Allow users to install printer drivers
By default, regular non-admin users cannot install printer drivers in Windows due to insufficient privileges. By default Windows security settings require a user to have local admin permissions to install a driver. However, there are scenarios where you might need standard users, to install print drivers. While this can improve user productivity and reduce the IT department’s workload, it comes with certain risks.
Setting Up Permissions for Non-Administrators to Install Print Drivers
You can allow non-admin users to install print drivers by using GPO, registry settings or as I prefer, remediation script. The later is the way I am showing in this blog.
Detection script
First we create a PowerShell script to check the current status of the settings:
$regkey="HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$name="RestrictDriverInstallationToAdministrators"
$value=0
If (!(Test-Path $regkey))
{
Write-Output 'Key not available - start remediation!'
Exit 1
}
$check=(Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue).$name
if ($check -eq $value){
write-output 'Registry key detected - no remediation required.'
Exit 0
}
else {
write-output 'Value bad, no value or could not read - start remediation!'
Exit 1
}
Remediation script
We use another script to change the registry setting:
$RegistryPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Name = 'RestrictDriverInstallationToAdministrators'
$Value = '0'
$KeyType = 'DWord'
If (-NOT (Test-Path $RegistryPath)) {
New-Item -Path $RegistryPath -Force | Out-Null
}
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType $KeyType -Force
Setup a Remediation in Intune
Now that you have the PowerShell scripts, Let’s deploy it.
- Sign in to Intune admin portal
- Navigate to Devices > Windows and Scripts and remediations.
- Click + Create to create a new remediation
- Name the script something meaningful, such as “Allow Printer Install”
- Upload the scripts
- Assign it to your target groups.
Security Risks of Allowing Non-Admins to Install Print Drivers
While this setup can make it easier for both IT and the users, it comes with some security risks:
Driver Vulnerabilities
Allowing users to install drivers can introduce vulnerabilities, as drivers often run with high privileges. If a malicious or compromised driver is installed, it can lead to a system-wide compromise.
Malware Infiltration
Printer drivers downloaded from unknown or untrusted sources may contain malware. Non-technical users might inadvertently download and install drivers that contain malicious code, bypassing security controls that would typically block such activity.
Privilege Escalation
Malicious actors may exploit printer drivers as an entry point for privilege escalation attacks. Since drivers operate at a system level, an attacker who can exploit a flaw in the driver could gain administrative-level control of the device.
Data Leakage
Poorly secured drivers or configurations may allow attackers to intercept print jobs, leading to potential data leakage. Sensitive documents could be captured as they are sent to a compromised printer.
Increased Attack Surface
Each installed driver adds to the attack surface of the system. By allowing non-admins to install drivers, you increase the number of potential vulnerabilities on the network, especially if the installed drivers are outdated or have known security flaws.
Mitigating the Risks
While the above risks are serious, there are ways to mitigate them:
- Restrict Driver Sources: Use the Point and Print Restrictions to allow driver installations only from trusted servers or vendors. You can find a good blog post about it on Florian Salzmans blog.
- Keep Drivers Updated: Ensure that users are installing the latest drivers with security patches. Implement a system that regularly checks for driver updates.
- User Education: Train users on the importance of downloading drivers only from trusted sources and make it clear which servers or URLs they should use.
- Limit Permissions: Instead of allowing all users to install drivers, limit this capability to specific user groups who need it, reducing the potential attack surface.
- Endpoint Protection: Ensure strong endpoint protection policies are in place, such as firewalls, antivirus, and behaviour analysis tools that can detect malicious activity related to driver installation.
- Monitor Logs: Regularly monitor system and event logs to detect any suspicious activity involving driver installations or printer usage.