This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 85%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Dears,
the latest Windows updates is causing a lot of problems with network printers mapped on a print server.
Reference:
KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)
Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)
The two recent patches (KB5004945, KB5004760, or KB5003690) causes these two main problems:
2) unable to use the print server with the new registry key RpcAuthnLevelPrivacyEnabled
The system logs reports this error: 0x0000011b
The two workarounds that you have to apply to survive and allow corporate users to be able to use the print server are:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 0
2) Apply this registry key to disable the new default settings related to the print spooler vulnerabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print
RpcAuthnLevelPrivacyEnabled = 0
The above workarounds are only a temporary solution to survive and allow users to print.
What is unclear to me is what should be the right way to manage these settings in a corporate environment without any end user interaction.
So, if I want to be protected and apply the recent security fixes without asking the end users to do something, what should I do?
Microsoft states that you need to set "RpcAuthnLevelPrivacyEnabled" to "1" on both Client and Print Server in order to be protected, but if you do this, you can't print.
So, what should we do in a Corporate environment to be secure and print without any end user interaction about "driver installation" etc.?
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 48%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVF%3C/text%3E%3C/svg%3E)
Had a problem with printer with job abord: Failure in UIO create address from IP Address. Computer is running windows 11 now after upgrate and the HP Laserjet printer model P2015d will not print. Contact HP and they comfirmed that this printer which is older model is not support/operate with windows 11. Purchase a brother laserJet printer for $159 and printing is OK. No more printing issues.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I would like to know the answer to this as well.
The only way that I have been able to print from a client computer is to set RpcAuthnLevelPrivacyEnabled = 0 on the server. This allows me to install the printer from the server.
RpcAuthnLevelPrivacyEnabled setting on the client's computer has no effect.
I have also attempted to enable Point and Print Restrictions to limit the client computers to specific servers, but it has no effect on the machines. I can still download printers from any server. I'm not sure what I am missing to make that GPO configuration work.
Does anyone have any ideas or suggestions?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 26%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hi
I found a solution at least in my environment. That is, the user name in the client computer must exist in the server side, and also must have a passworwd assigned. Thats solve de issue. Remember, today the security is a must!
I hope this be helpfull for you too.
Hi Norbert ,It looks like you are not using the Windows Standard TCP/IP port, is there a specific reason for this? I am guessing the port monitor is some HP code. To be fair, Windows Standard TCP/IP port was ffrom HP, they licensed it to Microsoft in 1997 to be included in Windows 2000. Switch the port first. I don't expect this UI.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
is there a fix for a corporate environment ?
we have had the same issue - but it seems we need to change the key back n forth just to get the printer installed.
there has to be a fix without adding users security to the printer itself.
thank you
The only thing that I have found that works is to set RpcAuthnLevelPrivacyEnabled = 0 on the print server found here HKLM\SYSTEM\CurrentControlSet\Control\Print.
From my testing, it appears that this option tells the connecting computer to use Administrative Credentials. I do not see how this would be a fix to the PrintNightmare vulnerability because the connecting computer could still add a printer from another print server that is compromised.
We still run into the issue that unsigned drivers require administrator privileges to install or update the driver. Luckily, we do not have many printers that are using unsigned drivers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 66%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
so far in my environment the only thing that has been able to halfway-work was to uninstall from the client PC the (KB5006670) security update. im now able to open my print server via \printservername and manually map a printer on the client PC. Before the removal i was unable to map as i was getting the strange 0000007c error.
so far testing on 2 printers the client normally is able to print fine but one. The problematic printer is a HP laserjet 700 m712 and when i print anything to it i now get a message that says : ****JOB ABORTED: Failure in UIO CreateAddressFromIPAddress**** and fails to print.
Im really scratching my head on this one.
I guess what i would like to know like everyone here is how to keep the update and not break the printing process. if there is a new method to deploy printers i would like to know. is there anybody out there!! sorry for the dramatics.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 89%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
JorgeHernandez-7004, did you have any luck with the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error? We're now getting the same thing and have no idea why it has started!
We are also getting the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error.
Anyone have any luck fixing this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 12%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Saw the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error on a HP printer that was using the latest HP Universal Print Driver v7.0.1. but changed it to v7.0.0 and don't see the issue anymore. Could it be driver related?
This is how we found to fix it using the latest drivers.
Deleted the print share and recreated it on the server using the new driver (instead of just updating to the new driver).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 14.000000000000002%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXS%3C/text%3E%3C/svg%3E)
We are also starting to have this issue.
We just updated from the HP Universal Drivers (6.8.0 PCL6 and PS) to 7.0.1 and we started having this problem (Failure in UIO CreateAddressFromIPAddress) and also some printers had a certificate error.
Anyone find a solution? We have just rolled back to 6.8.0 and everything is working fine again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 72%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
I opened a ticket with HP on this and they basically did a google search for the Failure in UIO error message and pointed me to this thread as the solution. So HP isnt taking this terribly seriously. Im not saying the issue with the driver isn't a Printnightmare issue but its pretty telling that older versions of HPs driver work fine on a server supposedly affected by Printnightmare but their newer driver does not. In addition to seeing some certificate errors from time to time, I also encounters some printers asking me to put a PIN or password on my print job in order to send it to the printer. It all strikes me as some kind of garbled communication between print server and printer and the driver interprets that in random ways, thus we get certificate errors, communication errors, encryption requests, etc. As was mentioned, we also found that deleting the printers and recreating them works. Usually. I have successfully redone most of my printers with the new driver and they are currently working but one print server will still not work with the new driver regardless of what I do. Its all very frustrating.
PS: One interesting thing I have found is that LaserJet Pro M404 models seem to be unaffected by this. They seem to work with the newer driver without requiring the printer to be deleted and then recreated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 43%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
I was also having this issue, and I switch my HP UPD to 7.0.0 and that seemed to resolve it for me as well, so thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 59%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hi JorgeHernandez-7004. The "Job Aborted" appears to be a know issue in the HP UPD version 7.0.1 documented in the release notes, which you can find here:
http://h10032.www1.hp.com/ctg/Manual/c03635717.pdf
According to the release notes HP is investigating the issue, and it offers some workarounds. If you have the possibility of going back to a previous version of the UPD that would resolve your issue in the meantime.
The new Windows default for Point an Print connections to shared printers is admin rights.
You can work through this with the registry setting on the client system.
The "RpcAuthnLevelPrivacyEnabled" set to 1 prevents the client systems, and the print server, from connecting to Linux machines pretending to be Windows print servers. Do you have Linux in your environment where you may have concerns?
To work through no administrative requirements for connections to Windows shared printers, then you can use a print driver on the server which is never downloaded to the client system. These drivers are known as Type 4 print drivers. You can find these on Windows update and from printer vendors. Type 4 print drivers have existed for nine years. More than 10 if you used Windows 8 in preview versions.
Since there is no software copied making the printer connection, then the attack service is gone.
There are group policies to specifically provide access to only print servers you control and if you manage all the Windows clients I also suggest closing down the remote spooler RPC endpoint on the client systems. Disable the Computer policy which Allow clients to connect to spooler . If the client is actually sharing a printer, the RPC endpoint is open but how many Windows clients are sharing a printer in your organization?
If you obtain your Type 4 drivers from Windows Update or if you are running 2012R2 you can use the drivers provided with the operating system. The client can get the driver from WU if a Type 4 driver is up there.
Admin rights for printer connection when software is downloaded from the server. It's the new world of Windows and it will not be changing.
Thanks