Print server and Print Nightmare update

Manuel Galdamez 116 Reputation points
2021-08-17T16:16:05.733+00:00

Hi All,

I'm having issues with some Print Servers after running Windows Updates and installing

2021-08 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5005030)

After the update installation I'm getting the error "Connect to printer Windows cannot connect to the printer. Operation failed with error 0x0000011b" and the printer fails to install.

Is there any workaround to keep Print Servers up and running?

I cannot permanently remove the August update, because the Print Nightmare update will come again in Sept Cumulative Update.

I also tried to revert the configurations using:
* “Allow Print Spooler to accept client connections” policy
* HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

Nothing worked. I will appreciate any advice.

Thanks,

Manuel

Windows Server Printing

54 answers

  1. Mark K 61 Reputation points
    2021-08-17T22:53:00.48+00:00

    UPDATE #4: I have heard rumor that a fix is supposed to be released on Tuesday for this issue. I hope that is the case.

    After the update, we were having an issue where long established installed printers all of a sudden said they needed driver updates. Nothing had changed printer-wise, only the installation of KB5005031 & KB5005033. Users were being prompted to install the driver update, and it looked like it was installing, but at the very end would fail with an error code of 0x0000011b or 0x00000bbb. Implementing the PointAndPrint workaround from Microsoft didn't fix the issue for us.

    Found a solution on Reddit; BRAVO to who figured this out. This uses the registry setting that negates the patch, which allows Windows to update the printer drivers, and then flips the switch back to enable the new protection. We are not sure how the patch is going to affect us with new employees and new machines, but at least we can get people printing again.

    This is the part of the fix that we used: (REQUIRED a REBOOT to fully work)

    How do yall manage the issues presented with the latest PrintNightmare mitigation patch? (KB5005033) : sysadmin (reddit.com)

    https://www.reddit.com/r/sysadmin/comments/p5ccov/how_do_yall_manage_the_issues_presented_with_the/

    Here are the steps required to deploy printers and print drivers via GPO, while still following Microsoft's recommended practices.
    Note that not all of these steps may be necessary, but these are the changes I made in our environment to get this working again. Feel free to correct me if I've made a mistake.
    The Microsoft article is here

    1. In your GPO navigate to User > Preferences > Registry and add the new registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" RestrictDriverInstallationToAdministrators as a DWORD value of 0
    2. In your GPO navigate to User > preferences > Control Panel > Scheduled Tasks > New Immediate task Windows 7 or later
      Set the task to run as SYSTEM. Action = Start a program
      program is cmd
      Argument is

    /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f

    What this does is temporarily set the registry key to 0 to allow the printer drivers to be installed, then the immediate task runs immediately after GPOs are applied and sets the registry key back to 1. These settings align with Microsoft's support article that states:
    If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers: Temporarily set RestrictDriverInstallationToAdministrators to 0 to install printer drivers.

    UPDATE #1: We had a user that this didn't work for, but it did work for other users in the office. Not sure if maybe the switch flip was too fast for Windows to download the updated drivers. I say this because I used a more manual method to grant the admin level access. Made the user a member of the local Administrators group. Had user sign out and sign back in to make Admin level access active. Checked the printers to see if they were showing Needed Update or not. One was showing update but the other 4 were now showing as Ready. Within a few moments, that last printer showed as Ready. Removed user from Local Administrators group, and signed them out. That delay is why I wonder if maybe the above solution was too fast for this machine or maybe the network drop wiring or whatever.

    UPDATE #2: This solution only works for printers already showing as installed in Windows. Not that I fully understand how printing works in Windows, but we have users that have been using printers for years and showed as a printer they could pick, but now the printer doesn't show installed. That requires a local admin level to install.

    UPDATE #3: Had a user where we are using this GPO that had her printers go back to a Need Update state. Ended up doing the make user local admin, login, issue fixes itself, remove from local admin, logout and log back in.


  2. Darren Whitehead 16 Reputation points
    2021-09-23T10:16:58.143+00:00

    Hi, not sure if this method is already out there? I work in a college and this printer problem has caused absolute chaos for us.

    Tried this and it works (Windows 10)

    1. Click Start > Control Panel - Devices and Printers.
    2. Click Add a Printer
    3. Select The Printer that I want isn’t listed
    4. Select Add a local printer or network printer with manual settings.
    5. Select Create a new port, select Local Port for the Port Type, and click Next.
    6. For Port Name, enter \\SERVER\PRINTER_Name
    7. Select the printer driver (should already be installed - if was mapped previously via GPO)
    8. Follow the rest of the wizard.

    For our technicians, we also use PDQ Deploy, this is our PowerShell script - (Konica Universal Driver)

    # Stage the driver package from the share into the local driver store
    pnputil.exe /a "\\SERVER\KONICA_UNIVERSAL_3100\DRIVER\win_x64\KOBS2J__.inf"
    # Register the staged driver with the spooler
    Add-PrinterDriver -Name "Konica Minolta Universal PCL v3.1" -InfPath "C:\Windows\System32\DriverStore\FileRepository\kobs2j__.inf_amd64_1b513fbff74c1b8b\KOBS2J__.inf"
    # Create a Local Port named after the UNC path (same as step 6 above); the port name must match -PortName below
    Add-PrinterPort -Name "\\SERVER\PrintQueue"
    Add-Printer -DriverName "Konica Minolta Universal PCL v3.1" -Name "PrintQueue Local" -PortName "\\SERVER\PrintQueue"


  3. Greg O 11 Reputation points
    2021-09-17T14:41:49.047+00:00

    Hello,

    As for the problem which a lot are facing around printing after September MS patching ("Access Denied", "0x0000011b"), please look into CVE-2021-1678:
    https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

    Initially the patch has been deployed in January but September patching brought "enforcement" of the security change (which may lead to issues).

    A workaround (though not a secure one) is to add a registry entry on the print server (and restart the Spooler):
    Key: HKLM\SYSTEM\CurrentControlSet\Control\Print
    Value: RpcAuthnLevelPrivacyEnabled
    Value data: 0 (DWORD)

    Regards
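
Added example (not part of any post in this thread, and not Microsoft's code): a read-only PowerShell audit of the two registry values that the answers by Mark K and Greg O describe setting to 0, useful for finding machines where a workaround was left in place. The function name `Get-PrintHardeningState` is hypothetical, and treating a missing value as the protected default on a patched system is an assumption based on the support articles referenced above.

```powershell
# Added example: read-only audit of the print hardening values named in this thread.
# Get-PrintHardeningState is a hypothetical helper name, not a built-in cmdlet.
$PrintChecks = @(
    @{
        Path   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        Name   = 'RestrictDriverInstallationToAdministrators'
        Source = 'KB5005652'
    },
    @{
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
        Name   = 'RpcAuthnLevelPrivacyEnabled'
        Source = 'KB4599464 (CVE-2021-1678)'
    }
)

function Get-PrintHardeningState {
    param([hashtable[]]$Checks = $PrintChecks)

    foreach ($check in $Checks) {
        # A missing key or value is not an error here; it means "not defined".
        $item  = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($check.Name) } else { $null }

        $state = if ($null -eq $value) {
            'NotDefined'   # assumption: a patched system treats this as protected
        } elseif ($value -eq 0) {
            'Weakened'     # a workaround from this thread is still in place
        } else {
            'Enforced'
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $check.Name
            Data     = $value
            State    = $state
            Source   = $check.Source
        }
    }
}

$report = Get-PrintHardeningState
$report | Format-Table -AutoSize

# Surface weakened machines to whatever collects the script output.
if ($report.State -contains 'Weakened') {
    Write-Warning "$env:COMPUTERNAME has a print hardening value set to 0."
}
```

On a client using the GPO from the first answer, `Weakened` for `RestrictDriverInstallationToAdministrators` means the immediate task that sets the value back to 1 did not run. `RpcAuthnLevelPrivacyEnabled` is checked on the print server, which is where Greg O's workaround sets it.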


  4. Enju Anasenko 6 Reputation points
    2021-09-15T09:51:41.45+00:00

    Same problem here with a printer shared on local network. Tried everything here I think and it still doesn't work.
    PC1 has the printer connected to it and sharing.
    PC2 after I tried removing the borked one can no longer install it with error 0x11b.
    PC2 can see the other machine just fine and browse the shared files as well.
    Both have admin accounts and the update KB5005565, what the hell?
    UPDATE1: Even after adding it manually with local port and assigning driver it still doesn't work.
    UPDATE2: Soo yeah uninstalling update KB5005565 on our 70~ or so machines worked like a champ. Thanks Microsoft.
    Have to deal with the consequences still today as well zzzzz


  5. Marek Sedláček 6 Reputation points
    2021-09-16T08:27:58.057+00:00

    Hello guys,
    can somebody please help me? I have this problem in a small company (after update KB5005565) where a printer is shared between users on workstations. I can't remove this update. I tried this:
    I made a list of packages with: dism /online /get-packages /format:table, then selected the affected update for the remove command dism /online /remove-package /packagename: etc
    But this fails with error 0x800f0905
    Currently I can't print and have not found any solution for this :-(
    Many thanks. Marek


  6. Alan Morris 926 Reputation points
    2021-09-16T21:33:13.127+00:00

    @Joakim c
    I am not expecting Microsoft to be patching Windows 7 with the updated protocol methods but I could be wrong.

    Add the Windows LPD service to the print server

    On the Windows 7 client systems create a local printer using a Standard TCP/IP targeting the IP or hostname of the print server.

    The print system issues an SNMP call which will fail to the LPD service on the print server. You will land on this page. Be patient, 60 to 60 seconds. Select Custom

    Configure the port as LPR. The Queue Name is the printers Share name. Make it easy on yourself and do NOT have spaces in the share name. You must select LPR Byte Counting Enabled.


    Finish adding the printer with the proper driver. When you send the test page, you will see the job owner as "USER (IP of client system)"

    This solution should completely bypass the update from yesterday.


  7. Dan Campbell 1 Reputation point
    2021-08-17T18:21:44.513+00:00

    Manuel,

    We recently experienced this in our environment but have yet to pinpoint the update that might have caused this. Current fix for us is running the below command in elevated command prompt as administrator account on the impacted machine :

    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

    My assumption is that a Windows update changed the way that Windows is handling print jobs and is looking at the registry to see if this key exists. If it does not exist it will not allow non admin accounts to install the driver. If it does exist, it must be set to 0 and not 1 for non admins to install.

    Let me know how it goes.

    Dan


  8. Bill V 6 Reputation points
    2021-08-17T22:59:27.353+00:00

    I'm seeing this same behavior Mark, as are a lot of folks. With the patch installed I can't install a printer from a print server even with local admin privileges via GUI or command line. I don't want to disable the protections provided by this patch but it's my only viable option at this point. I wonder if the users will be prompted for credentials more than once if you use the scheduled task workaround.

    Microsoft, please provide a more workable solution to this vulnerability.


  9. frup 1 Reputation point
    2021-08-19T12:46:53.09+00:00

    We had the problem too and could solve it. We had to use a combination of all mentioned solutions + some parts of: kb5005652

    We had to create a GPO with:

    1. Reg-Key: "RestrictDriverInstallationToAdministrators" = 0
    2. Package Point and Print - Approved servers: just list all your print servers (see KB5005652 at the end of the article) and
    3. Point and Print Restrictions:
      • Users can only point and print to these servers (not checked)
      • Users can only point and print to machines in their forest (checked)
      • When installing drivers for a new connection: Show warning and elevation prompt
      • When updating drivers for an existing connection: Show warning and elevation prompt

    I know Part 3 does not really match the other settings but it was just a quick and dirty solution. At the moment the users can print. Please reply if you have any similar experience.

    BTW: I really don't know if this breaks the PrinterNightmare fix. But our >3.000 customers had to print again...

    kind regards


  10. sung han 1 Reputation point
    2021-08-20T14:16:41.797+00:00

    I am not the only one. lol.
    I just screwed my print server, had to roll back the update. Is the registry addition MS's official one?
