question

This just hit us this morning too. 9/15/2021. No one can print to the network printers.
I removed KB5005613 from our server and rebooted the server and that fixed it. Had to do that at all 8 of our branch offices too.
Microsoft updates seem to be more like hackers. Not professional.

I've got a good one Microsoft may not actually be devising a fix for this but...
Got the above error with a twist. We don't use PointandPrint... All our (I say "all" when things are running smoothly) printers are published using GPO's to targeted computers, not users. Every computer is named in such a way we can identify groups of computers based on location, department and OS. When a new computer is joined to the domain, the computer is added to several groups. One of the groups they are added to are used for multiple policies. The policies are designed to publish as few as one to as many as a dozen printers to that computer. So there's no user interaction when installing a printer. RestrictDriverInstallationToAdministrators - 0 is being used on a case by case basis for people who absolutely must print to keep our business running. Corporate is going to be some pissed with the AD guy because he can't get printers to deploy any more. Not a fun place to be. Never have I seen something like this before. Oh, there's been inconveniences but never a total blockage. I spun up a new 2019 server and started building V4 ONLY queues with still no joy. This is the crap suicides are made of.

Today, 16 September 2021, I got the same problem, cannot print to printer on the server. Fortunately, I read this article and then I can assume what was happen to me, is caused by BAD Windows update. Then, I check Updates history, and find one update installed on 15 September 2021 (Security updates KB5005565). So, I uninstall it, and reboot. And, YES, the printer works normally, ... God Bless Us.. Alhamdulillah, Amiin

The correct way to fix this may lie in following this flowchart to ensure that remote exploitation of PrintNightmare is not possible while allowing Point and Print
I will update this later with any progress I find in this. If you can, please do not set RestrictDriverInstallationToAdministrators to 0 as this will make you vulnerable.

-thank you

IIf you really want really answers for this issue:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Read also
https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-ch[…]e-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

After the later link enforcement with septermber updates all MAC-, Linux- and windows-clients printing ability was disabled.
When client tries to communicate unsufficient authentication method the server responsed access denied with unproper error message.
There might be a firewall configurations to prevent proper communications in environments where only 445/TCP is enabled, some organizations doesn't like to approve unintended high ports communications with TCP nor UDP.
MS has now triggered something that no-one was prepared to deal with and haven't shared enought documentation how to properly configure these services to communicate how they want them to communicate

.When only 445/TCP open, it is not enough ?
Should we open the high ports, is there any answer? which TCP or UDP to establish the correct communication?
IIn documentations of printing services there is ability to configure your print server to communicate only with 445/TCP, but this breaks now with the newest security update...
So you should enable high ports 49152-49158 tcp ???
Do we need to enable those documented udp ports also with 445 only enabled servers? that have the registry tweak to support non udp communications?

This problem caused allot of pain in our environment 600 users couldn't print.

This was our fix and it works immediately:

Create a GPO in the computer configuration:

https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

NoWarningNoElevationOnInstall = 1
UpdatePromptSettings = 1
RestrictDriverInstallationToAdministrators - 0

This solved our issue.

Regards

Interesting question this one as it seems this PrintNightMare patch has caused an even bigger nightmare...

I've also implemented the GPO to restrict the point and print down to a specified list of print server and am seeing somewhat inconsistent results with the behaviour of this - adding the printers print queue seems to be possible sometimes but others not, when adding/ installing the drivers for a shared printer from the print server directly no issues this can continue without the UAC prompt.

My troubleshooting has led to me adding the print queue class (1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc) into the GPO option to enable specified device classes to be installed seems to work really well - I am now able to install the print queue drivers without any issues.

Hi,

Same here, forced to uninstall the monthly KB on Windows 2019 in order to permit to Windows 7 users to continue to print... Very long reboot after the uninstall, but users can print now... How correct this ?

Push the printer drivers for your devices to your users using SCCM. Make sure when you extract the drivers from your print servers that you use an Administrator account. Once the users have the printer drivers they will no longer be prompted for an elevated user. I realize that the package is going to be large. If you use x86 and x64 bit driver packages it will increase the package size, but for some of us in large enterprises old applications and equipment still utilize these. Remember, the GPO states that if the DRIVER is new or updated you will be prompted. It doesn't prompt because you are installing a new device. If you already have the driver it will not prompt you for an elevated account.

got us today, and I had already put the RestrictDriverInstallationToAdministrators - 0 key into place previously. It hit us when KB5005613 got installed on our print servers. Still testing, but I believe uninstalling 5613 fixed it.

Same problem here on server 2012 r2, except the next day the update just reinstalled. Wish Microsoft would hurry up and fix this plagued update.

Hi,
All 4 of my windows 10 computer have this error

I started getting calls from clients over the last 4-6 weeks about a "shared" printer suddenly could not be accessed. The networks are typically small 10-15 PCs in a non-AD environment in veterinarian clinics.

The printer status column shows "driver needs update". You click to update and it fails - Cannot Connect to Printer. If I remove the shared printer and try to connect to it again, the Cannot Connect message comes up again.

After many hours of trying everything under the sun, I added the user account/password (for every user needing to access the printer) to the PC where the "shared" printer is actually installed (USB). I could then immediately connect.

I haven't had any problems with Ethernet connected network printers - just the shared printers (i.e. DYMO label) attached to a PC.

I think the problems everyone are having is related to whatever security update Microsoft recently put out there. Would sure be nice to see an error message that gave some useful information instead of 0X000001B or whatever.

Nuff Said!

When rolling back the dodgy update is it on the server machine, the client PCs or both?

Hi Everyone,
Is the September patches affecting already mapped printers or newly mapped?
My Print server is 2016 and clients are W10.
We have a Win 10 UAT groups and the update KB5005565 installed fine and no users complained.
However I am not sure if this is affecting newly mapped printers? As in user connect to print server and select the printer and the drivers come down?
Thanks M

Just apply all the windows updates. specially H20. after that check there are no more updates. issue will be fixed. The work around is to add the printer locally (manually).

I I have all Widows 10 computers and and a Windows 2012 R2 Printserver.
I I unistalled update 5005613 from the printer Server and all printers started printing on Wed September 16th 2021. The next morning bright and early the calls started coming in that peoples printers would not print again. So I Looked that the print server update and It had reinstalled itself. I uninstalled it and they all started printing again. Today is Monday, September 20th and I have had to uninstall it everyday. It did not affect all my network printers, just some of them. I am hoping for a fix on Tuesday ( with fingers crossed) but I have also deleted some of the affected printers and reinstalled them with an adiministrator rights and the IP address. I will retrun tomorror and let you know if it helped.

None of the reg hacks worked for me. Bringing the problematic computer UptoDate with windows worked like a charm.

Regards,

I have tray almost all of the solutions in this topic and no thing works with me,

I have try to remove updates, registry records and even 3rd party solutions and others option

tI notice then this not only one update, it seams that it is more than one update from 8-2021 until now on windows server and windows 10

so i have install all updates and after September 14, 2021—KB5005565 installed on windows 10 then try again the registry value of "RestrictDriverInstallationToAdministrators" and set it to 0 and and surprise ... it's works .. it's works

this topic is very helpful to me, thanks for it's author

https://www.anthonyfontanez.com/index.php/2021/08/12/printnightmare-point-and-print/

After workstations are fully patched, is it safe to turn on remote printing to shared printers again?
Remove HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint = 2

Thank you for the help,

Sean

I was able to resolve the issue by removing 5005568 from the print server

this is only affecting Print servers and Network printres correct? no other server to client printing?

I am experiencing a similar issue but it has to do with Deployment of Printers from GPO. If a user had already gotten their prints from GPO they are present and work. If users need printers to load from GPO they will not. When we run gpupdate /force we get this "Windows failed to apply the Deployed Printer Connections settings. Deployed Printer Connections settings might have its own log file. Please click on the "More information" link."

All other GPOs are processing and working properly.

Since I list all printers in the Directory. I can still install the printers manually from the Printer Servers through "Add Printer" and they install without issue even for none admin users.

Microsoft has really made a mess with this recent security update. Did they every test this with GPO deployment of printers before dumping it out there?

Anyone else seeing this behavior? Has anyone fixed this behavior?

Best way around it that I found is to install the printer manually using a local port. No registry changes needed, and doesn't bypass any security patches put in place by Microsoft. Created a video on it: https://youtu.be/QwnOh69dlM8

So, after following this message board and following most of what has been done before. E.g preloading drivers, placing DLLs in C:\Windows\System32\spool\drivers\x64\3, or some other changes, only half worked or was inconsistent. I came up with the approach below. I am aware that this will allow the vulnerability, but it will restrict it to a single or chosen print servers, which you can monitor with any desired VS/Network tools. Also make sure that DC have printer server spooler turned off (which you should be doing anyway) and the printer server is NOT facing the outside/externally (which to me would be nuts!) then this way will work for you….

This approach will do the following,
Allow a certain print server to install to non admins. All other print servers or other machines are not allowed to add drivers via non admin accounts.

Allow you to carry on using GPO while you move to a better process like uni print.

No extra settings need to be added or reloaded via Intune/SCCM

Create the following rekey’s in GPP via Computer – Preferences – Windows settings – Registry – DO NOT USE A POLICY for some of the settings EVEN though they are located in the point and print template…..as this will not apply correctly. ALSO MAKE SURE THAT YOU ALSO APPLY IN ORDER AS MENTIONED BELOW 1-9. It’s very important the “RestrictDriverInstallationToAdministrators” is last to be applied. Also just apply it to your Machine OUs and you don’t have to change your existing printer policy.

I'm having the exact same issue but I have NONE of those updates nor on my server or my Win10 workstations. Anybody found a workaround that won't involve uninstalling updates? Server is 2016.

I'm having the exact same issue but I have NONE of those updates nor on my server or my Win10 workstations. Anybody found a workaround that won't involve uninstalling updates? Server is 2016.

Those CU are real mess....
Since months now we are strungling by uninstall all CU for servers since the 21-07 because each time it breaks printing on rds / print servers.
We tried all solutions with the point and print restrictions, registry keys, it doesnt work, the only solution for us is to uninstall the cumulative updates for servers.
But the problem is that nexts CUs applies the same things, so for now we had to stop CU since July, which is not secured at all for long time.

When the CU are installed, the problems are :
- The printers are not anymore deployed with GPO
- We cant manage printers anymore, bugs while adding/removing printers
- Sometimes printers are deployed duplicated like this : PRINT1 and PRINT1.domain.local with nothing inside.
- Beside GPO failing, we cant add printer manually fromt print server. error when installing

We have those issues randomly on severals clients sites, the only solution that works is to uninstall the CU on the print server and the TS.
We have an IT assets management tool, so we are able to prevent installation of specific updates such as the CUs, but we cant continue like this.

Printers are up to date with very last drivers, but it doesnt help at all.

I'm sorry to bother but the point and print restriction gpo solution doesnt work also.

Does anyone knows another way to be protected, updated and PRINTERS WORKS normally ?