PrintNightmare - Disable Remote Printing capability

This worklet will disable the Remote Printing capability on any Windows endpoint while still allowing local printing, which mitigates remote exploitation of CVE-2021-34527.

If you would like to stop the PrintSpooler service altogether, use this Worklet: Band-Aid PrintNightmare Zero-Day Exploit on Domain Controllers

Evaluation code:

#Forces the worklet to run; alternatively, you can move the If statement below into this section to only execute on endpoints where Remote Printing is enabled.
Exit 1

Remediation code:

#Define desired registry settings:
$regPath = "HKLM:\Software\Policies\Microsoft\Windows NT"
$regKey = "Printers"
$regName = "RegisterSpoolerRemoteRpcEndPoint"

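#Check whether the registry value is already present and configured and if so, do nothing:
#(-ErrorAction SilentlyContinue suppresses the error raised when the key does not exist yet)
if ((Get-ItemProperty -Path "$regPath\$regKey" -ErrorAction SilentlyContinue).$regName -eq 2)
{
    Write-Output "Remote Printing Service already disabled on: $env:computername"
} else {

    #Create the Printers registry key only if it does not already exist,
    #so that any existing printer policy values under it are left untouched:
    if (-not (Test-Path -Path "$regPath\$regKey")) {
        New-Item -Path "$regPath\$regKey" | Out-Null
    }

    #Create and set the new DWORD registry entry and value to disable remote printing operations:
    Set-ItemProperty -Path "$regPath\$regKey" -Name $regName -Value 2 -Type DWord

    Write-Output "Remote Printing Service disabled on: $env:computername"
}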

#
#To re-enable remote printing operations, uncomment the following line to delete the DWORD registry entry:
#Remove-ItemProperty -Path $regPath\$regKey -Name $regName
#

# Restart the Print Spooler service for changes to take effect:
Restart-Service -DisplayName 'Print Spooler' -Force
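
The evaluation comment above notes that the check can be moved into the evaluation section so that remediation only runs where Remote Printing is still enabled. One way to write that evaluation script is shown here as an added example, not part of the original worklet. The function name Get-RemotePrintPolicyState is hypothetical, and the script assumes that exit code 0 skips remediation while a non-zero code triggers it, as the Exit 1 above does.

```powershell
# Added example (not from the original worklet): evaluation check.
# Assumption: exit 0 = compliant (skip remediation), exit 1 = run remediation.
$policyKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers"
$valueName = "RegisterSpoolerRemoteRpcEndPoint"

# Hypothetical helper: classify the current state of the policy value.
function Get-RemotePrintPolicyState {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )

    # Key absent: the policy has never been configured on this endpoint.
    if (-not (Test-Path -Path $Path)) { return "KeyMissing" }

    # Value absent: the key exists (other printer policies) but this one is unset.
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) { return "ValueMissing" }

    # A string value "2" would pass a loose "-eq 2" comparison in PowerShell,
    # so confirm the value is the DWORD that the remediation code writes.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "WrongType"
    }

    if ($key.GetValue($Name) -eq 2) { return "Disabled" }
    return "Enabled"
}

$state = Get-RemotePrintPolicyState -Path $policyKey -Name $valueName
Write-Output "$valueName state on ${env:computername} is $state"

# Only the correctly typed value of 2 counts as compliant; every other
# state (missing key, missing value, wrong type, other value) is remediated.
if ($state -eq "Disabled") {
    Exit 0
} else {
    Exit 1
}
```

The reported state string also gives a per-endpoint record of why remediation ran, which helps when reviewing results across a fleet.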