Disable Remote Print Spooler connections with CI

I suddenly felt the need to disable remote connections to client print spooler, and here is how I did it.

This is an action to the PrintNightmare incident in July 2021.

Since the service needs to be restarted after the register value has been applied, I thought that a CI was the better choice compared to a GPO. 

A discovery script containing:

$Status = Get-ItemProperty -Path "HKLM:\\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -ErrorAction SilentlyContinue

IF ($Status.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
    Return $true
} Else {
    Return $False

The Discovery script will return $true/$false where true is that the policy has been applied.

and a remediation script:

Get-Service Spooler | Stop-Service -Force
New-ItemProperty -Path "HKLM:\\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -PropertyType Dword -Value 2
Get-Service Spooler | Start-Service -Force