Microsoft shares mitigation for recent Windows Server printing issues

Microsoft has released temporary mitigation info for a known issue that might cause print and scan failures on multiple Windows Server versions after installing July 2021 security updates on domain controllers.

As the company revealed last week, the known issue impacts printers, scanners, and multifunction devices using smart card (PIV) auth and non-compliant with CVE-2021-33764 hardening changes.

“On July 13, 2021, Microsoft released hardening changes for CVE-2021-33764. This might cause this issue when you install updates released July 13, 2021 or later on a domain controller (DC),” Microsoft explains.

“The affected devices are smart card authenticating printers, scanners, and multifunction devices that don’t support either Diffie-Hellman (DH) for key-exchange during PKINIT Kerberos authentication or don’t advertise support for des-ede3-cbc (“triple DES”) during the Kerberos AS request.”

Customers who encounter this issue are advised to first check if they have the latest drivers and firmware installed on impacted devices.

If the known issue still appears on up-to-date devices, affected customers should contact the device manufacturer and ask for setting changes or updates to make the printer or scanner compliant with CVE-2021-33764 hardenings deployed via July Windows 10 security updates.

Temporary mitigation for non-compliant environments

If no updates are available from device manufacturers, Microsoft provides temporary mitigation for Windows Server DCs while working to get the printing or scanning devices into compliance.

“You must have your non-compliant devices updated and compliant or replaced by February 8, 2022, when the temporary mitigation will not be usable in security updates,” Microsoft adds.

Affected customers are advised to take the following steps on all domain controllers to mitigate ongoing printing and scanning issues:

1. On your Domain Controllers, set the temporary mitigation registry value listed below to 1 (enable) by using the Registry Editor or the automation tools available in your environment:

   reg add HKLMSystemCurrentControlSetServicesKdc /v Allow3DesFallback /t REG_DWORD /d 1 /f

2. Install an update that allows the temporary mitigation available in updates released July 27, 2021 or later (below are the first updates to allow the temporary mitigation):

   • Windows Server 2019: KB5005394

   • Windows Server 2016: KB5005393

   • Windows Server 2012 R2: KB5005391

   • Windows Server 2012: KB5005389

   • Windows Server 2008 R2 SP1: KB5005392

   • Windows Server 2008 SP2: KB5005390

3. Restart your domain controller.

Emergency updates released for Windows 10

Microsoft has also released cumulative out-of-band updates this week to address this known issue on Windows client platforms, including:

• KB5005394 (Windows 10 1809)
• KB5005393 (Windows 10 1607)
• KB5005392 (Windows 7 SP1)

While more cumulative should be released to address the issue on all impacted Windows client releases, Microsoft confirmed when acknowledging this known printing issue on Friday that all affected smart card authenticating devices should work as expected when using username and password authentication.

Redmond has also addressed Windows 10 printing issues caused by changes introduced in the June 2021 cumulative update preview earlier this month.