I suddenly felt the need to disable remote connections to the client print spooler, and here is how I did it.
This is a response to the PrintNightmare incident in July 2021.
Since the service needs to be restarted after the registry value has been applied, I thought that a CI was a better choice than a GPO.
A discovery script containing:
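# Read the policy value; returns nothing if the key or value does not exist
$Status = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -ErrorAction SilentlyContinue
# 2 = the spooler does not accept remote client connections
If ($Status.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
    Return $true
} Else {
    Return $false
}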
The discovery script returns $true or $false, where $true means the policy has been applied.
And a remediation script:
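$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
Get-Service Spooler | Stop-Service -Force
# Create the policy key if it is missing; -Force overwrites an existing value
If (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
New-ItemProperty -Path $Path -Name "RegisterSpoolerRemoteRpcEndPoint" -PropertyType DWord -Value 2 -Force | Out-Null
Get-Service Spooler | Start-Service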
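
A more defensive take on the remediation, as an added example that is not part of the original post: it skips the restart when the value is already 2, and restarts the spooler in a finally block so a failed registry write does not leave printing down. The function name Set-SpoolerRemoteRpcDisabled and its parameters are made up for this example.

```powershell
# Added example. Function and variable names are illustrative, not from the original post.
function Set-SpoolerRemoteRpcDisabled {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers',
        [string]$Name = 'RegisterSpoolerRemoteRpcEndPoint'
    )

    # Read the current value; $null when the key or the value is absent.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq 2) {
        return $true   # already compliant, so no service restart is needed
    }

    # Only restart the spooler if it was running; leave a stopped spooler stopped.
    $wasRunning = (Get-Service -Name Spooler).Status -eq 'Running'
    try {
        if ($wasRunning) { Stop-Service -Name Spooler -Force -ErrorAction Stop }

        # New-ItemProperty fails when the parent key does not exist, so create it first.
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }

        # -Force overwrites an existing value (for example 1) instead of throwing.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 2 `
            -Force -ErrorAction Stop | Out-Null
    }
    finally {
        # Runs on success and on failure, so printing comes back either way.
        if ($wasRunning) { Start-Service -Name Spooler }
    }

    # Re-read the registry so the result reflects what is actually stored.
    $after = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($after -eq 2)
}

Set-SpoolerRemoteRpcDisabled
```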