(breaking news, updating the post as links become available)
Microsoft has been battling a set of vulnerabilities to the way it handles printer drivers for the last couple of months, releasing a series of patches that haven't really fixed the issues. Now, in an unusual move, the company has just announced as part of its Patch Tuesday updates, that it's going to require users to have Administrator privileges to add or update printers for use by Windows. The company detailed the change in a post on the Microsoft Security Response Center blog:
Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks.
Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.
For most individual Windows users, the change will mean having to click on some prompts to gain elevated privileges in order to add or update printers, but it may be more troublesome for enterprise scenarios where users run in Standard mode without access to Admin privileges. Now, an administrator will have to handle any changes to printer drivers. Printer manufacturers are going to have to revamp their instructions for how to install printers. The vulnerabilities have made things a bit more difficult, for sure, but as the post says, "we strongly believe that the security risk justifies this change."
Microsoft goes on to say that, while not recommended, the behavior can be turned off with a registry change.
Microsoft has (finally) posted the changelog for KB5005033, the latest Patch Tuesday update. Aside from the bombshell PrintNightmare changes, there's not much new this month aside from a servicing stack update that makes quality improvements to the component that installs Windows Updates.
Check Windows Update to get the latest Patch Tuesday updates for your version of Windows.