Forum Discussion
Unable to Print after installing 2021-09 Cumulative Update (KB5005573)
Here is what worked for me & other partners in my field.
The spoofing vulnerability CVE-2021-1678 has been known for quite some time (in January 2021 Microsoft published something about it, see also my blog post Details of Windows NTLM vulnerability CVE-2021-1678 published). As I now gather from Benjamin Delpy's tweet above, this also affects printer RPC binding and authentication for the remote Winspool interface.
Microsoft has started to address this vulnerability via security updates in January 2021 and September 2021. To do so, a new registry entry was set that administrators could use to increase or decrease the RPC authentication level.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
When the DWORD value RpcAuthnLevelPrivacyEnabled=1 is set, Windows encrypts RPC communication with network printers or print servers. However, this security measure was rolled out in two stages via security updates:
- Since January 12, 2021, there was a so-called deployment phase for this purpose, in which administrators set this registry value
- With the security update of September 14, 2021, the enforcement phase was initiated, i.e. RPC encryption is active by default
The details can be found in the Microsoft support article Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464). This could explain the connection problems of clients with the Windows printer spooler in various scenarios. It is reported that printing is no longer possible after installing the September 2021 update.
This workaround could help
Instead of uninstalling the security update from September 14, 2021, users have come up with the idea of disabling the enforcement mode on the server.
If I interpret the above tweet correctly, disabling the relevant setting under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\
on the server allows printing again. Set the DWORD value:
RpcAuthnLevelPrivacyEnabled=0
and then restart the print spooler (see this reddit.com thread and Bleeping Computer's forum). Maybe it will help someone.
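
An added example, not part of the original post: a PowerShell audit that reports which state of the registry value described above a print server is in, so a server left on the RpcAuthnLevelPrivacyEnabled=0 workaround (RPC encryption for CVE-2021-1678 switched off) can be found and set back to 1 later. The function name and the status labels are hypothetical, chosen for this example.

```powershell
# Added example: audit the Printer RPC privacy setting discussed in the post.
# Function name and status labels are hypothetical (not a Microsoft API).
function Get-PrintRpcPrivacyState {
    [CmdletBinding()]
    param(
        # Registry key named in the post, in PowerShell provider syntax.
        [string]$KeyPath = 'HKLM:\System\CurrentControlSet\Control\Print'
    )

    $name  = 'RpcAuthnLevelPrivacyEnabled'
    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $props) {
        # Value absent: behaviour depends on patch level. Per the post, the
        # September 14, 2021 update makes RPC encryption active by default.
        $value  = $null
        $status = 'NotConfigured'
    }
    elseif ($props.$name -eq 1) {
        $value  = 1
        $status = 'Enforced'            # RPC traffic to the spooler is encrypted
    }
    elseif ($props.$name -eq 0) {
        $value  = 0
        $status = 'DisabledWorkaround'  # the workaround from the post is in place
    }
    else {
        $value  = $props.$name
        $status = 'Unexpected'          # anything other than 0 or 1
    }

    # Changing the value only takes effect after the spooler is restarted.
    $spooler      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerState = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Value         = $value
        Status        = $status
        SpoolerStatus = $spoolerState
    }
}

Get-PrintRpcPrivacyState | Format-List
```

Run it in an elevated PowerShell session on the print server; a Status of DisabledWorkaround marks a machine that still needs the value returned to 1 once clients and server are both patched.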