bfc1-08002be10318} (PNPPrinter)


Preferences

 - Windows Settings

 -- Registry

 --- RestrictDriverInstallationToAdministrators (Order: 1)

 ---- General

 ----- Action Update 

 ---- Properties

 ----- Hive HKEY_LOCAL_MACHINE 

 ----- Key path Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint 

 ----- Value name RestrictDriverInstallationToAdministrators 

 ----- Value type REG_DWORD 

 ----- Value data 0x0 (0)



User Configuration (Enabled)

 - Policies

 -- Administrative Templates

 -- Policy definitions (ADMX files) retrieved from the central store.

 --- Control Panel/Printers

 ---- Package Point and print - Approved servers Enabled

 ----- Enter fully qualified server names 

 ----- print.domain.local


 ---- Point and Print Restrictions Disabled
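
A check for the registry values these computer-side settings produce, as an added PowerShell example that is not part of the original page. The value names TrustedServers, ServerList, InForest, NoWarningNoElevationOnInstall and UpdatePromptSettings are the ones the Point and Print Restrictions policy writes and do not appear on the page; the function names and the sample hashtable are constructed for illustration.

```powershell
# Added example: audit the values the Point and Print GPO writes to the registry.
$PnpKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Read the live policy values; empty hashtable when the key is absent.
    param([string]$Path = $PnpKey)
    $values = @{}
    if (Test-Path $Path) {
        foreach ($p in (Get-ItemProperty -Path $Path).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    $values
}

function Test-PointAndPrintPolicy {
    # Emit one finding per line for a set of PointAndPrint policy values.
    param([hashtable]$Policy, [string[]]$ExpectedServers)
    if ($Policy['RestrictDriverInstallationToAdministrators'] -ne 0) {
        'OK: driver installation is restricted to administrators'
        return
    }
    'NOTE: non-admins may install print drivers (RestrictDriverInstallationToAdministrators = 0)'
    # With the restriction lifted, the approved-server list is the compensating control.
    $servers = @("$($Policy['ServerList'])" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($Policy['TrustedServers'] -ne 1 -or $servers.Count -eq 0) {
        'FAIL: Point and Print is not limited to a list of named servers'
    }
    foreach ($s in $servers) {
        if ($s -notin $ExpectedServers) { "FAIL: unexpected print server in ServerList: $s" }
    }
    if ($Policy['NoWarningNoElevationOnInstall'] -eq 1 -or $Policy['UpdatePromptSettings'] -eq 2) {
        'NOTE: install/update prompts are suppressed; only the server list gates driver installs'
    }
}

# Constructed sample mirroring the GPO on this page (not read from a real host).
$sample = @{
    RestrictDriverInstallationToAdministrators = 0
    TrustedServers = 1; ServerList = 'print.domain.local'; InForest = 0
    NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
}
Test-PointAndPrintPolicy -Policy $sample -ExpectedServers 'print.domain.local'

# On a Windows client, evaluate the live policy as well.
$live = Get-PointAndPrintPolicy
if ($live.Count -gt 0) { Test-PointAndPrintPolicy -Policy $live -ExpectedServers 'print.domain.local' }
```

Run it on a client after `gpupdate /force` to confirm that the relaxed driver-installation setting never lands without the server list beside it.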