This worklet disables the Remote Printing capability on any Windows endpoint while still allowing local printing, which mitigates remote exploitation of CVE-2021-34527.
If you would like to stop the PrintSpooler service altogether, use this Worklet: Band-Aid PrintNightmare Zero-Day Exploit on Domain Controllers
Evaluation code:
#Forces the worklet to run; alternatively, you can move the If statement below into this section to only execute on endpoints where Remote Printing is enabled.
Exit 1
Remediation code:
#Define desired registry settings:
$regPath = "HKLM:\Software\Policies\Microsoft\Windows NT"
$regKey = "Printers"
$regName = "RegisterSpoolerRemoteRpcEndPoint"
#Check whether the registry value is already present and configured and if so, do nothing:
if ((Get-ItemProperty -Path $regPath\$regKey -Name $regName -ErrorAction SilentlyContinue).$regName -eq 2)
{
Write-Output "Remote Printing Service already disabled on: $env:computername"
} else {
#Create the Printers registry key only if it does not already exist (New-Item errors on an existing key):
if (-not (Test-Path -Path $regPath\$regKey)) { New-Item -Path $regPath\$regKey -Force | Out-Null }
#Create and set the new DWORD registry entry and value to disable remote printing operations:
Set-ItemProperty -Path $regPath\$regKey -Name $regName -Value 2 -Type DWord
Write-Output "Remote Printing Service disabled on: $env:computername"
}
#
#To re-enable remote printing operations, uncomment the following line to delete the DWORD registry entry:
#Remove-ItemProperty -Path $regPath\$regKey -Name $regName
#
# Restart the Print Spooler service for changes to take effect:
Restart-Service -DisplayName 'Print Spooler' -Force
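
The comment in the evaluation section suggests moving the registry check there so the worklet only runs where Remote Printing is still enabled. The following is an added example of such an evaluation check, not part of the original worklet; it assumes that an evaluation exit code of 0 means no remediation is needed (the inverse of the Exit 1 above), and the function name Get-RemotePrintingPolicyState is hypothetical.

```powershell
# Added example: evaluation check for the RegisterSpoolerRemoteRpcEndPoint policy.
# Assumption: exit 0 = already compliant (skip remediation), exit 1 = run remediation.
$regPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
$regName = 'RegisterSpoolerRemoteRpcEndPoint'
$desired = 2   # the value the remediation code writes to disable remote printing

function Get-RemotePrintingPolicyState {   # hypothetical helper name
    param([string]$Path, [string]$Name, [int]$Expected)

    # Key absent: the policy has never been configured on this endpoint.
    if (-not (Test-Path -Path $Path)) { return 'KeyMissing' }

    # Key present but value absent: suppress the provider error and test for $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }

    # PowerShell treats the string "2" as equal to 2, so confirm the value
    # is stored as a DWORD before comparing its data.
    $kind = (Get-Item -Path $Path).GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType:$kind" }

    $value = $item.$Name
    if ($value -ne $Expected) { return "WrongValue:$value" }

    return 'Compliant'
}

$state = Get-RemotePrintingPolicyState -Path $regPath -Name $regName -Expected $desired
Write-Output "$env:COMPUTERNAME RegisterSpoolerRemoteRpcEndPoint state: $state"

# Only a correctly typed DWORD of 2 counts as compliant; everything else triggers remediation.
if ($state -eq 'Compliant') { exit 0 } else { exit 1 }
```

The state string written to the output makes it possible to tell from the activity log why an endpoint was sent to remediation (missing key, missing value, wrong type or wrong data).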