Yeah! The TL;DR is I applied a registry edit via GPO to turn off “RestrictDriverInstallationToAdministrators”. To mitigate some of the risk associated with that, I added the FQDN of our print server to “Package Point and print - Approved servers” and “Point and Print Restrictions” under Computers and Users in Group Policy, so that users can only install printer drivers from our server.
Here’s the the detailed version:
- Via Group Policy (Computer Configuration > Preferences > Windows Settings > Registry), I added the registry entry “RestrictDriverInstallationToAdministrators” to “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint” and set to 0 (DWORD).
- Enabled the following in a GPO:
- Computer Configuration > Policies > Administrative Templates > Printer > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
- Computer Configuration > Policies > Administrative Templates > Printer > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Do not show warning or elevation prompt”.]
- User Configuration > Policies > Adminstrative Templates > Control Panel > Printers > Package Point and print - Approved servers > [Enter FQDN(s) of print server(s).]
- User Configuration > Policies > Administrative Templates > Control Panel > Printers > Point and Print Restrictions > [Enable and enter FQDN(s) of print server(s). I personally set security prompts for “Show warning only”.]
- You may also want to confirm that you have “Computer Configuration > Policies > Administrative Templates > System > Driver Installation > Allow non-adminstrators to install drivers for these device setup classes” set up with {4658ee7e-f050-11d1-b6bd-00c04fa372a7} and {4d36e979-e325-11ce-bfc1-08002be10318}, which are both printer-related. But if your deployed printers were working before that update went out, then you may have already had this set!
Note: Use at your own risk