Print server and Print Nightmare update

Manuel Galdamez 121 Reputation points
2021-08-17T16:16:05.733+00:00

Hi All,

I'm having issues with some Print Servers after running Windows Updates and installing

2021-08 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5005030)

After the update installation I'm getting the error "Connect to printer Windows cannot connect to the printer. Operation failed with error 0x0000011b" and the printer fails to install.

Is there any workaround to keep Print Servers up and running?

I cannot permanently remove the August update, because the Print Nightmare update will come again in the Sept Cumulative Update.

I also tried to revert the configurations using:
* “Allow Print Spooler to accept client connections” policy
* HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

Nothing worked. I will appreciate any advice.

Thanks,

Manuel

Windows Server Printing

54 answers

  1. Aleks Daniels 1 Reputation point
    2021-09-20T12:39:35.013+00:00

    Hello,

    I solved this problem by allowing the traffic TCP-49152-65535 (high ports) from users' workstations towards our domain controller. I did notice that before this update this traffic was dropped on the firewall but had no impact on printing. It seems that after this update this traffic needs to pass through.


  2. Shahin Mortazave 486 Reputation points
    2021-09-20T13:20:02.367+00:00

    Hi,
    I am a bit confused about where we should set up the registry keys!!
    To patch our print server correctly, should we install KB5005613 on our print server 2012R2 and also make sure KB5005565 is installed on all of the Win 10 clients? Is this enough? I did check one of the Win 10 machines with KB5005565 and it doesn't have the Print registry key at all! The print server with KB5005613 doesn't have the registry keys either!!

    Thanks


  3. Mi4c 21 Reputation points
    2021-09-24T18:45:20.607+00:00

    If you really want real answers for this issue:
    https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

    Read also
    https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-ch[…]e-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

    After the latter link's enforcement with the September updates, printing was disabled for all Mac, Linux and Windows clients.
    When a client tries to communicate with an insufficient authentication method, the server responds with access denied and an improper error message.
    There might be firewall configurations that prevent proper communication in environments where only 445/TCP is enabled; some organizations don't like to approve unintended high-port communications over TCP or UDP.
    MS has now triggered something that no one was prepared to deal with and hasn't shared enough documentation on how to properly configure these services to communicate the way they want them to communicate.

    When only 445/TCP is open, is it not enough?
    Should we open the high ports, is there any answer? Which TCP or UDP ports to establish the correct communication?
    In the printing services documentation there is the ability to configure your print server to communicate only over 445/TCP, but this now breaks with the newest security update...
    So you should enable high ports 49152-49158 TCP???
    Do we also need to enable those documented UDP ports on servers with only 445 enabled, that have the registry tweak to support non-UDP communications?

    Setting the server registry value to 0 as in my first link, which is not recommended, does get everything working again... But my concern is how to also get all Mac and Linux environments to work with this value at 1. Even if we get instructions from MS to update drivers and contact your vendor about the situation... even if we get fixed drivers for the MS environment, how about the other OSes that should print through this same share?


  4. bwilkerson217 21 Reputation points
    2021-09-28T19:06:58.657+00:00

    I see that there is a registry override for this


    Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print

    Value: RpcAuthnLevelPrivacyEnabled

    Data type: REG_DWORD

    Data:

    1: Enables Enforcement mode. Before you enable Enforcement mode for server-side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix increases the authorization level for printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server-side to enforce the client to use the new authorization level if Enforcement mode is applied. If the client device does not have the January 12, 2021 security update or a later Windows update applied, the printing experience will be broken when the client connects to the server through the IRemoteWinspool interface.

    0: Not recommended. Disables the increase authentication level for printer IRemoteWinspool, and your devices are not protected.


    I made the registry change on my Print Server (Server 2016) and was wondering if I need to do the same on all my clients?

    I know this is not recommended but there seems to be no good information on how an organization that has been using a Windows Print server for years can migrate to a solution that is more secure. If someone knows of some good step by step instruction that can guide people to deploying printers to clients in a more secure way I am all for it. Preferably something that does not require confusing scripts and PowerShell.


  5. ANGEL FG 1 Reputation point
    2021-10-07T10:28:07.307+00:00

    After installing the KB5005613 patch on the WINDOWS 2012 R2 print server, the solution applied for the W10 works fine, but not if it is applied on the W7 (a pop-up window appears with the error 0x0000011b).

    That is to add the value of the registry
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

    and to modify the gpo for "Point and Print Restrictions".

    Is there anything else to do for the W7 (Professional)?

    Thanks

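A read-only check for the two registry values discussed in the answers above (RpcAuthnLevelPrivacyEnabled under Control\Print and RestrictDriverInstallationToAdministrators under the PointAndPrint policy key), added here as an example and not posted by any participant. The function name and the State labels are hypothetical; the script assumes 1 is the protected setting for both values and reports anything else as weakened.

```powershell
# Added example: report the state of the two print-hardening registry values
# named in this thread. Nothing is written to the registry.
# Get-PrintHardeningState and the State labels are hypothetical names.
function Get-PrintHardeningState {
    $checks = @(
        @{ Path = 'HKLM:\System\CurrentControlSet\Control\Print'
           Name = 'RpcAuthnLevelPrivacyEnabled' },
        @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
           Name = 'RestrictDriverInstallationToAdministrators' }
    )

    foreach ($check in $checks) {
        $name = $check.Name
        # Returns nothing when the key or the value does not exist.
        $item = Get-ItemProperty -Path $check.Path -Name $name -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            $value = $null
            $state = 'NotSet'      # no override present on this machine
        }
        else {
            $value = $item.$name
            if ($value -eq 1) {
                $state = 'Enforced'    # assumption: 1 is the protected setting
            }
            else {
                $state = 'Weakened'    # e.g. the 0 workaround from this thread
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Value    = $value
            State    = $state
            Path     = $check.Path
        }
    }
}

# Run on the print server and on a sample of clients, then compare results.
Get-PrintHardeningState | Format-Table Computer, Name, Value, State -AutoSize
```

Rows reported as Weakened identify machines where a workaround from this thread is still in place and should be revisited once clients and drivers are updated.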