Mitigate PrintNightmare CVE-2021-34527 by disabling remote print spooler RPC on Windows endpoints
This Automox Worklet™ mitigates the PrintNightmare vulnerability (CVE-2021-34527) on Windows endpoints by writing the registry value HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint to 2. That value tells the Print Spooler service to refuse remote RPC connections, which is the attack path PrintNightmare exploits to load an arbitrary driver as SYSTEM.
The mitigation preserves local printing. USB and locally installed printers continue to work, and existing local print queues keep serving users. What stops working is the inbound RPC interface that lets a remote authenticated user call RpcAddPrinterDriverEx and stage a malicious print driver.
The Worklet restarts the Print Spooler so the registry change takes effect immediately. No reboot is required, and the policy is safe to re-run; the evaluation phase is idempotent and exits cleanly on endpoints already configured with RegisterSpoolerRemoteRpcEndPoint = 2.
PrintNightmare (CVE-2021-34527) is an unauthenticated remote code execution flaw in the Windows Print Spooler. An attacker with network reach to a spooler that accepts remote RPC can drop a signed or unsigned driver and gain SYSTEM on the target. Microsoft shipped the out-of-band patch KB5004945 in July 2021 and a follow-on Point and Print hardening change later that month, but the patch alone is incomplete without the Point and Print Restrictions registry fix; NoWarningNoElevationOnInstall must remain at 0 so that driver installation prompts for an administrator. Domain controllers, RDS hosts, and any server that does not need to share printers should have the spooler stopped and disabled outright, because the RPC interface is reachable from anywhere on the management network.
The Print Spooler runs by default on every Windows install, which makes CVE-2021-34527 exposure the rule rather than the exception. Applying the RegisterSpoolerRemoteRpcEndPoint registry value through a single Automox policy run reaches unpatched servers, workstations that missed a Patch Tuesday cycle, and lab images built from older baselines. The registry change persists across reboots, so an endpoint that drifts back to a default configuration after a feature update is re-hardened on its next evaluation.
Evaluation phase: The Worklet reads HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint with Get-ItemProperty. If the key exists and equals 2, the endpoint is compliant and exits 0. Any other value – missing key, value of 1, or a different DWORD – flags the endpoint as non-compliant and queues remediation.
Remediation phase: The Worklet creates the Printers registry path if it does not exist, writes RegisterSpoolerRemoteRpcEndPoint as a DWORD value of 2, and restarts the Print Spooler with Restart-Service -Name 'spooler' -Force. Errors during remediation are caught and written to the Automox activity log with the failing line number for triage.
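The two phases above, written out as an added PowerShell example (this is not the Worklet's own code from Automox; it reproduces the behaviour the description gives). Automox runs the evaluation and remediation scripts separately, so each is shown as a function; the function names and the exit-code convention (0 = compliant or remediated, 1 = non-compliant or failed) are assumptions. The remediation also skips the service restart when the spooler has been set to Disabled by the harder lockdown described later, since Restart-Service would otherwise fail on such a host.

```powershell
# Added example of the Worklet's evaluation and remediation logic (not Automox's own code).
$RegPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
$ValueName = 'RegisterSpoolerRemoteRpcEndPoint'
$Desired   = 2   # 2 = spooler does not register its remote RPC endpoint

function Test-SpoolerRemoteRpcDisabled {
    # $true only when the value exists under the policy key and is exactly 2.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq $Desired)
}

# --- Evaluation phase (assumed function name) ---
function Invoke-Evaluation {
    if (Test-SpoolerRemoteRpcDisabled) {
        Write-Output "Compliant: $ValueName = $Desired"
        exit 0
    }
    Write-Output "Non-compliant: $ValueName missing or not $Desired"
    exit 1
}

# --- Remediation phase (assumed function name) ---
function Invoke-Remediation {
    try {
        if (-not (Test-Path -Path $RegPath)) {
            New-Item -Path $RegPath -Force -ErrorAction Stop | Out-Null
        }
        # -Force overwrites an existing value of any other type or data.
        New-ItemProperty -Path $RegPath -Name $ValueName -Value $Desired `
            -PropertyType DWord -Force -ErrorAction Stop | Out-Null

        $svc = Get-Service -Name 'spooler' -ErrorAction Stop
        if ($svc.StartType -eq 'Disabled') {
            # Hard-lockdown host (e.g. a domain controller): value written, nothing to restart.
            Write-Output 'Print Spooler is Disabled; registry value written, restart skipped'
        } else {
            Restart-Service -Name 'spooler' -Force -ErrorAction Stop
        }

        if (-not (Test-SpoolerRemoteRpcDisabled)) { throw 'Readback of registry value failed' }
        Write-Output "Remediated: $ValueName set to $Desired"
        exit 0
    } catch {
        # Line number goes to the Automox activity log for triage.
        Write-Output "Remediation failed at line $($_.InvocationInfo.ScriptLineNumber): $($_.Exception.Message)"
        exit 1
    }
}

# In the Worklet, paste the body of one function into the Evaluation tab and the
# other into the Remediation tab; run stand-alone as an administrator like this:
# Invoke-Evaluation
```

Get-ItemProperty with -ErrorAction SilentlyContinue returns $null both when the Printers key is absent and when the key exists but the value does not, so a single null check covers both non-compliant states named in the evaluation description.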
Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or any other in-support build (Windows 7 and Server 2008 R2 are also vulnerable but out of mainstream support)
Administrator privileges on the endpoint (the Automox agent runs as SYSTEM by default and meets this)
Print Spooler service installed on the target endpoint; the Worklet restarts it after writing the registry value
Pair with the July 2021 out-of-band patch (KB5004945) and subsequent cumulative updates – the registry mitigation closes the remote vector, the patch closes the local one
Confirm Point and Print Restrictions policy keeps NoWarningNoElevationOnInstall at 0 (HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint); a value of 1 re-opens the local privilege escalation path
Compatible with FixNow execution for immediate remediation during active incident response
On a remediated endpoint, HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint exists as a REG_DWORD with value 0x00000002, and the Print Spooler service is running with its remote RPC endpoint registration suppressed. Local print jobs continue to flow. Inbound RpcAddPrinterDriverEx calls from the network are rejected, which removes the PrintNightmare attack surface even on endpoints where the cumulative patch has not yet been applied.
Validate manually by running Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers' -Name RegisterSpoolerRemoteRpcEndPoint and confirming the returned value is 2. Confirm spooler health with Get-Service Spooler; the StartType should still be Automatic on a normal print-serving endpoint, or Disabled on a domain controller that received the harder lockdown. Re-running the Worklet against the remediated endpoint reports compliance without making any further change, which gives you the recurring control evidence auditors look for under the CIS Microsoft Windows Benchmarks (sections covering Print Spooler) and NIST 800-53 control SI-2 for vulnerability remediation.
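The manual validation above, together with the Point and Print check from the notes, as an added read-only audit script (not part of the Automox page or the Worklet). It gathers the registry and service evidence into one object that can be logged or exported as recurring control evidence; the function and property names are assumptions.

```powershell
# Added example: read-only compliance audit for the PrintNightmare mitigation (not Automox code).
function Get-PrintNightmareMitigationState {
    $printers = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
    $pnp      = "$printers\PointAndPrint"

    $rpc    = (Get-ItemProperty -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint' `
                 -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $noWarn = (Get-ItemProperty -Path $pnp -Name 'NoWarningNoElevationOnInstall' `
                 -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    $svc    = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue

    $state = [pscustomobject]@{
        ComputerName                     = $env:COMPUTERNAME
        RegisterSpoolerRemoteRpcEndPoint = $rpc
        RemoteRpcDisabled                = ($rpc -eq 2)
        NoWarningNoElevationOnInstall    = $noWarn
        # A value of 1 re-opens the local privilege escalation path; 0 or absent keeps the prompt.
        PointAndPrintElevationEnforced   = ($noWarn -ne 1)
        SpoolerStatus                    = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        SpoolerStartType                 = $(if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' })
    }

    # Compliant when remote RPC is off, Point and Print still prompts, and the spooler is either
    # running normally (print-serving endpoint) or disabled outright (hard lockdown).
    $spoolerOk = ($state.SpoolerStatus -eq 'Running') -or ($state.SpoolerStartType -eq 'Disabled')
    $state | Add-Member -NotePropertyName Compliant `
        -NotePropertyValue ($state.RemoteRpcDisabled -and $state.PointAndPrintElevationEnforced -and $spoolerOk)
    return $state
}

# Usage: print the evidence, then feed the Compliant flag to whatever reporting you use.
$audit = Get-PrintNightmareMitigationState
$audit | Format-List
if (-not $audit.Compliant) { Write-Warning "$($audit.ComputerName) is not fully mitigated" }
```

Because the audit only reads, it is safe to run from a monitoring job on every endpoint; a host reporting RemoteRpcDisabled = False is the signal to queue the Worklet, and one reporting NoWarningNoElevationOnInstall = 1 needs the Point and Print policy corrected separately.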
Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.