Allow print spooler to accept client connections Jul 13, 2021 · Add a GPO for all workstations to set Computer Configuration > Policies > Administrative Templates > Printers > set “Allow print spooler to accept client connections” to disabled to protect workstations from the exploit while still letting them print. Nov 3, 2022 · If the clients are patched someone can evaluate if this is still needed for your organization. Go to "Computer Configuration" -> "Administrative Templates" -> "Printers" Double click on "Allow Print Spooler to accept client connections" to open this directive Set the policy to "Disabled". Thanks, Manuel On Windows 11, the Group Policy option to not allow the print spooler to accept client connections breaks the ability to view print queues locally. However, all printers currently shared will Aug 25, 2021 · Hi, please i need to know how to check that the vulnerability PrintNightmare of windows Print Spooler vulnerability is fixed after applying the GPO that disables "Allow Print Spooler to accept client connections" So, after applying this… Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2. Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. Jul 3, 2021 · METHOD 1: Completely Disable Print Spooler Service If you don’t use any Printer and don’t need to print anything, you can safely disable Print Spooler service in your Windows device to prevent this vulnerability. . All other remote management functions seem to work just fine. However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. All printers currently shared will continue to be shared. Click on “Advanced Settings” and then on “Inbound Rules. The recommended state for this setting is: Disabled Note: The Print Spooler service must be restarted for changes to this policy to take effect. Remember disabling the Print Spooler service will disable the ability to print both locally and remotely. Until it's patched, you can disable the Print Spooler service to keep your PC safe from hackers. Step-6: Click on Apply and then press OK. Im trying to protect my Windows 10 Education clients from PrintNightmare with Intune. Information This policy setting controls whether the Print Spooler service will accept client connections. Jul 9, 2021 · Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. My test However, the Print Spooler service will not accept client connections or allow users to share printers. Disable the "Allow Print Spooler to accept client connections" GPO on all clients and servers that do need the ability to print Patch your printservers and hope for the best? However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. Aug 7, 2025 · This policy setting controls whether the Print Spooler service will accept client connections. For devices, that need to do print jobs- like user workstations - but not to print on behalf of remote users: Set this in Group Policy Computer Configuration\Administrative Templates\Printers\Allow Print Spooler to accept client connections - Setting: Disabled However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. The policy say's Supported on: At least Windows Server 2003. Press Win+R at the same time to launch the RUN dialog box. Jul 2, 2021 · The company is actively investigating the problem and is recommending temporarily disabling Windows Print Spooler service or blocking incoming connections to the print server whenever possible Jul 6, 2021 · Step-4: Scroll down and double-click on Allow Print Spooler to accept client connections. Allow print spooler to accept client connections If you applied that to your print server it'll be dead in the water and definitely should be rolled back. The spooler must be restarted for changes Jun 19, 2024 · Workstation printer GPO does not affect the server, confirmed with gpresult. Mar 12, 2025 · This policy controls whether the print spooler will accept client connections. Given the ongoing printer nightmare situation, we have the "Allow Print Spooler to accept client connections" disabled on all machines except the print servers. Both give me status "Not applicable". Method 2 – Registry This is ideal for those running Home editions of the operating system or those not on a domain or familiar with Group Policy. Jul 3, 2021 · Look for the option Allow Print Spooler to accept client connections, double-click on it, and select Disabled. 0 L2 MS Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. Impact: Nov 23, 2022 · This policy controls whether the print spooler will accept client connections. Step-5: Select Disabled. Jul 7, 2021 · When the policy is disabled, Microsoft says the spooler will automatically reject the client connections and prevent users from sharing printers. Aug 30, 2024 · I wonder whether set "Allow Print Spooler to accept client connections" to disabled on my devices changed something because since when I do not have any people reporting this issue Aug 28, 2014 · On a computer with the problem, go into Group Policy > Computer Configuration > Administrative Templates > Printers, enable “Allow print spooler to accept client connections”. "Allow Print Spooler to accept client connections" The vast majority of clients and servers could safely have had this disabled since the dawn of time. It's exactly what you'd call a hardening mechanism - disable a remotely accessible network service. A bit of guidance with GPO print spooler client access In relation to print nightmare I wanted to setup a GPO, to disable the Allow print spooler to accept client connections. This script is intended to mitigate Print Spooler attacks (specifically PrintNightmare CVE-2021-34527) However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. Oct 6, 2025 · Audit details for CIS Microsoft Windows Server 2019 STIG v3. Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. I don't know what's wrong, and haven't found any relevant info online. Jul 2, 2021 · Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. Jan 15, 2025 · Allow Print Spooler to accept client connections: Controls whether the print spooler will accept client connections. You may want to see this guide before proceeding: What is GPO and how can it be launched in Windows. When the policy isn't configured, the spooler won't accept client connections until a user shares out a local printer or opens the print queue on a printer connection. Aug 13, 2021 · “Allow Print Spooler to accept client connections” This should be set to Disabled on all endpoints that are not print servers, to ensure that clients cannot connect to printers shared from them. Solution To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled Administrative Templates\Printers\Allow Print Spooler to accept client connections Impact: Double-click “Allow remote connections to the Print Spooler” and select “Enabled. Type regedit and press Enter. However, the Print Spooler service will not accept client connections or allow users to share printers. Configure the settings via Group Policy as follows: - Navigate to: Computer Configuration > Administrative Templates > Printers - Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. By default, the Print Spooler service runs on all Windows servers and clients, so you can only imagine why CISA and Jul 18, 2021 · Still can't see anything in Print Management. Exit out of the Local Group Policy Editor Reboot your system for this change to Disabled to take effect. 2. I want to push out a policy to disable "Allow Print Spooler to accept client connections". Any suggestions? However, this recommendation does not mitigate against local attacks on the Print Spooler service. This policy controls whether the print spooler will accept client connections. Computer Configuration\Policies\Administrative Templates\Printers\Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template printing2. Jul 7, 2021 · NOTE: If the option Not Configured was already selected, it so happens that, by default, Allow Print Spooler to accept client connections is already enabled, So, you still must mark it as Disabled. Disable Print Spooler on every server that doesn't need it / isn't printing or sharing printers. This policy setting controls whether the Print Spooler service will accept client connections. When the Allow Print Spooler to accept client connections window opens, select “Not Configured” and then click on “Apply” and “OK” to save the changes. You must restart the Print Spooler service for the group policy to take effect. Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare However, the Print Spooler service will not accept client connections or allow users to share printers. You have to restart the Spooler service for this policy change. Note that all printers that were already shared will continue to be shared. Obviously you'd point out "except on dedicated print servers" The latest Windows 10 CIS benchmark I can find on Google without filling in a form However, the Print Spooler service will not accept client connections or allow users to share printers. Nov 30, 2016 · To fix this, you can go into Group Policy, Computer Configuration, Administrative Templates, Printers and enable the option to " Allow Print Spooler to accept client connections". Nothing worked. Select OK to apply the changes. Adjust Firewall Settings Go to Control Panel > System and Security > Windows Firewall. Any suggestions? Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2. Allow Print Spooler to Accept Client Connections - Safe to Enable now? One of the initial Print Nightmare mitigations was to disable the "Allow Print Spooler to Accept Client Connections" GPO, which we have done. The instructions from Microsoft KB on this policy state: Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2. Nov 18, 2016 · Check the following GPO: Local Computer Policies\Administrative Templates\Printers\ Allow print spooler to accept client connections >> Enable If the option 1 doesn't work, You may need to Configure the Load and unload device drivers policy setting. Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. ” Right-click and create a new rule. When the policy is unconfigured or enabled, the spooler will always accept client connections. Computer/admin templates / printers / Allow print spooler to accept client connections However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. Impact: Provided that the Print Spooler service is not disabled, applications on and users logged in to servers will continue to be able to print from the server . Jul 5, 2021 · Disable Print Spooler service on any Windows device, that does not need to print. I will appreciate any advice. Jul 6, 2021 · Setting the “Allow Print Spooler to accept client connections:” group policy to disabled on systems that don’t need to accept print jobs from other systems. Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare Information This policy setting controls whether the Print Spooler service will accept client connections. I have tested setting this with "Administrative Templates" and "Settings Catalog" (not at the same time). Sep 28, 2025 · Ensure ‘Allow Print Spooler to accept client connections’ is set to Disabled. Jul 4, 2021 · Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. Restrict “Point and Print” on member servers and clients that require the ability to print as per the instructions in the Microsoft knowledge base article. Mar 28, 2025 · 2: Navigate to: Computer Configuration > Administrative Templates > Printers Ensure "Allow Print Spooler to accept client connections" is enabled After trying above steps, please reach out to me if you have any doubts or issues Help others by sharing your experience! Click “Yes” if this solution worked for you or “No” if it didn’t. Restart the computer for the "Spool" service to see and take into account the changes However, the Print Spooler service will not accept client connections or allow users to share printers. Hi. When the policy is unconfigured or enabled the spooler will always accept client connections. The Print Spooler service must be restarted for changes to this policy to take effect. I've got the GPO part about disabling remote inbound printing (for anyone else Computer Configuration > Policies > Administrative Templates > Printers > Allow Print Spooler to accept client connections - Disable). There are no local print policies applied in the server, even though I also tried enabling "Allow Print Spooler to accept client connections" as a local policy, to no avail. Jul 12, 2021 · The United States Cybersecurity & Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and Microsoft have issued an urgent security warning about a flaw in the Windows Print Spooler service, known as PrintNightmare. admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 0. Aug 17, 2021 · I also tried to revert the configurations using: * “Allow Print Spooler to accept client connections” policy * HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint. How do you restart the printer spooler one time via group policy? Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. Jul 10, 2024 · When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. Jul 6, 2021 · Sets the registry value for "Allow Print Spooler to accept client connections" group policy and restarts the spooler service. ” Click “OK” and restart the Print Spooler service (Services. When the policy is disabled the spooler will not accept client connections nor allow users to share printers. This does not break on Windows 10 as this functionality (accepting client connections) isn't required anywhere but a print server, and disabling it on workstations is considered a good security Aug 27, 2021 · New Print vulnerability arrives on Windows. Description This policy setting controls whether the Print Spooler service will accept client connections. Jul 5, 2021 · Computer Configuration\Administrative Templates\Printers\Allow Print Spooler to accept client connections - Setting: Disabled On systems that don't have to function as a print server. Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections Note: This Group Policy path is provided by the Group Policy template Printing2. Unfortunately, this broke the Print Management tool that we used to remotely manage our printers and drivers on our print server. msc). This policy setting controls whether the Print Spooler service accepts client connections. hvsjl nsmei iaqqal mghjcnx nyig pamg oiquevv kxvzm sukxc fkb lhull fbaeicam phhytx tzfvgv ptljv