MDM & GP Tips Blog

Feb 14, 2022

Everything you Want to Know about Managing Windows Updates (Part 3)

In my last blog segment, I used MEM to configure some policies related to Windows updates. Let's now see what happens behind the scenes, because an awful lot goes on each time a policy-assigned device goes seeking updates.

In this instance, I have a Feature Update Deployment policy assigned to a desktop PC that currently runs Windows 10 21H1. Since 21H1 was released back in April of 2021, it obviously needs updating. Let's say I have been working remotely from home using my laptop and haven't been to the office in months. In the feature update policy I created, I chose to deploy Windows 11. I also chose a specific time frame in which it would be made available, as I want to give our IT team additional time to test for Windows 11 compatibility issues across our application portfolio. In this case I chose February 21, 2022, as the earliest available date. The PC is also assigned to a business update ring that has a quality update deferral period of 7 days.

On February 11, I return to the office for a department meeting and power up the desktop. MEM has already contacted Windows Update and provided the PC's ID and the targeted feature update to be deployed. MEM will also deliver any new policies that have been assigned to the PC since the last time it was online; in this case that includes the Business Update Ring policy settings. Next, the PC contacts the cloud to seek possible updates. In doing so, the PC informs Windows Update of any assigned deferral periods, its current OS version, and its revision status. This entire process is outlined in the diagram below.

Let’s see what happens first regarding feature updates.  There are two feature updates available on February 11 for the PC - Windows 10 21H2 and Windows 11.  Because the targeted feature update policy dictates Windows 11, 21H2 is out of the picture.  Windows 11 would be made available if it wasn’t for the deployment period I specified which starts on February 21.  That means no feature updates for our desktop PC today.

Now let's look at quality updates. Since my computer hasn't been powered up in quite a while, it's missing a lot of quality updates, so its revision status is quite outdated. Fortunately, quality updates are cumulative, so I don't have to download every update released each month since it was last powered on. Quality updates are released on the 2nd Tuesday of each month, which means the most recent release date was February 8. Because I have a deferral period of 7 days, the February updates will have to wait a few more days before they are made available. As a result, the January quality updates will be applied to my desktop.

I then spend the next few days using my laptop at home and return to the office on February 16. Once again, my desktop PC checks in for Windows updates and, because the deferral period is now over, the February quality updates are downloaded and installed. Windows 11, however, will remain elusive until the 21st. On February 23, I return to the office and Windows 11 is now available. Before the update can be issued, Windows Update must first determine whether the device is compatible. This is performed automatically by Windows Update for Business. If you have Update Compliance configured in Azure along with a Log Analytics workspace, you can verify the compliance status of any listed device. While the PC itself may exceed the compatibility requirements of Windows 11, the update can still be held back by a safeguard hold assigned by Microsoft. Safeguard holds prevent devices with a known compatibility issue from receiving a new feature update; for instance, an application installed on the device may be incompatible with Windows 11. You can read more about safeguard holds in one of my other blogs. In this instance, there is a safeguard hold assigned to my desktop, so until a fix is released for that issue it will have to wait on Windows 11 for a while.

More to it than Meets the Eye

As you can see, there are a lot of moving parts when it comes to Windows Update for Business. In our remaining segment, we will wrap up the discussion by talking about compliance deadlines and automatic restarts, and touch on Group Policy one last time.

Jan 17, 2022

Everything you ever Wanted to Know about Managing Windows Updates (Part 2)

Think of WSUS as version 1.0 for managing Windows updates. Windows Update for Business can be considered version 2.0, as it is the next evolutionary step for managing updates for Windows 10 and Windows 11. Unlike WSUS, clients connect directly with the Microsoft endpoint, so there is no intermediary server involved. All you need is a management tool such as the Group Policy Management Console, an MDM tool such as Microsoft Endpoint Manager, or a third-party management tool. The management tool is where you create the update policies and assign them to designated device groups. Once the clients receive the policy, they contact the Microsoft endpoint, which sends them one or more updates depending on the inputs the client provides. If you have the Windows Update for Business deployment service enabled, the management tool can talk directly with the Microsoft endpoint as well.

Deferring and Pausing Updates

One of the enhanced features that Windows Update for Business provides is the ability to defer the installation of both feature and quality updates for a specified number of days.  The deferment period depends on the type of update as shown below.

Update Category     Maximum deferral period
Feature updates     365 days
Quality updates     30 days
Non-deferrable      0 days

You can also choose to pause quality or feature updates altogether. This is similar to deferring an update except that you specify an exact date. Beginning on that date, updates are paused for 35 days. This is useful if you discover that one of the recent updates is causing problems and you want to buy some time to conduct further testing. You can configure the required settings to defer or pause an update using Group Policy. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business, where you will see several policy options. In the screenshot below, we have configured a deferment period of 15 days as well as a specific date to start pausing quality updates.

Windows Update Rings

Windows Update for Business also gives you the ability to create update rings to fine-tune the deployment of quality and feature updates. Rings specify how and when quality updates and Windows 10 and Windows 11 feature updates are applied. For instance, let's say you want to deploy the Windows 11 feature update. In a large corporation you certainly wouldn't want to install it on everyone's computer at once, right out of the gate. You would probably want your IT personnel to receive the update first so they can test it out. That would mean creating a fast update ring and assigning it to them. You would next want to update devices for power users such as software developers, graphic artists, etc. You would create a slower ring for them, and so on. Below is an example of a 3-ring architecture.

You can create these rings using the Group Policy Management Console. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received. Enable the policy and select the channel of your choice, as shown in the screenshot below. Then assign a deferral period for that ring. In the example below we have chosen a 2-day deferral period for the Fast Ring. We would then choose a longer period of perhaps 45 days for the Slow Ring.

To create rings for quality updates you would create a policy and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received.

Using MEM to Manage Windows Updates for Business

You can also use Microsoft Endpoint Manager to manage Windows Update for Business. If you open MEM and go to Devices, you will see 3 options.

A small enterprise may not feel the need to utilize multiple update rings.  If you want to simply deploy Windows 11 at large, click “Feature updates for Windows 10 and later” and select Windows 11 as the feature update.  You can then choose between pushing the update as soon as possible, making it available on a specific date or gradually dispersing the update across your enterprise.  In the example below I chose the third option and set a start and finish time for the deployment.

If you want to use update rings, the process is similar.  Create a ring with your desired settings and assign it to a designated group.  Note below the addition of an uninstall period that you can assign. 

You can also configure User Experience settings for each ring. User experience settings give your users the ability to defer updates on their own when necessary. This would be important for a sales executive who is attending a sales conference, for instance, and needs the full use of their computer for an extended time. You can also configure a grace period that specifies the number of days until a device is forced to restart, which is useful for users returning to the office from extended leave or a long holiday period. You should first configure the active hours so that update-initiated reboots do not occur during this critical time window. You can then configure deadlines. In the screenshot below, users could defer feature updates on their own for 7 days, at which point the update would forcibly install.

Service Channels

Finally, there is something called servicing channels. Servicing channels define when feature updates will be available. For instance, someone who is a member of the Windows Insider Program probably wants to receive feature updates in advance to preview them, and internal IT needs access to new feature updates ASAP to validate them for their desktop environments. The four channels are as follows:

  • General Availability Channel – This is the default channel
  • Windows Insider Dev
  • Windows Insider Beta
  • Windows Insider Release Preview

You can assign these channels with policies created in either Group Policy or MDM.
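The deferral, pause, channel and target-release settings described in this post all land in one policy registry key on the device, and the Part 3 walkthrough above is just date arithmetic over them. The following PowerShell is an added example, not the post's own code: it reads those values and computes when a release becomes visible. The registry value names are the ones the Windows Update for Business ADMX policies write and do not appear in the post itself.

```powershell
# Added example: inspect a device's effective Windows Update for Business policy and work out
# when a release becomes visible to it. Value names are those the WUfB ADMX policies write
# under the WindowsUpdate policy key; the post itself shows only the Group Policy UI.
$WufbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel values set by "Select when Preview Builds and Feature Updates are received"
$ReadinessLevels = @{
    2  = 'Windows Insider Dev'
    4  = 'Windows Insider Beta'
    8  = 'Windows Insider Release Preview'
    16 = 'General Availability Channel'
}

function Get-WufbPolicy {
    # Deferral, pause, channel and target-release settings; unset values read as 0 or $null.
    $p = Get-ItemProperty -Path $WufbKey -ErrorAction SilentlyContinue
    $level = [int]$p.BranchReadinessLevel
    [pscustomobject]@{
        Channel             = if ($ReadinessLevels.ContainsKey($level)) { $ReadinessLevels[$level] } else { 'General Availability Channel (default)' }
        FeatureDeferralDays = [Math]::Min([int]$p.DeferFeatureUpdatesPeriodInDays, 365)  # 365-day maximum
        QualityDeferralDays = [Math]::Min([int]$p.DeferQualityUpdatesPeriodInDays, 30)   # 30-day maximum
        FeaturePauseStart   = $p.PauseFeatureUpdatesStartTime   # 'yyyy-MM-dd' while a pause is configured
        QualityPauseStart   = $p.PauseQualityUpdatesStartTime
        TargetProduct       = $p.ProductVersion                 # e.g. 'Windows 11' when a target release is pinned
        TargetRelease       = $p.TargetReleaseVersionInfo       # e.g. '21H2'
    }
}

function Get-UpdateAvailabilityDate {
    # Applies the two WUfB rules: a release is offered DeferralDays after it ships, and never
    # during the 35-day window that begins on PauseStart.
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [ValidateRange(0, 365)][int]$DeferralDays = 0,
        [datetime]$PauseStart,
        [datetime]$CheckDate = (Get-Date)
    )
    $available = $ReleaseDate.Date.AddDays($DeferralDays)
    $paused    = $false
    if ($PSBoundParameters.ContainsKey('PauseStart')) {
        $pauseEnd = $PauseStart.Date.AddDays(35)
        # A deferred date that lands inside the pause window slides to the end of the window
        if ($available -ge $PauseStart.Date -and $available -lt $pauseEnd) { $available = $pauseEnd }
        $paused = ($CheckDate.Date -ge $PauseStart.Date -and $CheckDate.Date -lt $pauseEnd)
    }
    [pscustomobject]@{
        ReleaseDate = $ReleaseDate.ToString('yyyy-MM-dd')
        AvailableOn = $available.ToString('yyyy-MM-dd')
        CheckedOn   = $CheckDate.ToString('yyyy-MM-dd')
        Offered     = (-not $paused) -and ($CheckDate.Date -ge $available)
    }
}

# Part 3 scenario: Patch Tuesday fell on 2022-02-08 and the ring defers quality updates 7 days,
# so the February cumulative update is still hidden at the 2022-02-11 check-in and offered on 2022-02-16.
Get-UpdateAvailabilityDate -ReleaseDate '2022-02-08' -DeferralDays 7 -CheckDate '2022-02-11'
Get-UpdateAvailabilityDate -ReleaseDate '2022-02-08' -DeferralDays 7 -CheckDate '2022-02-16'

# Same release with a quality-update pause started on 2022-02-10: nothing is offered until the pause lapses
Get-UpdateAvailabilityDate -ReleaseDate '2022-02-08' -DeferralDays 7 -PauseStart '2022-02-10' -CheckDate '2022-02-16'

# Evaluate this device's own quality-update policy against the same release
$policy = Get-WufbPolicy
$check  = @{ ReleaseDate = '2022-02-08'; DeferralDays = $policy.QualityDeferralDays }
if ($policy.QualityPauseStart) { $check.PauseStart = $policy.QualityPauseStart }
$policy
Get-UpdateAvailabilityDate @check
```

Run it on a ring member after a `gpupdate /force` to confirm the deferral the GPO intended is what the device actually reports; a safeguard hold is not visible in this key and has to be checked in Update Compliance as described in Part 3.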

Putting it all Together

Windows Update for Business obviously has a lot more moving parts than the media or WSUS methods.  Things can get complex quickly.  In part 3 of our ongoing series, we will look at an environment involving multiple Windows feature versions and deferral settings to see how the underlying processes occur to ensure that each device receives the updates it needs. 

Dec 28, 2021

Everything you Want to Know about Managing Windows Updates (Part 1)

Managing Windows updates is one of the most important functions for Windows admins today. The methodologies available to manage and deliver updates to Windows servers, desktops and laptops have changed a lot over the years. In this 4-part series, we will outline the different management options that are available today and break down how Windows Update Manager works and why it should be the preferred management alternative for today's enterprises. Before we get started, let's define what we mean by Windows updates.

Types of Windows Updates

There are two broad categories of Windows updates. The first is quality updates. These are the updates that are mostly released on what we have traditionally come to know as 'Patch Tuesday.' Quality updates are also referred to as cumulative updates or maintenance updates. Most quality updates are released either to address a security issue or to fix a problem and improve the reliability and security of Windows; these are known as mandatory updates. Other quality updates may provide preview enhancements of existing features. A reboot may be required once all the newly downloaded quality updates are installed.

Then there are feature updates. Feature updates are made available twice a year and are known as semi-annual releases. You can think of a feature update as a new version of Windows. Feature updates can be deferred for up to 365 days, although each new version is only supported by Microsoft for a period of 18 months, which is another reason to keep updating. Feature updates can introduce new features as well as visual changes to the operating system. The objective here is to constantly improve the Windows operating system. A feature update may require a series of reboots to complete the update process.

Now let’s look at the three primary ways of managing Windows updates.

Media

This is the most basic way of all to manage Windows updates.  Here the computer contacts Microsoft Endpoint directly to learn of any available updates.  The local admin of the computer can then choose to either download and install those updates at a designated time or defer them to the automated process.  This one-to-one relationship is shown below.

Obviously, this method is not suitable for enterprise environments as there is no way to centrally manage the updates of multiple machines.  It is designed for personal users or very small SOHO environments. 

Windows Server Update Services

Windows Server Update Services (WSUS) has been around for a long time and used to be the primary way that admins managed Windows updates for enterprise environments.  WSUS was designed back in the days of a totally on-prem world.  Think of the WSUS server as a repository for Windows updates.  Rather than each Windows machine directly contacting Microsoft for updates and using a lot of precious bandwidth in the process, the WSUS server downloads all updates and retains them on local storage.  Besides the WSUS server itself, WSUS also requires a manager which can be one of the following:

  • The WSUS Stand-alone console
  • Group Policy
  • MEM Configuration Manager
  • A third-party management tool

Regardless of which management tool you choose, you must create policies to govern the Windows update process. The policy must identify the WSUS server and outline when updates will occur. These policies can be assigned to either device groups or the devices themselves. The admin then approves which updates they want to distribute, and the manager informs the WSUS server of the newly approved list. When prompted by their assigned policies, Windows devices scan for updates against the WSUS server itself. The WSUS server then offers each device any approved updates that it is missing. This process is outlined below.

WSUS was an ideal solution for managing Windows updates for enterprise environments at one time.  There are two primary limitations of WSUS currently.  The first is the fact that Microsoft has not provided any enhancements to WSUS in years, and it will eventually be deprecated.  The bigger factor however is that the world has changed in recent years.  WSUS cannot adequately service hybrid work models and remote work strategies as all Windows desktops must be connected in some way to the local network.  For this and other reasons, Windows Update for Business is a better choice in many cases.  In our next blog segment, we will look at the architecture of Windows Update for Business and how to implement it.

Nov 10, 2021

New Microsoft v95 Security Baseline for Group Policy

Microsoft recently released the Chromium-based Microsoft Edge 95 version to Stable channel for Windows and Mac, which coincides with a new security baseline for it as well.  Some of the new features of the new Edge version include the following:

  • A new efficiency mode that becomes active when a laptop enters battery saver mode so that the two work in tandem to extend the battery life of the machine.
  • The ability to pick up where you left off on PDF documents and resume your review of the documents.
  • The ability to update your passwords with fewer clicks as the browser will navigate a user to the Change Password page for a given website assuming that the website supports that feature.  The browser will also suggest a strong, unique new password. 
  • Support for free-form text boxes within PDF documents so that users can fill out forms.

Because the browser is the most frequently used application today, it is critically important to keep your security baselines up to date to ensure you are running best practice. MDM administrators who use Microsoft Endpoint Manager (Intune) are familiar with the concept of security baselines. A security baseline is a collection of Microsoft-recommended configuration settings that help secure and protect enterprise users and devices. Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues. The security baselines for Group Policy are designed around the same principle as the MEM security baselines. You can download the new security baseline package here by selecting the Microsoft Edge v95 Security Baseline.zip file.

The Benefits of Using Security Baselines

While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state.  There are several benefits of using security baselines offered by Microsoft.

  • They are already configured by Microsoft security experts.
  • They enforce settings that mitigate contemporary security threats.
  • Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate.
  • They ensure that user and device configuration settings are compliant with the baseline.

Installing the Microsoft Edge v95 Security Baseline

Once downloaded, you will see that the package contains multiple folder directories, as shown below. Note that unlike other packages, this one doesn't include a Templates folder, as the package does not include the ADMX/ADML template files. You can download the template files directly from the Microsoft website for any of the current Edge versions. You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Then choose the location where you want to link the new policy and browse for the new MSFT Edge 95 – Computer GPO.

In my case, I chose the East Sales OU to link it.  Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects.  The screenshot shows the enclosed settings below.

There are two new security baseline settings. The first is "Enable browser legacy extension point blocking", which blocks code injection from third-party applications into the new Edge browser. The setting is enabled by default, as shown below.

The other new enforced setting is "Specifies whether the display-capture permissions-policy is checked or skipped." It allows web applications using the getDisplayMedia() API to bypass a permission policy check required by the API specification. This setting is only temporary and will be deprecated after Microsoft Edge 100. It is intended to block enterprise users whose application is non-spec compliant. The setting is enabled by default, as shown below.

All in all, there was 1 new computer setting and 1 new user setting for Microsoft Edge version 95, with 3 settings removed. You can learn more about these settings here.

Nov 05, 2021

How to Use Security Baseline Releases for Windows 11

Microsoft has a new operating system, which means we need a new security baseline. Microsoft released the new package on October 5; it features two new settings and some recommended setting changes. The security baselines for Group Policy are designed around the same principle as the MEM security baselines. They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues. The baseline settings are preconfigured by Microsoft security specialists and have been tested for compatibility.

Installing the Windows 11 Security Baselines

Once you download the package you will see that it contains multiple folder directories as is shown below.

If you don’t have the Windows 11 ADMX/ADML templates, you can copy them from the Template folder and paste them into your central store.  The templates are shown below.

The real purpose of the package is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Domain Security GPO

Let's look at some of the settings included in the package. The package includes a GPO called MSFT Windows 11 – Domain Security. A big change here is the recommended password length. While a 14-character minimum has been supported on multiple Windows 10 versions, the security baselines have continued to enforce only an 8-character minimum password length, which remains a standard in the industry. The Windows 11 baseline has now increased the minimum password length to 14 characters, as shown in the screenshot below. Advanced password-cracking applications powered by readily available CPU power have made 8-character passwords far too vulnerable, as they can potentially be cracked in mere hours.

It is highly recommended that you confirm that all your systems and applications are compatible with a password of this length before you enact this policy. It's a good idea to first enable the 'MinimumPasswordLengthAudit' Group Policy setting, which is located at Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length audit. Enabling this setting will provide insight into the potential impact of increasing your password length before you enforce it.

Restrict Printer Driver Installations

In July of 2021, Microsoft released the fix for CVE-2021-34527, a remote code execution vulnerability in the Windows Print Spooler service. Essentially, it prevents non-admin users from installing a print driver, which caused a great deal of havoc early on, as enterprises that freely allowed standard users to install print drivers were inundated with calls to the helpdesk. I wrote a blog back in August called the Ultimate Guide to PrintNightmare that lists the options you now have as a result of the update. Note that Microsoft has added this setting to the Windows 11 Security Baseline, as shown in the screenshot below.

Microsoft Legacy Edge is No More

As Microsoft Edge Legacy reached EOL earlier this year, it is not a part of Windows 11.  That means that all its supported settings have been removed from the baseline.  Only Chromium Edge is now supported.

Script Scanning

According to Microsoft, script scanning was a parity gap between Group Policy and MDM.  As the gap has now been closed, Microsoft is enforcing the enablement of script scanning in this baseline.  Enabling script scanning means that scripts are scanned before being executed to determine their threat status. 

One thing lacking in the Group Policy version of the Windows 11 security baseline is the ability to enable Microsoft Defender for Endpoint's tamper protection feature, which is available using Microsoft Endpoint Manager. Microsoft does, however, encourage you to enable it using other means. More information here.

Oct 28, 2021

New Microsoft v93 Security Baselines for Group Policy

Last month, Microsoft released a security baseline for Microsoft Edge version 93. While there isn't a whole lot new here, it's important to keep your security baselines up to date in order to ensure you are running best practice. You can download the latest security baseline packages here by selecting the Microsoft Edge v93 Security Baseline.zip file. The security baselines for Group Policy are designed around the same principle as the MEM security baselines. They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues. The baseline settings are preconfigured by Microsoft security specialists and have been tested for compatibility.

Installing the Microsoft Edge v93 Security Baseline

Once downloaded, you will see that the package contains multiple folder directories, as shown below. Note that unlike other packages, this one doesn't include a Templates folder, as the package does not include the ADMX/ADML template files. You can download the template files directly from the Microsoft website for any of the current Edge versions. You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

In my case, I chose the East Sales OU, and I linked the MSFT Edge Version 93 – Computer GPO.  Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects.  Now let’s look at the preconfigured settings below.

There is only one newly enforced setting, and that is the disabling of 3DES, which is outlined in the screenshot above. In Microsoft Edge version 95 the 3DES cipher is completely removed and will no longer function, so this is a way to prepare you for its inevitable deprecation. The upcoming security baseline release will have the 3DES setting removed entirely.

The other new thing is an addition-by-subtraction setting. Since Adobe Flash support has now ended and Flash has been removed from Microsoft Edge completely, there is no need to enforce the setting that disabled it.

All in all, there were 31 new computer settings and 26 new user settings for Microsoft Edge version 93, which you can learn more about here.
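Once the baseline GPO is linked, the only proof that it reached a given machine is the Edge policy registry key on that machine. The following PowerShell is an added example, not code from this post or the v95 post above, that compares what a device actually received against the three baseline changes the two posts describe: the v93 3DES setting, and the v95 legacy extension point blocking and display-capture permissions-policy settings. The registry value names (TripleDESEnabled, BrowserLegacyExtensionPointsBlockingEnabled, DisplayCapturePermissionsPolicyEnabled) are the Edge policy names behind the ADMX display text quoted in the posts and are not given in the posts themselves.

```powershell
# Added example: compare the Edge policy values a device received against the baseline changes
# discussed in the v93 and v95 posts. Value names are the Edge policy names behind the ADMX
# display text quoted in the posts; the posts themselves show only screenshots.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Expected values per baseline release; $null means the baseline no longer carries the setting
$EdgeBaselines = @{
    v93 = @{
        TripleDESEnabled = 0      # 3DES disabled ahead of its removal in Edge 95
    }
    v95 = @{
        BrowserLegacyExtensionPointsBlockingEnabled = 1       # "Enable browser legacy extension point blocking"
        DisplayCapturePermissionsPolicyEnabled      = 1       # getDisplayMedia() permissions-policy check enforced
        TripleDESEnabled                            = $null   # retired from the baseline once 3DES left Edge
    }
}

function Test-EdgeBaseline {
    # Emits one row per baseline setting with the value found on this device and a verdict.
    param([ValidateSet('v93', 'v95')][string]$Version = 'v95')
    $actual = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $EdgeBaselines[$Version].Keys) {
        $expected = $EdgeBaselines[$Version][$name]
        $value    = if ($actual) { $actual.$name } else { $null }   # $null when the value is absent
        $status   = if ($null -eq $expected) {
            # The baseline stopped shipping this setting; a leftover value is stale, not wrong
            if ($null -eq $value) { 'OK (not enforced)' } else { 'Stale: setting retired, value still present' }
        } elseif ($null -eq $value) { 'Missing: baseline not applied' } elseif ($value -eq $expected) { 'OK' } else { 'Drift: value differs from baseline' }
        [pscustomobject]@{
            Setting  = $name
            Expected = if ($null -eq $expected) { '(removed)' } else { $expected }
            Actual   = if ($null -eq $value) { '(not set)' } else { $value }
            Status   = $status
        }
    }
}

# Check the newest baseline first; pass -Version v93 on machines still linked to the older GPO
Test-EdgeBaseline -Version v95 | Format-Table -AutoSize
```

A 'Missing' row on a machine inside the linked OU usually means the computer has not refreshed policy yet or the ADMX files are absent from the central store; a 'Stale' row is the signal to remove the retired 3DES value when you move from the v93 to the v95 GPO.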

Sep 28, 2021

Microsoft will offer New Extended Stable Release for Microsoft Edge

Believe it or not, the new Chromium-based Microsoft Edge browser has grown by 1,300 percent in the past year. One of the contributing reasons for its surge in popularity is the perpetual stream of innovation that Microsoft unveils on a regular basis in the form of feature updates. At the same time, Microsoft is aware that many enterprises want some degree of control over how often these new features are distributed to their users. Edge is currently delivered through four release channels:

  • Stable Channel
  • Beta Channel
  • Dev Channel
  • Canary Channel

The Canary Channel puts you on the bleeding edge, providing you with the newest innovations as quickly as possible. At the other end of the chain is the Stable Channel, which is best suited for production environments and intended for broad deployment throughout your organization. Microsoft has traditionally released feature updates every 6 weeks for the Stable Channel and Beta Channel. Microsoft is making some changes, however, starting with Microsoft Edge 94, which is currently scheduled to be released to the Beta Channel beginning the first week of September. Those using the Stable Channel will have to wait until the week of September 23. You can see the complete Microsoft Edge release schedule here.

Starting with Microsoft Edge 94, Microsoft is switching to a 4-week release cycle.  Part of this is in reaction to Google’s announcement to do the same thing for Chrome version 96 in the fourth quarter of 2021.  Another reason though is to feed the insatiable appetite that users have for new innovative features.  This of course is what agile software development is all about.  Microsoft knows however that not every enterprise is ready to adapt to a shortened release window.  For organizations that want to move more cautiously, Microsoft will bring a new release channel called “Extended Stable” which will provide a longer 8-week release timeline.  Like the current channels, admins can opt-in to this channel using either Group Policy or Microsoft Endpoint Manager.  If you don’t create a policy for the new channel, Microsoft Edge will default to the 4-week release cycle.

Those who go with the 8-week Extended Stable release option will receive cumulative feature updates aligned with even-numbered releases. Any feature updates from an odd-numbered release will then be delivered as part of the subsequent even-numbered release. Microsoft will continue to provide Assisted Support for the three most recent Stable Channel releases, which equates to approximately 12 weeks. Assisted Support will be available for the two most recent Extended Stable channel releases, which equates to 16 weeks. For more information you can refer to the Microsoft Edge Lifecycle Policy.

Keep in mind that security patches and fixes operate independently and will continue to be deployed as needed. If you don't use Windows Update for Business to manage updates, you can always download Microsoft Edge updates using Windows Server Update Services (WSUS).

Aug 24, 2021

The Ultimate Guide to PrintNightmare (and overcoming it)

Background and Timelines

Printing is something that most admins don’t want to think about. This tweet (which is a single picture) sums up most admins’ perspective about printers:

https://twitter.com/nixcraft/status/1428786599479988227 

That being said, the original gory details of WHAT the vulnerability is, which include a privilege escalation and remote code execution, can be found here: https://www.csoonline.com/article/3623760/printnightmare-vulnerability-explained-exploits-patches-and-workarounds.html

You can be forgiven for not wanting to go too deep here. But the gist is: if the bad guys convinced your users to click on a thing, that would automatically install an "evil driver" which would then give the bad guy full admin access. I'm summarizing a little bit, but that's the gist.

Essentially: you are / were open to attack and have to fix it. 

Okay. Got it. So what does fixing it look like? 

There are three dates we have to take into consideration for the discussion:

  • Anything before July 6.
  • Between July 6 and Aug 10.
  • Anything after Aug 10.

Let’s break down each date and method here.

Before July 6: How would you mitigate PrintNightmare WITHOUT any patches?

Microsoft’s recommendations which would at least “Shut the door” on possible attacks (BEFORE the July and Aug patches.)

Tip: These are / were PREVIOUS recommendations (applicable if you don't have patches everywhere):

  1. Completely disable the Print Spooler Service:

    1. DCs because they’re important

    2. Everywhere else because they’re important too.

  2. Use the “Allow Print Spooler to accept client connections” and set to DISABLE. This will keep the the print spooler service running, but prevent REMOTE connections to the Print Spooler Service. And, moreover, it still works LOCALLY from the machine for local print jobs. It just prevents sharing printers for OTHER machines. This setting is actually a good mitigation on workstations, which in most cases do not need to share their printers with anyone else.  Note that after this setting is deployed it requires a reboot of the system or at least a restart of the spooler service.  (Thanks to Haemish Edgerton for the clarity adjustment here.)

  3. You can use GPPrefs SERVICES or Powershell scripts or whatever to also do the same thing. 
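Here is what those two mitigations look like as a PowerShell script you could push with GPPrefs, a scheduled task, or your deployment tool. This is an added example, not code from the original post or from Microsoft’s guidance. It assumes (verify against Printers.admx in your central store) that the “Allow Print Spooler to accept client connections” policy is stored as the DWORD RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 = Disabled and 1 = Enabled; the DC detection via Win32_ComputerSystem DomainRole is my choice, not the post’s.

```powershell
# Added example (not from the original post): apply the pre-patch PrintNightmare
# mitigations with PowerShell and verify the result. Run elevated.
# Assumption: RegisterSpoolerRemoteRpcEndPoint is the value behind the
# "Allow Print Spooler to accept client connections" policy (2 = Disabled).

$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Disable-SpoolerCompletely {
    # Option 1 from the list: stop the service and keep it from starting again.
    # The right call on domain controllers and any box that never prints.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

function Disable-SpoolerRemoteConnections {
    # Option 2 from the list: keep the spooler for local printing but refuse
    # inbound client connections (the remote RPC interface the exploit talks to).
    New-Item -Path $PrintersPolicyKey -Force | Out-Null
    New-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The policy is only read when the service starts, so bounce the spooler.
    Restart-Service -Name Spooler -Force
}

function Get-SpoolerExposure {
    # Report what an attacker would see: is the service running, and does policy
    # still allow remote clients? Returns an object so it can be collected fleet-wide.
    $svc    = Get-Service -Name Spooler
    $remote = (Get-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        RemoteRpcPolicy      = if ($null -eq $remote) { 'NotConfigured (remote allowed)' }
                               elseif ($remote -eq 2) { 'Disabled' }
                               else { 'Enabled' }
        AcceptsRemoteClients = ($svc.Status -eq 'Running') -and ($remote -ne 2)
    }
}

# Pick the mitigation by role. Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Disable-SpoolerCompletely
} else {
    Disable-SpoolerRemoteConnections
}
Get-SpoolerExposure | Format-List
```

The Get-SpoolerExposure output is the check worth collecting from every machine: as long as AcceptsRemoteClients is True anywhere, that box is still reachable by the remote variant of the attack.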

Now the print spooler services are stopped dead. Printing has now stopped. 

Now what?

 

Dateline: July 6th - The Patch Arrives

The July 6th patch seemed like it would get the problem solved. From the July patch notes: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 

After installing the July 6th patch everywhere, Microsoft ALSO suggested that you use the “Point and Print Restrictions” policy setting to force “Show warning and elevation prompt,” as follows:

Result:

 

Setting the value to 0, or leaving the value undefined, allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. This is the default value. Consequently, the Point and Print Restrictions Group Policy setting can override this to allow non-administrators to be able to install signed and unsigned print drivers to a print server.

 

But one day later, this was overcome with some example code. Here’s the original tweet and video: https://twitter.com/gentilkiwi/status/1412771368534528001 

Ack ! Back to Printnightmare and re-shut down all print servers ! OMG.. run for the hills !

Now the print spooler services are stopped dead. Printing has now stopped. 

Now what?

 

Dateline: Aug 10 - Patch 2 is released (Aka Slam the door shut / no more non-admin access for Print Drivers.)

That’s it, no more Mr. Nice Guy. Microsoft decides to go nuclear on this problem. They release another patch on Aug 10.

From: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78 

 

Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers.

 

Net results: 

  1. You need to be a local admin to install print drivers, including through Point and Print. Technically this was already partly true, as standard users could never install, say, local print drivers from some unusual source; what changed is that the Point and Print exception is gone.

  2. Users who are used to finding printers by the Click to Print method are simply blocked at showtime.

Now, there’s a little SIDE NOTE here (tip of the hat to Hasain Alshakarti from TRUESEC security, @Alshakarti). The door MAY NOT EVEN BE COMPLETELY SHUT. MS published CVE-2021-36958 on Aug 11, 2021, which describes another LPE/RCE Windows Print Spooler Remote Code Execution Vulnerability. Depending on the version of the driver, the elevation prompt is not triggered, as shown by Benjamin Delpy here: https://twitter.com/gentilkiwi/status/1425154484167188480 


Here’s what it looks like (in pictures, not a video) when a user attempts to click to print on a printer (where the drivers have never been installed).

Step 1: Find the printer and get initial prompt

Step 2: Final prompt requiring local admin access to proceed

So, the August 10th patch really did close the door for the good guys.

Now what? How do we let them back in?

 

Now that the door is shut, how do we open it for SOME people?

So first things first. If the spooler is stopped by ANY of those original methods above, then nothing else is ever going to work. You’ll have to back out any change which killed the Print Spooler.  

Then, after that I’ve rounded up a few POSSIBLE workarounds. Some anecdotally and others from Microsoft’s guidance here (https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) which we’ll review in a bit.

Additionally, I want to show how there’s also a slew of other workarounds if you happen to be a PolicyPak Customer. I’ll field these at the end.

 

Tip 1: Just keep using Group Policy Preferences to deliver printers to those who need it. (Maybe. Will likely work.)

So this whole Printnightmare is basically trying to solve the problem of a user making a choice where to print (and that vector being insecure.) 

But there isn’t any problem with real admins making choices to deliver printers via Group Policy Preferences (even after the patches are in place.) That still works. Sure, I realize this is a little “Apples and Oranges.” Because GP Preferences is not “Click to Print”.

But if you could use Group Policy Preferences to mass-deliver printers like this to your domain-joined machines, you could still be a-ok. Here’s an example.

Note there still can be problems. If the server is 2016 (or OLDER, like 2012 or 2012 R2) and the drivers are “v3” drivers, then users are still prompted to re-install them as admins. Gah ! The workaround is to upgrade your server’s print drivers to v4 drivers, if they are available (and there may not be). 

Tip: If you want to see what version of the drivers you’re using, on a target machine run the Print Management console (printmanagement.msc; again, this is on the endpoint where you already use the printers). Then, under Drivers, check the Driver Version column, which reads Type 3 for v3 drivers and Type 4 for v4 drivers, to determine the driver type.

The details are documented here by MVP Susan Bradley (@susanbradley): https://www.computerworld.com/article/3630629/windows-print-nightmare-continues-enterprise.html 
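If you would rather not click through Print Management on every endpoint, the same v3/v4 check can be scripted. The following is an added example, not code from the original post or from Susan Bradley’s write-up; it relies on Get-PrinterDriver exposing MajorVersion (3 for Type 3 drivers, 4 for Type 4) and uses a placeholder print server name.

```powershell
# Added example (not from the original post): list each printer queue with the
# driver it uses and whether that driver is v3, the case that still prompts
# standard users after the August patch.
# Assumption: 'PRINTSERVER01' is a placeholder; run locally on an endpoint that
# already has the printers, or pass -ComputerName to inspect the print server.

function Get-PrintDriverReport {
    param(
        # Omit to inspect the local machine; pass the print server to inspect it remotely.
        [string]$ComputerName
    )
    $targetArgs = @{}
    if ($ComputerName) { $targetArgs['ComputerName'] = $ComputerName }

    $drivers  = Get-PrinterDriver @targetArgs
    $printers = Get-Printer @targetArgs

    foreach ($printer in $printers) {
        $driver = $drivers | Where-Object { $_.Name -eq $printer.DriverName } | Select-Object -First 1
        [pscustomobject]@{
            Computer      = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            Printer       = $printer.Name
            Type          = $printer.Type            # Local queue or Connection to a server
            DriverName    = $printer.DriverName
            DriverVersion = if ($driver) { "v$($driver.MajorVersion)" } else { 'unknown' }
            V3Driver      = [bool]($driver -and $driver.MajorVersion -lt 4)
        }
    }
}

# Local view: the queues this endpoint already has, v3 ones first.
Get-PrintDriverReport | Sort-Object V3Driver -Descending | Format-Table -AutoSize

# Server view (placeholder name): which shared queues will hand out v3 drivers.
# Get-PrintDriverReport -ComputerName 'PRINTSERVER01' | Where-Object V3Driver | Format-Table -AutoSize
```

Run the server view against each print server before you decide whether Tip 1 is viable for you: every queue flagged V3Driver is one where GP Preferences alone will still produce the admin prompt described above.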

I’ll update this space if there’s more on this story.

 

Tip 2 (which didn’t work for me): Use Point and Print Restrictions to specify the GOOD servers

I mention this tip because it really looks like it SHOULD work, but just… doesn’t. Read through it anyway, because we’ll make some lemonade out of lemons here in a minute.

Maybe this worked AFTER the July patch but stopped working AFTER the August patch but I didn’t expressly test that.

The idea would be to simply specify the GOOD servers, so the user wouldn’t be able to print to any BAD servers. Example configuration below (again, doesn’t work) which would specify the servers, but then also NOT prompt for elevation.

Microsoft’s text says:

 

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

  2. NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

  3. UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

 

The result on endpoints would be something like this..

Again: This proposed workaround did not work for me, your experience might be different.

If I were asked how to solve this problem within Microsoft engineering, this is what I would have proposed: specify ONLY the good servers and make it so Standard Users couldn’t make changes to that list.

Mayyyybe Microsoft will fix the problem (again) this way, but no signs yet.


 

Tip 3 (From Microsoft):  “Just screw it” and let Standard Users do whatever they want anyway (NOT RECOMMENDED)

It sounds like, and is, a terrible idea to just turn off the new August 10th protection (that is, set RestrictDriverInstallationToAdministrators back to 0) even after you’re patched. If you wanted to do that, the advantage of course is that Standard Users could click to print on whatever servers they wanted. Which, of course, would also be bad if the bad guys used this against you.

This tested out a-ok as you can see here.

Again, not a great idea, but it does work, even if the August patch is on the machine.

 

Tip 4: Combine (non-working) Tip 2 and (working) Tip 3 to attempt to make something (reasonably) secure

So Tip 2 where we specified the GOOD server didn’t work. And Tip 3 where we specified that non-admins could overcome this driver thing… that worked.  

I’m trying here to specify a SPECIFIC server that’s good, and therefore everything else is bad.

I’m then using the special bypass registry key to let non-admins install the drivers.

This should work, right ?

Let’s break it down.

Well, the server allowlist works 100% by itself. If I attempt to connect to some rogue server, I do get blocked. Yay.

But then when I add the bypass registry item… it doesn’t work; the rogue server is no longer blocked.. YET !

So far, this is equally bad as just letting non-admins install their own drivers.

The secret to making this work is a SECOND setting, which expresses where the “Package Point and print - Approved servers” are.

Then, I get the basic / final / good result I want:

  • Non-Admins can point to good “specified” servers 

  • Non-Admins cannot point to rogue servers

Even though I showed how to do this, Microsoft does go out of their way to say : “Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.”

I don’t know exactly what the differences are between the super secure admin only method and the “open the doggie door to the right people” method I just stepped though, and maybe Microsoft doesn’t want us to know. :-) 
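For anyone who wants to script the Tip 4 combination rather than click through the GPO editor, and more importantly audit which of the three states a machine has actually ended up in, here is an added example. It is not code from the original post or from Microsoft’s KB. It assumes (check against Printing.admx in your central store) that “Point and Print Restrictions” writes Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall and UpdatePromptSettings under the PointAndPrint key, that “Package Point and print - Approved servers” writes PackagePointAndPrintServerList plus a ListOfServers subkey under PackagePointAndPrint, and that RestrictDriverInstallationToAdministrators is the KB5005652 value; the server names are placeholders.

```powershell
# Added example (not from the original post): write the "doggie door" combination
# from Tip 4 as registry policy, then audit the machine. Run elevated; a GPO that
# manages the same policies will overwrite these on the next refresh.
# Assumptions: value names as documented in Printing.admx / KB5005652; placeholder servers.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PackagePnPKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Set-ApprovedPrintServers {
    param([Parameter(Mandatory)][string[]]$Servers)   # FQDNs of your GOOD print servers

    # Point and Print Restrictions: only these servers; prompt settings left at
    # Microsoft's defaults (0), since NoWarningNoElevationOnInstall = 1 is "vulnerable by design".
    New-Item -Path $PointAndPrintKey -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name Restricted     -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name TrustedServers -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name ServerList     -PropertyType String -Value ($Servers -join ';') -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings          -PropertyType DWord -Value 0 -Force | Out-Null

    # The "bypass" from Tip 3: let non-admins install drivers (KB5005652).
    New-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 0 -Force | Out-Null

    # The SECOND setting from Tip 4: Package Point and print approved servers.
    $listKey = Join-Path $PackagePnPKey 'ListOfServers'
    New-Item -Path $listKey -Force | Out-Null
    New-ItemProperty -Path $PackagePnPKey -Name PackagePointAndPrintServerList -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($server in $Servers) {
        New-ItemProperty -Path $listKey -Name $server -PropertyType String -Value $server -Force | Out-Null
    }
}

function Get-PointAndPrintPosture {
    # Classify the box. Anything other than AdminOnly is, in Microsoft's words,
    # not equivalent to RestrictDriverInstallationToAdministrators = 1.
    $pp  = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $pkg = Get-ItemProperty -Path $PackagePnPKey    -ErrorAction SilentlyContinue
    $restrictToAdmins = if ($null -eq $pp.RestrictDriverInstallationToAdministrators) { 1 }
                        else { $pp.RestrictDriverInstallationToAdministrators }
    $hasServerList  = ($pp.TrustedServers -eq 1) -and -not [string]::IsNullOrWhiteSpace($pp.ServerList)
    $hasPackageList = ($pkg.PackagePointAndPrintServerList -eq 1) -and (Test-Path (Join-Path $PackagePnPKey 'ListOfServers'))

    $posture = if ($restrictToAdmins -eq 1) { 'AdminOnly (August patch default)' }
               elseif ($hasServerList -and $hasPackageList) { 'NonAdminsToApprovedServersOnly (Tip 4)' }
               else { 'NonAdminsAnywhere (Tip 3, not recommended)' }

    [pscustomobject]@{
        Posture                       = $posture
        ApprovedServers               = $pp.ServerList
        PackageApprovedListPresent    = $hasPackageList
        NoWarningNoElevationOnInstall = [int]$pp.NoWarningNoElevationOnInstall
        VulnerableByDesign            = ($pp.NoWarningNoElevationOnInstall -eq 1)   # Microsoft's own wording
    }
}

Set-ApprovedPrintServers -Servers 'printsrv01.corp.example.com', 'printsrv02.corp.example.com'
Get-PointAndPrintPosture | Format-List
```

Get-PointAndPrintPosture is the part to keep around: run it after every GPO change and treat a VulnerableByDesign of True, or a Posture of NonAdminsAnywhere, as a finding rather than a configuration.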

 

Okay: Really, what are some OTHER SECURE workarounds?

First of all, the method I showed above is only “OK” because Microsoft states that you aren’t really in a totally secure state with it. The second problem with the method I showed is that you have to keep on top of your print servers all the time and update the TWO policy settings whenever a server is added or retired. Maybe this is fine in a small or static environment. Or maybe this could get out of hand quickly.

 

Solid Workaround 1: Using PolicyPak Least Privilege Manager + Printer Helper Tool

I’m going to jump RIGHT TO THE END and tell you what I think is the ideal solution to the problem. Sorry to say, this is not a free solution. And I’m the founder and CTO of the solution, so maybe I’m a little biased.

But in short, here’s a video where you can use PolicyPak Least Privilege Manager to elevate the installation of printers on any server, while the person is a standard user. 

Overcome Print Nightmare Standard User UAC Prompts

Why is this the best method? 

  • First, you don’t have to enable this for all users; just the users who need to do this from time to time. 

  • Second, you don’t need to really be opening up admin rights everywhere; it’s just for this key case. 

  • Third, it quacks like the native tool, but does require one click to get it started, instead of plain “Click to Print.” 

  • And lastly, this technique also works for installing LOCAL printers, which might also come in handy.

This also dovetails nicely into the whole “Zero Trust” model. Let only the users who need this technique get this technique. Remove local admin rights and reduce your attack surface.

 

Solid Workaround 2: Pre-install the drivers to the machine (somehow)

If you are able to magically pre-install the drivers into the machine’s local cache then you get a hall pass here.

You can do this in your image, or, if you already have 10,000 machines out there, you can script your way to glory.

Tip of the hat to my friends at PDQ for the inspiration for this tip. You can find their lashup here: https://www.pdq.com/blog/using-powershell-to-install-printers/

The idea, which I tested manually, worked great, as you can see here. The gist is to use PnPUtil to get the drivers pre-installed into the driver store as an admin. Then the user can click on the network printer and they’re done. No prompts. It just works.
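Here is the pre-staging idea written out as a script, as an added example (not the PDQ script and not code from the original post). The driver share path, INF file name, driver name and print server are placeholders; the admin half runs elevated (a SYSTEM scheduled task, an Intune script, or your deployment tool), and the user half runs later in the standard user’s own context.

```powershell
# Added example (not from the original post): pre-stage a print driver into the
# local driver store as an admin, so a later Click-to-Print by a standard user
# finds the driver already present and never prompts.
# Assumptions: '\\fileshare\drivers\...', the INF, the driver name and
# '\\printsrv01\...' are placeholders.

function Install-StagedPrintDriver {
    param(
        [Parameter(Mandatory)][string]$InfPath,     # placeholder: \\fileshare\drivers\hpcu\hpcu250u.inf
        [Parameter(Mandatory)][string]$DriverName   # placeholder: the driver name as listed in that INF
    )
    if (-not (Test-Path $InfPath)) { throw "INF not found: $InfPath" }

    # 1. Put the driver package in the driver store (pnputil exits non-zero on failure).
    & "$env:SystemRoot\System32\pnputil.exe" /add-driver $InfPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "pnputil failed with exit code $LASTEXITCODE for $InfPath" }

    # 2. Register it with the spooler so Point and Print treats it as already installed.
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $DriverName
    }
    Get-PrinterDriver -Name $DriverName
}

function Add-PrinterConnectionForUser {
    # Runs in the USER context (no admin): with the driver pre-staged this should
    # succeed without an elevation prompt. Returns $true on success.
    param([Parameter(Mandatory)][string]$ConnectionName)   # placeholder: \\printsrv01\Finance-BW
    try {
        Add-Printer -ConnectionName $ConnectionName -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Adding $ConnectionName failed: $($_.Exception.Message)"
        return $false
    }
}

# Admin half (placeholder values): stage one driver.
Install-StagedPrintDriver -InfPath '\\fileshare\drivers\hpcu\hpcu250u.inf' -DriverName 'HP Universal Printing PCL 6'

# User half, run later as the standard user:
# Add-PrinterConnectionForUser -ConnectionName '\\printsrv01\Finance-BW'
```

The check that matters is the second half: if Add-PrinterConnectionForUser still raises an elevation prompt or returns $false for a standard user, the driver name on the server does not match the one you staged, and the spooler will go looking for it over Point and Print again.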


 

There’s another method that I found, which involves getting a machine prepped with all your drivers, backing up the driver store, and packaging it up. PrintBrm.exe and PrintBrmUI.exe (under %windir%\System32\spool\tools) are the in-box utilities which do this. A good write-up if you want to do this is here (https://lakeforestconsulting.com/adminprintnightmare/). You can then deploy the package using SCCM, Intune, PolicyPak or another method of your choice. 

 

Solid Workaround 3: Use the same printer driver as many times as you can

I found this one from here: https://community.spiceworks.com/topic/2328739-best-way-to-deploy-printnightmare-proof-printers-to-non-admin-users?page=1#entry-9250842 (Courtesy https://community.spiceworks.com/people/ethanharris). I’ll just quote him and make this easier for everyone:

“We get around it by using the same universal HP driver on our print server for all black & white printing.  Since they already have the print driver installed they get no admin prompt when they add other printers.

For each color printer we create two printers on the print server, "PrinterName" and "PrinterName-Color" with the actual driver for that printer model used on the -Color version.  It is understood by staff that anyone can add a printer to print in B&W but IT needs to enter the admin password if they need to add a printer to print in color.  This also helps to cut down on printing costs as color printing costs 10x as much as B&W on our printing contract.”

 

Are there Workarounds if I’m not domain joined?

Yes, Here’s the others I’m able to come up with. If you have more to add, let me know and I’ll add them here and give you credit.

 

Using an MDM Service + PowerShell

If you use an MDM service like Intune, then you could use the script method from the PDQ guys (see above). That’s a little more than I want to get into here, but it should get you near the goal. 

 

Using PolicyPak + Least Privilege Manager

I already mentioned the Least Privilege Manager and the Helper Tool; here's a link to an alternate video which shows a few more magic tricks of the Helper Tools.

https://kb.policypak.com/kb/article/889-overcome-network-card-printer-and-remove-programs-uac-prompts/ 

 

Using PolicyPak + Remote Work Delivery Manager

We’ve had this KB around for a while; but it works great to overcome Printnightmare. The gist is that you copy install files from, say, Dropbox, Amazon S3 or Azure storage, then script the install.

https://kb.policypak.com/kb/article/1103-how-to-deploy-a-tcp-ip-printer-using-policypak-remote-work-delivery-manager/

 

Using PP Scripts to Deploy Printers for Users (so they don’t have to.) 

This method is similar to the PP + Remote Work Delivery Manager method, but could be useful if you only have PP Scripts and Triggers and not Remote Work Delivery Manager. 

 

Using PolicyPak Cloud + GPPRefs TCPIP Printers 

This could help some people, so I’m adding it here.

https://kb.policypak.com/kb/article/788-how-to-deploy-a-tcpip-printer-using-group-policy-preferences-in-policypak-cloud/

 

Final thoughts about Printnightmare

The world is heading toward Zero Trust. Which means every piece of the network needs (or should have) explicit allow rules.

We believe in this idea at PolicyPak, and can do blocking by default for regular downloads, Windows Store downloads, and even block stuff on USB sticks.

With the Printnightmare patch, Microsoft is basically saying the same thing: trust no one but your admins. But if you respond by giving someone local admin rights on the box, you’re shooting yourself in the foot.

Remove local admin rights and get to Least Privilege land (using PolicyPak Least Privilege Manager). And then give back what you need to with rules to open up specific admin-like-things to your end-users (like adding printers) as needed.

Hope this guide helps you out.

Special thanks to my two Technical Reviewers: Viktor Hedberg and Hasain Alshakarti for help with the article.

Jul 2021
20

What is Cloud Config?

Not everyone needs to be a power user.  Some employees just need a basic computer to get the job done.  Examples include frontline workers, home-based users, or those who access everything through a web browser.  While these users may only need the very basics, internal IT doesn’t want to skimp on security for them either.  It is for these types of situations that Microsoft began offering Windows 10 in cloud configuration.  Windows 10 cloud config simplifies the desktop experience for end users as well as the management experience for admins.   You can use it to configure new devices, or to reuse existing hardware and extend the life of older machines.   Because cloud config is a Microsoft-recommended configuration that ships with a baseline of endpoint security settings, you start from a hardened state rather than having to design one yourself.  Windows 10 cloud config is suited to the following types of scenarios:

  • Devices that do not require complex configuration settings
  • Devices that are not dependent on any type of on-premises infrastructure
  • Devices that use a basic set of apps curated by internal IT, such as Microsoft Teams and Edge

To be clear, cloud config is not Windows “lite.”  It is the full Windows experience.  You deploy new devices with it, or assign it to existing devices, using Microsoft Endpoint Manager.  From there you manage these machines just like any other MDM-enrolled device.  These devices are configured with Windows 10 endpoint security settings and automatically updated through Windows Update for Business.  Admins don’t have to do a thing.  All user data is redirected to, and stored in, OneDrive.  For this reason, Microsoft does not recommend cloud config for shared devices.

Cloud config can be deployed to any device running any one of the following operating systems.   

  • Windows 10 Professional
  • Windows 10 Enterprise
  • Windows 10 Education

Cloud config requires the following licenses:

  • Azure Active Directory Premium P1
  • Microsoft Intune
  • Microsoft Teams
  • OneDrive for Business
  • Windows 10 Pro (minimum)

Note that Microsoft recommends Enterprise Mobility + Security E3 and Office 365 E3.

There are two ways to deploy Windows 10 cloud config in Microsoft Endpoint Manager.  The easiest way uses the new guided scenarios feature.  Cloud config is one of the sets of customized steps that admins can use to quickly deploy devices for a given scenario.  You can also configure cloud config manually using the following steps:

  1. Create an Azure AD group
  2. Configure device enrollment
  3. Deploy a script to configure Known Folder Move and remove built-in apps
  4. Deploy apps
  5. Deploy endpoint security settings
  6. Configure Windows Update settings
  7. Deploy a Windows 10 compliance policy
  8. Additional optional configurations
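Step 3 of the manual route is the only one that is a script rather than a portal setting, so here is an added example of what such a script can look like when deployed through Intune. It is not Microsoft’s cloud config script and not code from the original post; the tenant ID is a placeholder GUID and the app list is a constructed example. It relies on the documented OneDrive policy values SilentAccountConfig, KFMSilentOptIn, KFMSilentOptInWithNotification and KFMBlockOptOut under HKLM\SOFTWARE\Policies\Microsoft\OneDrive.

```powershell
# Added example (not Microsoft's script, not from the original post): configure
# OneDrive Known Folder Move silently for one tenant and strip a few built-in
# apps a cloud config device does not need. Runs as SYSTEM (Intune's default).
# Assumptions: placeholder tenant ID; the package list is a constructed example.

$TenantId          = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID
$OneDrivePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-OneDriveKnownFolderMove {
    param([Parameter(Mandatory)][string]$TenantId)
    New-Item -Path $OneDrivePolicyKey -Force | Out-Null
    # Sign the client in silently with the logged-on user's Azure AD credential.
    New-ItemProperty -Path $OneDrivePolicyKey -Name SilentAccountConfig -PropertyType DWord -Value 1 -Force | Out-Null
    # Silently move Desktop, Documents and Pictures into OneDrive for this tenant only.
    New-ItemProperty -Path $OneDrivePolicyKey -Name KFMSilentOptIn -PropertyType String -Value $TenantId -Force | Out-Null
    # Tell the user it happened, and keep them from opting back out.
    New-ItemProperty -Path $OneDrivePolicyKey -Name KFMSilentOptInWithNotification -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $OneDrivePolicyKey -Name KFMBlockOptOut -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $OneDrivePolicyKey | Select-Object SilentAccountConfig, KFMSilentOptIn, KFMBlockOptOut
}

function Remove-BuiltInApps {
    param([Parameter(Mandatory)][string[]]$PackageNames)
    foreach ($name in $PackageNames) {
        # Removing the provisioned package stops it being installed for NEW users ...
        Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -eq $name |
            ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null }
        # ... and removing the installed package handles users who already exist.
        Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue |
            Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
    }
    # Return whatever is still provisioned so the script's output is auditable in Intune.
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -in $PackageNames | Select-Object DisplayName
}

Set-OneDriveKnownFolderMove -TenantId $TenantId
Remove-BuiltInApps -PackageNames @(
    'Microsoft.XboxApp',                        # constructed example list
    'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.ZuneMusic'
)
```

An empty result from Remove-BuiltInApps is the success case; anything it still lists is a package that will reappear for the next user to sign in.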

For this example, we are going to use guided scenario.  You will find it by going to Troubleshooting + support > Guided scenarios.  The first time you access this section you may have to click the “Got it” button as shown below.

Then choose Deploy Windows 10 in cloud configuration by clicking the Start button for that scenario.

The first step involves the naming of the devices during the Windows Autopilot enrollment process.  If you choose not to use the device name template, all devices will keep the OEM name.  If you select “Yes,” however, you can create a pattern that gives each device a unique name.  You can use the %RAND:x% variable to append a string of random characters to a prefix such as Fabrikam, where x is the number of random characters.  In the example below we are appending 4 random characters to Fabrikam.

The next step is to select the apps you want to deploy to these devices. Because Cloud Config is about keeping things simple, Microsoft recommends keeping the list of included apps to a minimum so that your cloud config devices are simple to use and manage.  By default, the guided scenario includes Edge and Teams.  As you cannot remove them when using the guided scenario, you must uninstall them at a later time if you don’t want them.  You can then select additional Microsoft 365 optional apps as is shown in the screenshot below.

Next is the Assignment phase in which you will assign the cloud config devices to a group.  Here you can either create a new group or choose an existing group as is shown below.

After you create your group and click “Next” you will be presented with a Summary showing all of your selections.  You can go back to the other tabs, and change any values you added.  Once you verify your settings then click Deploy. 

You can then watch as the resources are being created along with their status.  If there's an error, then the guided scenario isn't deployed, and all changes are reverted.  Once deployed successfully you can use the monitoring and reporting features in the Endpoint Manager.  If you want to remove any of your chosen settings, go to each policy created by the cloud config guided scenario and configure the settings to Not Configured.  Then redeploy the policies. 

In the end, cloud config is just a recommended set of configuration settings for Windows 10 for standardized deployments that are easy to manage.  While it isn’t for everyone, it is an ideal fit for specific user scenarios. 

Jul 2021
10

Managing News and Interests on the Windows Taskbar

Those who have updated to Windows 10 Build 19042.964 via KB5001391 have noticed the addition of the News and interests feed on the Windows taskbar.  The feed is announced on the taskbar by a weather icon by default, representing current sky conditions nearby.  With a click of the mouse you can see nearby weather and traffic conditions, updates on your stocks, and stories on professional or personal interests.   You can customize the stories and publisher sources by clicking “Manage interests” at the top, as shown in the screenshot below.  A web browser then opens, allowing you to tune your feed.  You can also select “More options” on headlines and articles in order to share or save them.

Users can also customize how the newsfeed appears on the taskbar.  By default, the weather conditions icon and temperature are shown.  By right clicking on the icon, users can modify this in the context menu as shown below.

Windows admins will understandably want to manage the appearance of this new feature.  This can be done through either Windows Group Policy or Microsoft Endpoint Manager.  To access the associated Group Policy setting you need the Feeds.admx file.  You can get it from C:\Windows\PolicyDefinitions on a machine that has the update installed.  Copy Feeds.admx into your Group Policy central store, along with the matching Feeds.adml language file; those in the U.S. will find it in the en-US subdirectory.  The two locations are shown below.

You must then create a computer-side policy by going to Computer Configuration > Administrative Templates > Windows Components > News and interests > Enable news and interests on the taskbar.  You can then choose to enable or disable the feature.  Enabling the policy allows News and interests on the taskbar and gives users access to the applicable context menu, so users can still turn it off themselves if they wish; disabling it removes both the feed and the context menu option.  The policy is enabled in the screenshot below.

You can also manage News and interests in Microsoft Endpoint Manager as well by creating a Configuration profile.  Select Windows 10 and later as the platform and choose Settings catalog (preview) as the profile type.  After naming the policy, select “Add settings” to access the Settings Picker as shown below.

Then do a search for “news” and select “News and interest” and enable the setting as shown below.

You can also manage News and interests via the registry.  The Group Policy setting above writes a machine-wide policy value here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds

as a DWORD named EnableFeeds (1 = allowed, 0 = disabled).  The per-user display choice from the taskbar context menu is stored separately, as a DWORD named ShellFeedsTaskbarViewMode under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Feeds.  Assign that value accordingly:

  • 0 – show icon and text
  • 1 – show only icon
  • 2 – disabled (turned off)

Of course these registry values can be deployed using Group Policy Preferences as well.  The screenshot below shows the designated registry key.
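To tie the two levels together, here is an added example (not code from the original post) that sets the machine policy, sets the per-user view mode, and reports the effective state. It assumes the value names EnableFeeds and ShellFeedsTaskbarViewMode described above; check them against Feeds.admx on a patched machine before rolling the script out.

```powershell
# Added example (not from the original post): manage News and interests from
# PowerShell at both levels: the machine policy admins control (Feeds.admx,
# EnableFeeds) and the per-user taskbar view mode the context menu writes.
# Assumption: value names as given in the text above.

$FeedsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds'
$FeedsUserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Feeds'

function Set-NewsAndInterestsPolicy {
    # $Enabled = $false removes the feed and its context menu entirely (policy "Disabled"). Run elevated.
    param([Parameter(Mandatory)][bool]$Enabled)
    New-Item -Path $FeedsPolicyKey -Force | Out-Null
    New-ItemProperty -Path $FeedsPolicyKey -Name EnableFeeds -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
}

function Set-NewsAndInterestsViewMode {
    # Per-user preference, same choices as the taskbar context menu:
    # 0 = show icon and text, 1 = show only icon, 2 = turn off.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    New-Item -Path $FeedsUserKey -Force | Out-Null
    New-ItemProperty -Path $FeedsUserKey -Name ShellFeedsTaskbarViewMode -PropertyType DWord -Value $Mode -Force | Out-Null
    # Explorer reads this at start, so restart it for the current user (it relaunches itself).
    Stop-Process -Name explorer -Force
}

function Get-NewsAndInterestsState {
    $policy = (Get-ItemProperty -Path $FeedsPolicyKey -Name EnableFeeds -ErrorAction SilentlyContinue).EnableFeeds
    $mode   = (Get-ItemProperty -Path $FeedsUserKey -Name ShellFeedsTaskbarViewMode -ErrorAction SilentlyContinue).ShellFeedsTaskbarViewMode
    $modeLabel = if ($null -eq $mode) { 'Default (icon and text)' }
                 elseif ($mode -eq 1) { 'Icon only' }
                 elseif ($mode -eq 2) { 'Turned off' }
                 else { 'Icon and text' }
    [pscustomobject]@{
        PolicyEnableFeeds = if ($null -eq $policy) { 'NotConfigured (feature allowed)' } else { $policy }
        UserViewMode      = $modeLabel
        EffectivelyShown  = ($policy -ne 0) -and ($mode -ne 2)   # policy wins over the user choice
    }
}

# Admin: remove the feature for everyone on this machine.
# Set-NewsAndInterestsPolicy -Enabled $false
# User: keep it, but icon only.
# Set-NewsAndInterestsViewMode -Mode 1
Get-NewsAndInterestsState | Format-List
```

Get-NewsAndInterestsState is handy after a GPO or Endpoint Manager rollout: if EffectivelyShown is still True on a machine that should have the policy, the Feeds.admx setting has not applied there yet.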