JoshuaBauer-3596 asked

Will Microsoft fix Print Management to work after Print Nightmare?

I have a Print Server that deploys over 100 printers through group policy to our school district. We have almost two thousand students who log into different machines in the district, and deploying the printers using per-machine GPOs to computer objects in separate OUs for each classroom was the best way I could figure out to do it. I use the Print Management application extensively and it has been our district's print solution for years.

Obviously I need to have the Print Nightmare patch to prevent anyone from gaining elevated privileges. But after installing the latest updates on our servers, Print Management doesn't work. The lists for Printers and Ports, each of which had over a hundred entries, are both empty. There are no more printers or ports in Print Management. Our print server doesn't work at all anymore.

I've been in a frenzy the past couple weeks running around installing printers as local TCP/IP on each workstation. This has added a tremendous amount of work to my workload, come at a very unfortunate time (right before the start of school - and right after we lost one of our technicians who left for greener pastures) and I am already taking many calls from staff who don't know they need to select the locally installed IP printer to print.

I simply haven't had the time to install the classroom printer for all of the over 1000 computers in our district and not all students will be able to print when school starts.

This is a catastrophe for me. I need Print Management to work. This is part of the suite of server apps that comes with Microsoft Server and IMO a rather important one, at least to me. It boggles my mind that their "patch" just breaks this tool.

Is Microsoft still working on Print Nightmare? Is there a plan to fix it but still allow GPO deployed printers to work? Will Microsoft continue to support Print Management?

Thank you for your time.

windows-server-print

LimitlessTechnology-2700 answered

Hello Joshua B,

Have you checked the following article, published about how to deploy post-PrintNightmare?

https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Best regards!


JoshuaBauer-8839 answered

That article doesn't help. Setting HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint to 0 will undo the Print Nightmare patch and make our environment vulnerable to the hack.

We need to deploy printers through group policy without allowing users to use the hack to obtain elevated permissions.

Windows computers already process stuff in the background with elevated permissions even if the logged-in user does not have administrator permissions. The SYSTEM process for example does lots of things that the user may not have permissions to do. Why can't Group Policy install printers with elevated permissions even if the logged-in user only has a standard account? Surely a workaround is possible without changing this registry key setting?

Can we expect a future patch for Print Management?

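An added example, not part of the thread: a PowerShell audit of the PointAndPrint policy key discussed above, reporting whether the post-patch driver-installation restriction is still in effect on a machine. The value names (`RestrictDriverInstallationToAdministrators`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) come from Microsoft's Point and Print guidance rather than from the posts, and the function names are hypothetical.

```powershell
# Added example: audit Point and Print hardening values (read-only, changes nothing).
$KeyPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintHardening {
    param([hashtable]$Values)
    $findings = @()
    # Absent or 1: only administrators may install print drivers (patched default).
    # 0: the restriction is reverted and standard users can install drivers again.
    $restrict = $Values['RestrictDriverInstallationToAdministrators']
    if ($null -ne $restrict -and $restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-administrators can install print drivers'
    }
    # Absent or 0: warning and elevation prompts are shown for installs and updates.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $Values[$name]
        if ($null -ne $value -and $value -ne 0) {
            $findings += ('{0} = {1}: Point and Print prompts are suppressed' -f $name, $value)
        }
    }
    return ,$findings
}

function Write-AuditResult {
    param([string]$Label, [hashtable]$Values)
    $findings = Test-PointAndPrintHardening -Values $Values
    if ($findings.Count -eq 0) { "${Label}: hardened defaults in effect" }
    else { $findings | ForEach-Object { "${Label}: FINDING: $_" } }
}

# Live check of the local machine.
$names = 'RestrictDriverInstallationToAdministrators', 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
$current = @{}
foreach ($n in $names) { $current[$n] = Get-PolicyValue -Path $KeyPath -Name $n }
Write-AuditResult -Label $env:COMPUTERNAME -Values $current

# Constructed sample: a machine where the restriction was set to 0.
Write-AuditResult -Label 'sample-reverted' -Values @{ RestrictDriverInstallationToAdministrators = 0 }
```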

JoshuaBauer-3596 answered

I've been doing some Google searches and I still can't find anything that will fix my issue. We need the Print Nightmare patch installed on our machines because it's a public school district. We have users who would exploit the vulnerability if given a chance. But we also need to use Print Management to deploy printers to each classroom using group policy. We can't be the only institution that uses the Print Management utility on a Windows Print Server! Is there an ETA on when this will get fixed?
