2021-07-13

CI to monitor PrintNightmare patches

With this CI in MEMCM/SCCM you can monitor which clients have received the PrintNightmare patches.

KB numbers may change in the future, so keep monitoring Microsoft patch releases and update the script with new KBs.

Updated 2021-07-13

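# Collect all hotfixes installed on the client
$AllHotfix = Get-HotFix

# KBs that contain the PrintNightmare fix (update as Microsoft releases new ones)
$PrintNightmareFix = "KB5004945","KB5004946","KB5004947","KB5004948","KB5004949","KB5004950","KB5004953","KB5004954","KB5004955","KB5004237","KB5004245"

# Compliant if at least one of the listed KBs is installed
If ($AllHotfix | Where-Object { $PrintNightmareFix -icontains $_.HotFixID }) {
    Return $true
} Else {
    Return $false
}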

2021-07-05

Disable Remote Print Spooler connections with CI

I suddenly felt the need to disable remote connections to the client print spooler, and here is how I did it.




This is an action taken in response to the PrintNightmare incident in July 2021.

Since the service needs to be restarted after the registry value has been applied, I thought that a CI was the better choice compared to a GPO.


A discovery script containing:

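# Read the policy value; $Status is $null if the key or value does not exist
$Status = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -ErrorAction SilentlyContinue

# 2 = the spooler does not accept remote client connections
If ($Status.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
    Return $true
} Else {
    Return $false
}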


The discovery script returns $true when the policy has been applied and $false otherwise.



and a remediation script:

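$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
# Create the policy key first if it does not exist, otherwise New-ItemProperty fails
If (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Get-Service Spooler | Stop-Service -Force
New-ItemProperty -Path $Path -Name "RegisterSpoolerRemoteRpcEndPoint" -PropertyType DWord -Value 2 -Force | Out-Null
Get-Service Spooler | Start-Service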
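
For troubleshooting a single client, the checks from both CIs above (installed KBs and the spooler policy value) can be combined into one report that also shows whether the spooler came back up after remediation. This is an added example, not part of the original CIs; the function name Get-PrintNightmareState and its parameters are hypothetical.

```powershell
# Added example: hypothetical helper, not part of the original CIs.
function Get-PrintNightmareState {
    param(
        # Installed hotfix IDs; defaults to what Get-HotFix reports on this client.
        [string[]]$InstalledKB = (Get-HotFix).HotFixID,
        # KB list taken from the monitoring CI; update as new KBs are released.
        [string[]]$FixKB = @("KB5004945","KB5004946","KB5004947","KB5004948","KB5004949",
                             "KB5004950","KB5004953","KB5004954","KB5004955","KB5004237","KB5004245"),
        [string]$PolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
    )

    # Which of the listed KBs are present (case-insensitive match).
    $found = @($InstalledKB | Where-Object { $FixKB -icontains $_ })

    # Read the policy value; $null means the key or the value does not exist.
    $policy = (Get-ItemProperty -Path $PolicyPath -Name "RegisterSpoolerRemoteRpcEndPoint" -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # The remediation script restarts the spooler, so report its state as well.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PatchedKB         = $found -join ","
        Patched           = $found.Count -gt 0
        PolicyValue       = $policy
        RemoteRpcDisabled = $policy -eq 2
        SpoolerStatus     = if ($spooler) { $spooler.Status } else { "NotFound" }
    }
}

# Live check on the local client
Get-PrintNightmareState

# Constructed KB input: one listed KB (lower case) plus an unrelated one.
# The policy and spooler fields are still read from the local machine.
Get-PrintNightmareState -InstalledKB "KB5003173","kb5004945"
```

A client where RemoteRpcDisabled is True but SpoolerStatus is Stopped indicates that the remediation wrote the registry value but the service did not start again.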