
This worklet will disable the Remote Printing capability on any Windows endpoint while still allowing local printing, which mitigates remote exploitation of CVE-2021-34527.



If you would like to stop the PrintSpooler service altogether, use this Worklet: Band-Aid PrintNightmare Zero-Day Exploit on Domain Controllers



Evaluation code:





#Forces the worklet to run; alternatively, you can move the If statement below into this section to only execute on endpoints where Remote Printing is enabled.
Exit 1





Remediation code:



#Define desired registry settings:
$regPath = "HKLM:\Software\Policies\Microsoft\Windows NT"
$regKey = "Printers"
$regName = "RegisterSpoolerRemoteRpcEndPoint"

#Check whether the registry value is already present and configured and if so, do nothing:
#(-ErrorAction SilentlyContinue suppresses the error raised when the Printers key does not exist yet)
if ((Get-ItemProperty -Path "$regPath\$regKey" -ErrorAction SilentlyContinue).$regName -eq 2)
{
    Write-Output "Remote Printing Service already disabled on: $env:computername"
} else {

    #Create the new Printers registry key, but only if it is missing, so existing printer policies are kept:
    if (-not (Test-Path -Path "$regPath\$regKey")) {
        New-Item -Path "$regPath\$regKey" -Force | Out-Null
    }

    #Create and set the new DWORD registry entry and value to disable remote printing operations:
    Set-ItemProperty -Path "$regPath\$regKey" -Name $regName -Value 2 -Type DWord

    Write-Output "Remote Printing Service disabled on: $env:computername"
}

#
#To re-enable remote printing operations, uncomment the following line to delete the DWORD registry entry:
#Remove-ItemProperty -Path "$regPath\$regKey" -Name $regName
#

# Restart the Print Spooler service for changes to take effect:
Restart-Service -DisplayName 'Print Spooler' -Force
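
The evaluation comment above notes that the check can be moved into the evaluation section so the worklet only runs where remote printing is still enabled. One way to write that evaluation, as an added example rather than the worklet author's code; the function name `Test-RemotePrintingDisabled`, the `Exit 0` convention for compliant endpoints, and the skip for endpoints whose spooler is disabled are assumptions:

```powershell
# Added example (not the worklet author's code): evaluation script that only
# triggers remediation when the policy value is missing or wrong.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
$valueName = 'RegisterSpoolerRemoteRpcEndPoint'

function Test-RemotePrintingDisabled {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name
    )
    # A missing key means the policy was never configured.
    if (-not (Test-Path -Path $Path)) { return $false }

    $key = Get-Item -Path $Path
    # GetValue returns the supplied default ($null) when the value is absent.
    $value = $key.GetValue($Name, $null)
    if ($null -eq $value) { return $false }

    # The remediation writes a DWORD; a string "2" would also satisfy -eq 2,
    # so check the stored type explicitly.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false
    }
    return ($value -eq 2)
}

# Assumption: an endpoint whose Print Spooler service is absent or disabled
# (for example via the companion worklet) needs no change from this one.
$spooler = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue
if ($null -eq $spooler -or $spooler.StartType -eq 'Disabled') {
    Write-Output "Print Spooler not present or disabled on: $env:computername"
    Exit 0
}

if (Test-RemotePrintingDisabled -Path $policyKey -Name $valueName) {
    Write-Output "Remote printing already disabled on: $env:computername"
    Exit 0   # Assumed convention: 0 = compliant, remediation is skipped
} else {
    Write-Output "Remote printing policy not set on: $env:computername"
    Exit 1   # As on the page: a non-zero exit runs the remediation code
}
```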