Issue Description
This issue affects the Lexmark UPD (Universal Print Driver) 2.15.1.0 & older versions and Lexmark Generational drivers.
There is a default behavior change introduced with the release of the latest Microsoft windows update on August CVE 2021-34481 for the Point and Print environment which is described in the article below.
By default, non-administrator users will no longer be able to do the following when using Point and Print:
- Install new printers using drivers on a remote computer or server.
- Update existing print drivers using drivers from remote computer or server.
Following the installation of a Windows Security update released on and after August 10, 2021, non-administrator users may see a dialog with the message "Do you trust this printer?" when trying to install a printer remotely connecting to a print server, or asking for the administrator credentials while connecting to the print server.
When the user selects 'Install driver', any non-admin user will then be presented with an error message Connect to printer - Windows cannot connect to the printer.
Note that this is not a Lexmark driver issue and applies to all package-aware version 3 driver architecture in network point and print architecture.
Solution
It is recommended that end-users follow the workaround provided by the Microsoft KB article based on the applicability.
Install print drivers when the new default setting is enforced.
If the RestrictDriverInstallationToAdministrators is set as "not defined" or "1", depending on your environment, then end users must use one of the following methods to install printers:
- Provide an administrator username and password when prompted for credentials when attempting to install a print driver.
- Include the necessary print drivers in the OS image.
- Use Microsoft System Center, Microsoft Endpoint Configuration Manager, or an equivalent tool to remotely install print drivers.
- Temporarily set RestrictDriverInstallationToAdministrators to 0 to install print drivers.
For environments which cannot use the current default behavior from Microsoft and/or follow any of the previous options.
It is recommended to use the workaround listed under the "Modify the default driver installation behavior using a registry key" section from the Microsoft KB article (set registry key RestrictDriverInstallationToAdministrators to 0) to allow non-admins to connect to the print servers and install drivers similar to the previous behavior of point and print.
Also, implement the additional group policies to configure clients to only trust specific print servers and packages, as per the "Permit users to only connect to specific print servers that you trust" and "Permit users to only connect to specific Package Point and Print servers that you trust" sections of the Microsoft KB article. This reduces the chances of exploitation of the clients.