UPDATE (July 7, 2021)
Microsoft has announced that additional mitigations will be required to fully address the “PrintNightmare” vulnerability, a remote code execution vulnerability in the Windows Print Spooler service documented by Microsoft as CVE-2021-34527.
In addition to the patching detailed in our previous update, Microsoft also recommends changes to the Windows Registry. The IT Security Office (ITSO) has reviewed this additional measure, agrees with Microsoft’s recommendations, and will be making these changes automatically for managed desktop customers.
Unmanaged customers should consult with their local IT support provider about which mitigations need to be taken for their systems. Be aware that after making the recommended changes, new printer installations will require admin credentials and will prompt users for automatic printer installs initiated via GPO.
A very good write-up of the vulnerability and its impact can be found at the CMU CERT Coordination Center page: https://www.kb.cert.org/vuls/id/383432
For managed desktop customers
The July 7, 2021, Microsoft patches are available for installation and must be installed by July 9, 2021, at 4:00pm. The registry changes will be pushed out via SCCM Compliance Baseline either by, or in collaboration with, Desktop Engineering. Units that want this change will submit a ticket to email@example.com and we will push the change to whichever group of computers they choose.
For unmanaged desktop customers
It is recommended that you work with your local IT support provider to ensure your computer is fully patched and using the recommended Windows Registry changes.
For managed server customers
The CIT Server Farm team has already implemented mitigations to Server Farm hosts that meet or exceed the recommendations issued by Microsoft. If you have concerns about your host, please contact the CIT Server Farm team.
For unmanaged server customers
The ITSO recommends immediate installation of all Microsoft patches for CVEs 2021-34527 and 2021-1675 and the implementation of the registry changes documented below.
Registry changes: technical details (experienced admins and users with admin rights only)
- Workstations: Modify the key with the following DWORD values:
  NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
- Servers with enabled print spoolers: Modify the key with the following DWORD value:
  RestrictDriverInstallationToAdministrators = 1
Note: Changes to the Windows Registry should only be attempted by experienced administrators or users.
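A read-only check of the values listed above, as an added PowerShell example that is not part of the original notice or of Microsoft's guidance. The function name is hypothetical, and the registry key path is not given on this page, so it is a required parameter to be taken from Microsoft's guidance for CVE-2021-34527.

```powershell
# Added audit example: reads the registry only, changes nothing.
# Assumption: $KeyPath is supplied by the admin; this page does not name the key.
function Test-PrintSpoolerMitigation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [ValidateSet('Workstation', 'Server')] [string] $Role
    )

    # Expected values as listed in this notice. AllowMissing = $true means that
    # "not defined" (the default setting) is also acceptable.
    $checks = if ($Role -eq 'Workstation') {
        @(
            @{ Name = 'NoWarningNoElevationOnInstall'; Expected = 0; AllowMissing = $true },
            @{ Name = 'UpdatePromptSettings';          Expected = 0; AllowMissing = $true }
        )
    } else {
        @(
            @{ Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1; AllowMissing = $false }
        )
    }

    # If the key itself is absent, every value under it counts as "not defined".
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($c in $checks) {
        $actual = $null
        $kind   = $null
        if ($key -and ($key.GetValueNames() -contains $c.Name)) {
            $actual = $key.GetValue($c.Name)
            $kind   = $key.GetValueKind($c.Name)
        }

        # A value of the wrong type (for example a string "0") is reported as
        # non-compliant, because the notice specifies DWORD values.
        $compliant = if ($null -eq $kind) { $c.AllowMissing } else {
            ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($actual -eq $c.Expected)
        }

        [pscustomobject]@{
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = if ($null -eq $kind) { '(not defined)' } else { $actual }
            Compliant = [bool]$compliant
        }
    }
}

# Usage (placeholder path, replace with the key from Microsoft's guidance):
# Test-PrintSpoolerMitigation -KeyPath 'HKLM:\<key>' -Role Workstation | Format-Table
```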
This information is based on current knowledge of the issue. We will provide additional updates as we learn more.