0 Votes
OESTech-2221 asked AlexKraghJensen-2088 answered

how to fix September 2021 cumulative patch network printing

I've got a Windows 2016 print server. It hosts some Xerox copiers, older HP LaserJet printers using native drivers, and new HP LaserJet printers using the HP universal driver.

The clients are a mixture of Windows 10 and macOS Big Sur.

I installed the September cumulative quality update and many of our users are unable to print. All of the macOS users for sure, and they are the majority of users. I had to uninstall the patch (KB5005573 and KB5006669) to allow printing to resume.

So I'm not sure where to go from here. I found many articles talking about registry hacks to bypass the changes, but they have not worked on my test print server.

I tried:
HKLM\software\policy\microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators=0
and
HKLM\software\policy\microsoft\Windows NT\Printers\CopyFilesPolicy=1

  1. If someone could help me with the correct registry changes to remove the new changes and allow the PrintNightmare vulnerability, that would be a start.

  2. But then at some point I need to fix the server so we can do network printing in a secure way. I haven't really seen anything about this. I looked at the Xerox site and the newest Color C70 driver for Windows is from 2016? So what do I do?

Help

windows-server-2016 windows-server-print

0 Votes
TheAlanMorris answered

Hi,

For Windows only environments, make sure ALL Windows systems have the same patched version. Windows 7 will not get this protocol version update.

For mixed environments, Win7 and/or Macs, adding the registry key to disable the new default is the way to go.
https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\RpcAuthnLevelPrivacyEnabled with a value of 0

Please read the MS article on this protocol change.

It's designed to prevent non-Windows connections for printing.

Thanks
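
A read-only way to record which of the settings discussed in this thread are in effect on a given machine, added here as an example (not code from any poster or from Microsoft). The function name is hypothetical; the KB numbers come from the question, the Point and Print value is read from its documented `SOFTWARE\Policies` location, and 0 is treated as the relaxed state and 1 as enforced.

```powershell
# Added example: read-only audit of the print-hardening state discussed in this thread.
# It changes nothing; run it on the print server and on Windows clients and compare.
function Get-PrintHardeningState {
    [CmdletBinding()]
    param(
        # KB numbers taken from the question; adjust for the OS build being checked.
        [string[]]$KbIds = @('KB5005573', 'KB5006669')
    )

    # Registry values named in the thread.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
           Name = 'RpcAuthnLevelPrivacyEnabled' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
           Name = 'RestrictDriverInstallationToAdministrators' }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: behaviour depends on the default of the installed patch level.
            $value = $null
            $state = 'NotSet (OS default applies)'
        } else {
            $value = $item.($c.Name)
            $state = switch ($value) {
                0       { 'Relaxed' }
                1       { 'Enforced' }
                default { 'Unexpected value' }
            }
        }
        [pscustomobject]@{ Check = $c.Name; Value = $value; State = $state }
    }

    # Patch presence, so server and clients can be compared for matching versions.
    foreach ($kb in $KbIds) {
        $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check = $kb
            Value = if ($hotfix) { $hotfix.InstalledOn } else { $null }
            State = if ($hotfix) { 'Installed' } else { 'NotInstalled' }
        }
    }
}

Get-PrintHardeningState | Format-Table -AutoSize
```

A `Relaxed` row for `RpcAuthnLevelPrivacyEnabled` marks a server where the workaround above is active, which is worth tracking so it can be revisited once the non-Windows clients no longer need it.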


0 Votes
OESTech-2221 answered

YES! That worked on my test server. I applied that registry change you suggested from the article and my Mac can now print.


0 Votes
AlexKraghJensen-2088 answered

I also applied that registry change, but it doesn't work on macOS Big Sur, only on Windows.
Any ideas?
