VMware Horizon Community
nwctim
Contributor
Contributor
Jump to solution

Windows Update KB5005030 Breaking DEM

Has anyone else had issues with Windows KB5005030 breaking DEM 10.3 components? Seems to have broken "Printer Mapping" and "Shortcuts". Appears that "Folder Redirection" is still working. If I uninstall this KB the printer mappings appear to be fixed, but still no shortcuts.

Thanks for any input.

Tim

Reply
0 Kudos
1 Solution
10 Replies
anil_agarwal
VMware Employee
VMware Employee
Jump to solution

@nwctim can you confirm whether printer driver is installed in the base image. 

Reply
0 Kudos
nwctim
Contributor
Contributor
Jump to solution

Not all drivers are installed on base image. Many are Canon copiers, various models.

I have tested with this scenario that if you manually add the printer through Control Panel; it prompts the user to accept the driver installation. We've had this in the past but it was related to the print server having the driver not "Packaged"; if they weren't then the user was prompted. This is not true in this case, all of the drivers are in a "Packaged" state.

I have verified that it is this KB that breaks the printers; I uninstalled on a users machine yesterday that was having printer issues, and as soon as it was gone the printers came down again (all of them, all different models).

Thanks for your input.

Reply
0 Kudos
nwctim
Contributor
Contributor
Jump to solution

The registry entry seems to have worked for the printers; testing with a few more users. Will update this thread with final results.

Thanks BenTrojahn


!

Reply
0 Kudos
BenTrojahn
Enthusiast
Enthusiast
Jump to solution

I would strongly recommend getting the required drivers into the image ASAP and not allow point and print driver installation as MS intended (this month ;-/).  I'm sure there will be more spooler 'fixes' in the near future.   I would also set the following Printer GPOs immediately

Package Point and print - Approved servers

Point and Print Restrictions

Allow Print Spooler to accept client connections

 

YMMV

 
Reply
0 Kudos
anil_agarwal
VMware Employee
VMware Employee
Jump to solution

@nwctim Yes. please have printer drivers installed in the base image. From DEM perspective, this is the recommendation for printer mapping to work smoothly. 

Reply
0 Kudos
VentziP
Enthusiast
Enthusiast
Jump to solution

We have the same issue with the Printer mappings. I have all the drives on the base image, but the problem after that KB is that it prevents a none local admin users to get the printer mapped. Basically the machine stuck on Applying WMware Dynamic Environment Manager policy screen. The only option is to recover the machine thru View Admin console. 

I adjusted the suggested GPO 's for Point and Print but still no luck.

If I use the Registry to allow none admin users and it is back to normal, but that is not recommended. 

Is there any option to map the printers with Elevated option thru DEM Printer Mappings? 

Reply
0 Kudos
anil_agarwal
VMware Employee
VMware Employee
Jump to solution

@VentziP These are admin configured printer mappings that run in user context. These printers are mapped during user logon. Can you please point me to the Microsoft recommendation that states otherwise.

Reply
0 Kudos
VentziP
Enthusiast
Enthusiast
Jump to solution

@anil_agarwal That is correct, but after that patch they are not mapping because our users are not local admins. I'm not sure what do you mean to point to Microsoft recommendation. According to them there is a registry to allow none admin users to install the printers, but they don't recommended to use that in a long term only temporary. 

VentziP_0-1630070737724.png

KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481) (microsof...

I tried as well with disabling Point and Print completely thru GPO, but still the same.

So I was more thinking  if there is a option to push these printers as a elevated task during the logon. I don't see a option in Privilege Elevation to link to Printer Mapping object in DEM Manager.    If you have any other idea I'm happy to try it as well.

Reply
0 Kudos
CTRIM
Enthusiast
Enthusiast
Jump to solution

We are still seeking a solution for this too. Microsoft just breaking it as a solution for them to just walk away is not a solution. It prevents the exploit but it also prevents legitimate use as well.

 

It might be easier at this point to go paperless. /s

Reply
0 Kudos