Microsoft shares mitigation for recent Windows Server printing issues
Microsoft has released temporary mitigation information for a known issue that could cause print and scan failures on multiple versions of Windows Server after installing the July 2021 security updates on domain controllers.
As the company revealed last week, the known issue is affecting printers, scanners and multifunction devices that use smart card authentication (PIV) and do not comply with CVE-2021-33764 hardening changes.
“On July 13, 2021, Microsoft released hardening changes for CVE-2021-33764. This can cause this problem when you install updates released on July 13, 2021 or later on a domain controller (DC),” Microsoft explains.
“The affected devices are printers, scanners, and smart card authenticating MFPs that do not support Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication or do not advertise the support for des-ede3-cbc ("triple DES") during Kerberos AS request.”
Customers who experience this issue are advised to first check if they have the latest drivers and firmware installed on the affected devices.
If the known issue persists on up-to-date devices, affected customers should contact the device manufacturer and request any setting changes or updates that make the printer or scanner compliant with the CVE-2021-33764 hardening deployed via the July Windows 10 security updates.
Temporary mitigation for non-compliant environments
If no update is available from device manufacturers, Microsoft is providing temporary mitigation for Windows Server domain controllers while working to bring printing or scanning devices into compliance.
“You must have your non-compliant devices updated and brought into compliance or replaced by February 8, 2022, when the temporary mitigation will not be usable in security updates,” adds Microsoft.
Affected customers are advised to take the following steps on all domain controllers to mitigate ongoing printing and scanning issues:
On your domain controllers, set the temporary mitigation registry value listed below to 1 (enable) using Registry Editor or the automation tools available in your environment:
reg add HKLM\System\CurrentControlSet\Services\Kdc /v Allow3DesFallback /t REG_DWORD /d 1 /f
Install an update that enables temporary mitigation available in updates released on July 27, 2021 or later (below are the first updates that allow temporary mitigation):
Restart your domain controller.
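An added example, not from Microsoft's guidance or the original article: a PowerShell audit that reports the state of Allow3DesFallback on every domain controller, so the temporary mitigation can be applied consistently and removed once devices are compliant. It assumes the ActiveDirectory RSAT module and PowerShell remoting to the DCs; the variable names are illustrative.

```powershell
# Added example: audit the temporary Allow3DesFallback mitigation on all DCs.
# Assumptions: ActiveDirectory RSAT module installed, PowerShell remoting enabled.
Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\System\CurrentControlSet\Services\Kdc'  # key named in the article
$valueName = 'Allow3DesFallback'                            # value named in the article

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the value remotely; a missing value comes back as $null.
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($key, $name)
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $item.$name }
        } -ArgumentList $kdcKey, $valueName

        $state = if ($null -eq $value) { 'NotSet' }
                 elseif ($value -eq 1)  { 'Enabled' }
                 else                   { "Other($value)" }
    } catch {
        # Remoting or name resolution failed; report it rather than guess.
        $state = 'Unreachable'
    }
    [pscustomobject]@{
        DomainController  = $dc.HostName
        Allow3DesFallback = $state
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize

$enabled = @($report | Where-Object { $_.Allow3DesFallback -eq 'Enabled' })
$others  = @($report | Where-Object { $_.Allow3DesFallback -ne 'Enabled' })

# The article says to set the value on all DCs: a mixed state means the
# outcome depends on which DC answers the device's Kerberos AS request.
if ($enabled.Count -gt 0 -and $others.Count -gt 0) {
    Write-Warning 'Mitigation is enabled on only some DCs; device authentication may fail intermittently.'
}
# The mitigation is temporary; the article gives February 8, 2022 as the cutoff.
if ($enabled.Count -gt 0) {
    Write-Warning ("{0} DC(s) still allow the 3DES fallback; track them for removal." -f $enabled.Count)
}
```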
Emergency updates released for Windows 10
Microsoft also released cumulative out-of-band updates this week to address this known issue on Windows client platforms, including:
While more rollups are expected to be released to resolve the issue on all affected Windows client versions, Microsoft confirmed on Friday, when it acknowledged this known printing issue, that all affected smart card authentication devices should work as expected when using username and password authentication.
Redmond also addressed Windows 10 printing issues caused by the changes introduced in the June 2021 Cumulative Update Preview earlier this month.