UPDATE #4: I have heard rumor that a fix is supposed to be released on Tuesday for this issue. I hope that is the case.
After the update, we were having an issue where long-established installed printers all of a sudden said they needed driver updates. Nothing had changed printer-wise, only the installation of KB5005031 & KB5005033. Users were being prompted to install the driver update, and it looked like it was installing, but at the very end would fail with an error code of 0x0000011b or 0x00000bbb. Implementing the PointAndPrint workaround from Microsoft didn't fix the issue for us.
Found a solution on Reddit; BRAVO to whoever figured this out. This uses the registry setting that negates the patch, which allows Windows to update the printer drivers, and then flips the switch back to enable the new protection. We are not sure how the patch is going to affect us with new employees and new machines, but at least we can get people printing again.
This is the part of the fix that we used: (REQUIRED a REBOOT to fully work)
How do yall manage the issues presented with the latest PrintNightmare mitigation patch? (KB5005033) : sysadmin (reddit.com)
https://www.reddit.com/r/sysadmin/comments/p5ccov/how_do_yall_manage_the_issues_presented_with_the/
Here are the steps required to deploy printers and print drivers via GPO, while still following Microsoft's recommended practices.
Note that not all of these steps may be necessary, but these are the changes I made in our environment to get this working again. Feel free to correct me if I've made a mistake.
The Microsoft article is here
- In your GPO navigate to User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0
- In your GPO navigate to User > Preferences > Control Panel > Scheduled Tasks > New Immediate Task (Windows 7 or later)
  Set the task to run as SYSTEM. Action = Start a program
  Program is cmd
  Argument is
  /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
What this does is temporarily set the registry key to 0 to allow the printer drivers to be installed, then the immediate task runs immediately after GPOs are applied and sets the registry key back to 1. These settings align with Microsoft's support article that states:
If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers: Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.
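A check to run on a client after the GPO and the immediate task have applied, confirming that the value is back to 1 and restoring it if the task did not run. This is an added example, not part of the Reddit post or Microsoft's article; the function names are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit the Point and Print driver-install restriction after GPO processing.
# Key path and value name are the ones given in the steps above.
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName = 'RestrictDriverInstallationToAdministrators'

function Get-DriverInstallRestriction {
    # Hypothetical helper: reports the raw value and whether the restriction is in effect.
    # Per the Microsoft text quoted above, "not defined" is treated the same as 1.
    $raw = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$ValueName }
    }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RawValue   = if ($null -eq $raw) { 'not defined' } else { $raw }
        Restricted = ($null -eq $raw) -or ($raw -eq 1)
        CheckedAt  = Get-Date
    }
}

function Restore-DriverInstallRestriction {
    # Hypothetical helper: writes 1, the same change the scheduled task makes with reg add.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-DriverInstallRestriction
if (-not $state.Restricted) {
    # The temporary 0 is still in place: the immediate task did not run or did not succeed.
    Write-Warning "$ValueName is $($state.RawValue) on $($state.Computer); restoring 1."
    Restore-DriverInstallRestriction
    $state = Get-DriverInstallRestriction
}
$state                                   # emit the final state for logging
if (-not $state.Restricted) { exit 1 }   # non-zero exit so a monitoring job can flag the machine
```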
UPDATE #1: We had a user that this didn't work for, but it did work for other users in the office. Not sure if maybe the switch flip was too fast for Windows to download the updated drivers. I say this because I used a more manual method to grant the admin level access. Made the user a member of the local Administrators group. Had user sign out and sign back in to make Admin level access active. Checked the printers to see if they were showing Needed Update or not. One was showing update but the other 4 were now showing as Ready. Within a few moments, that last printer showed as Ready. Removed user from Local Administrators group, and signed them out. That delay is why I wonder if maybe the above solution was too fast for this machine or maybe the network drop wiring or whatever.
UPDATE #2: This solution only works for printers already showing as installed in Windows. Not that I fully understand how printing works in Windows, but we have users that have been using printers for years and showed as a printer they could pick, but now the printer doesn't show installed. That requires a local admin level to install.
UPDATE #3: Had a user where we are using this GPO that had her printers go back to a Need Update state. Ended up doing the make user local admin, login, issue fixes itself, remove from local admin, logout and log back in.