Microsoft published some updated guidance yesterday for the Windows Print Spooler Vulnerability (CVE-2021-3457) and recommend securing a couple of Point and Print registry keys if they exist, in addition to deploying the security update:
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
I published detection and remediation scripts here which can be used with a compliance item in Microsoft Endpoint Configuration Manager to check if these keys exist and set them to the recommended values if they do. You could also adjust them to run as Proactive remediations scripts in Microsoft Endpoint Manager if that’s your tool.