Security updates from September 14 against the “PrintNightmare” vulnerabilities may cause new problems. Workarounds & further measures help against this.
Since the beginning of July 2021, Microsoft has been trying to fix several vulnerabilities in the Windows print spooler service that are grouped under the name “PrintNightmare”. However, the most recent attempt, on the September 14 patch day, led to complications in some print environments, which Microsoft has since confirmed.
A uniform solution does not yet exist – but there are workarounds that solve the problem without uninstalling updates. Administrators should be aware that the workarounds described in this message are only short-term and temporary solutions that should later be replaced by updated printer drivers and Microsoft improvements.
“Missing” Printers and crashes
Shortly after the patch day security updates were released, several administrators of corporate environments contacted the author of this article. After the updates, they said, shared network printers (e.g. in terminal server environments) were missing on Windows clients. In other cases, users suddenly required administrative rights to install or update printer drivers. Crashes with stop errors have also been observed. Printers from different manufacturers are affected by the problems.
Some admins felt compelled to uninstall the patches in order to keep the IT infrastructure functioning – a risky undertaking since PrintNightmare vulnerabilities are now being exploited for ransomware attacks. There is not yet a uniform solution for solving the printing problems; at least some solutions and workarounds are now known.
Microsoft: Problem confirmation…
On September 17, 2021, Microsoft acknowledged fundamental problems caused by the September 2021 updates in the Windows 10 status area entry “Administrator credentials required every time apps attempt to print”. Windows clients from Windows 7 SP1 up to Windows 10 21H1 and Windows servers from version 2008 R2 SP1 up to Windows Server 2022 are potentially affected.
The problem description: With certain printers that use Point and Print, the question “Do you trust this printer?” appears in some environments after the update installation. As a result, whenever an application tries to print to a print server or a print client tries to connect to a print server, administrator rights are required to install the necessary drivers.
...and (conditionally helpful) recommendation for action
According to Microsoft, this behavior is caused by the fact that a printer driver on the print client and server has the same file name, but the server has a newer version of the file in question. When the print client connects to the print server, it will find a newer driver file and will be prompted to update the drivers on the print client. However, the process fails because the package offered to the client for installation does not even contain the newer file version.
Microsoft’s rather succinct solution proposal: Administrators should make sure that the latest drivers for all printers used are installed and if possible the same versions of the printer driver are used on the print client and the print server. The advice is aimed at installing printer drivers that correspond to the V4 driver model introduced with Windows 8/Server 2012 and solving the problems that are occurring. In some cases (e.g. with HP devices) it also helps to use the so-called universal printer drivers for printer control.
However, this recommendation for action has a few catches that Microsoft ignores: If the printer manufacturer does not provide newer V4 drivers, the solution to the problem fails. In addition, it may be that an administrator has to update the drivers on the affected terminal servers and print servers once before printing works again without administrator rights. Another difficulty can arise if Linux and macOS clients are also supposed to print to print servers: In mixed environments, administrators sometimes fall back on V3 drivers when V4 printer drivers cause problems.
Disable the administrator requirement for printer installation
The fact that installing the printer driver requires administrator rights was already introduced with the Windows security updates of August 2021. For this purpose, Microsoft has implemented a policy with the registry key
to activate (default value) or deactivate the administrator requirement for installing Point and Print drivers. If the DWORD value RestrictDriverInstallationToAdministrators=0 is set, a printer driver installation is again possible without administrator rights. Microsoft describes this in support article KB5005652.
For security reasons, administrators who decide to take this step should implement the measures outlined in the support article for specifying the permitted print servers via group policy. The website gruppeninstrumente.de describes corresponding group policy objects, and in a user comment on the author’s blog, an administrator describes how he has secured his printing environment accordingly. This is the only way to prevent the PrintNightmare vulnerabilities from being exploited from the Internet.
The US-CERT recommends that when RestrictDriverInstallationToAdministrators=0 is set, the policy that enforces package Point and Print also be enabled via the DWORD value PackagePointAndPrintOnly=1. Details about the registry entries and the group policies are documented by gentilkiwi in this GitHub post.
Workaround for error 0x0000011b
Depending on the environment, however, it may also happen after the September 2021 security update that printers can no longer be addressed at all or that printing aborts with an error (error 0x0000011b). If this cannot be fixed by updating the driver, there is only a second workaround, which is associated with a certain security risk.
The background to the error is a change made with the September 2021 security updates to close the spoofing vulnerability CVE-2021-1678. In January 2021, in connection with this vulnerability, a security update introduced the possibility of using a new authentication for Printer-RPC binding. Since then, administrators have been able to use a policy and a new registry key to specify whether this authentication is used for the Printer-RPC binding.
In January 2021, the RpcAuthnLevelPrivacyEnabled registry value was still set to “inactive” to give administrators time to convert. With the September update, the policy is now enforced, and as a result some printer drivers can no longer connect to print servers and may fail with stop error 0x0000011b. If updating the printer driver does not resolve this error in the short term, administrators can set the 32-bit DWORD value RpcAuthnLevelPrivacyEnabled=0 in the registry key
. The print spooler must then be restarted. The changed value disables enforcement mode, but again makes the environment vulnerable to the spoofing vulnerability. Feedback from several admins to the author of this post has confirmed that this workaround helped. Those who choose to do so should be aware of the potential CVE-2021-1678 vulnerabilities (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1678).
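Because both workarounds are meant to be temporary, it helps to track which hosts still carry them. The following Python script is an added example, not part of the original article or of Microsoft's guidance: it audits an exported inventory of the three registry values named above. The CSV layout, the host names and the approved_servers column are constructed assumptions, and the hosts are assumed to have the September 2021 updates installed.

```python
import csv
import io

# Constructed inventory export: one row per host, empty cell = value not set.
# Column names other than the three registry value names are assumptions.
SAMPLE_CSV = """host,RestrictDriverInstallationToAdministrators,PackagePointAndPrintOnly,approved_servers,RpcAuthnLevelPrivacyEnabled
ts01,,,,
ts02,0,1,print01.example.test,
ws17,0,,,1
ps03,1,,,0
"""

def dword(cell, default):
    """Return the DWORD in an export cell, or the default when it is not set."""
    cell = (cell or "").strip()
    return int(cell, 0) if cell else default

def audit_host(row):
    """List the temporary workarounds found on one host and what they expose."""
    findings = []
    # Since the August 2021 updates the admin requirement is the default (1).
    if dword(row.get("RestrictDriverInstallationToAdministrators"), 1) == 0:
        missing = []
        if dword(row.get("PackagePointAndPrintOnly"), 0) != 1:
            missing.append("PackagePointAndPrintOnly=1")
        if not (row.get("approved_servers") or "").strip():
            missing.append("approved print server list")
        if missing:
            findings.append("driver install open to non-admins; missing: " + ", ".join(missing))
        else:
            findings.append("driver install open to non-admins (mitigated, still temporary)")
    # On a host with the September 2021 updates, enforcement applies unless the value is 0.
    if dword(row.get("RpcAuthnLevelPrivacyEnabled"), 1) == 0:
        findings.append("RPC privacy enforcement off; exposed to CVE-2021-1678")
    return findings

def audit_inventory(text):
    """Map each host that carries a workaround to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_host(row)
        if findings:
            report[row["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_CSV).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

Hosts listed in the report are candidates for reverting the registry values once updated printer drivers are available.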