Windows Print Spooler Hardening Guide: How to Mitigate PrintNightmare and Eliminate Print Spooler Attack Surface

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Print Spooler has been exploited repeatedly across a decade of Windows vulnerabilities. PrintNightmare was not an isolated bug -- it was the latest in a line of spooler vulnerabilities going back to MS10-061 and continuing with CVE-2022-21999, CVE-2022-30206, and others. Treating the print spooler as a permanent attack surface (because vulnerabilities keep recurring) rather than a solved problem (because you patched one CVE) leads to a more defensible posture: disable the service everywhere that printing is not functionally required, and restrict driver installation capabilities everywhere it must run.
Disable the Print Spooler on Domain Controllers and Non-Print Servers
DCs running the Print Spooler are exposed to PrinterBug coercion and historical spooler RCE vulnerabilities. There is no business reason for a DC to run the print spooler.
Disable via Group Policy (apply to Domain Controllers OU):
Computer Configuration > Windows Settings > Security Settings > System Services
- Print Spooler: Disabled
Disable via PowerShell (immediate + persistent):
# Stop and disable immediately
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Verify
Get-Service -Name Spooler | Select-Object Name, Status, StartType
# Expected: Stopped, Disabled
Discover all machines with the spooler running across the domain:
# Query all domain computers for spooler status (requires WinRM or WMI access)
$computers = Get-ADComputer -Filter * -Properties Name | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
try {
$svc = Get-Service -ComputerName $computer -Name Spooler -ErrorAction Stop
if ($svc.Status -eq 'Running') {
Write-Output "$computer - Spooler RUNNING"
}
} catch {
Write-Output "$computer - UNREACHABLE"
}
}
Machines where the spooler is likely needed:
- Dedicated print servers
- Workstations where users print locally (USB or network printer)
- Jump servers where users print from their sessions
Machines where the spooler can be disabled:
- All domain controllers (no exception)
- All servers that are not print servers
- Servers hosting web applications, databases, or infrastructure services
Configure Point and Print Restrictions to Block Driver Exploitation
For machines where the spooler must remain running (print servers, workstations), restrict the driver installation behavior that PrintNightmare exploited:
Group Policy path:
Computer Configuration > Administrative Templates > Printers
Setting: Point and Print Restrictions
- Enable this policy
- Users can only point and print to these servers: Enabled
- Enter the FQDN of your authorized print servers (e.g.,
printserver.domain.com)
- Enter the FQDN of your authorized print servers (e.g.,
- When installing drivers for a new connection: Show warning and elevation prompt
- When updating drivers for an existing connection: Show warning and elevation prompt
Setting: Limits print driver installation to Administrators
- Enabled (this is the key mitigation for PrintNightmare -- non-admin users cannot install printer drivers)
Verify the registry values this policy sets:
# Check Point and Print configuration
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' |
Select-Object Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall, UpdatePromptSettings
# NoWarningNoElevationOnInstall should be 0 (require elevation)
# UpdatePromptSettings should be 2 (show warning and elevation prompt)
Critical post-patch check (August 2021 patch behavior change):
Microsoft's August 2021 patch for PrintNightmare changed the behavior: even with the Point and Print GPO set, driver installation now requires admin elevation by default. However, if your GPO explicitly sets NoWarningNoElevationOnInstall = 1 ("do not prompt"), it overrides the patch protection. Verify your existing GPO does not have this insecure setting.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detect Print Spooler Exploitation Attempts
Detect PrinterBug coercion attempts (authentication coercion from DCs):
# If you have disabled the spooler on DCs:
# Any application trying to use MS-RPRN on the DC will fail
# Monitor Windows Firewall or network logs for inbound connections to port 445
# originating from DCs going to unexpected destinations -- sign of a coercion attempt
# that triggered before the spooler was disabled
Detect PrintNightmare exploitation (driver installation abuse):
# Event ID 316 in Microsoft-Windows-PrintService/Admin:
# 'The print spooler failed to load a plug-in module [path]'
# This fires when an exploit attempt loads a malicious DLL as a printer driver
# Event ID 808 in Microsoft-Windows-PrintService/Admin:
# 'The print spooler failed to share printer [name] with shared resource name [name]
# Event ID 4656/4663 (Object Access audit) for:
# C:\Windows\System32\spool\drivers\ write access from unexpected accounts
# PowerShell-based detection:
Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' |
Where-Object { $_.Id -in @(316, 808) } |
Select-Object TimeCreated, Id, Message
Monitor for new driver installations on print servers:
# Event ID 4657 (Registry value modified) for:
# HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments
# New driver entries here indicate a driver installation event
# Baseline the legitimate drivers and alert on additions
The bottom line
Print Spooler hardening is a three-step process: disable the service on all DCs and non-print servers (eliminates PrinterBug and spooler RCE exposure on your most critical machines), configure Point and Print restrictions to require admin elevation for driver installation on machines that must run the spooler, and monitor Event ID 316 in the PrintService/Admin log for exploitation attempts. The spooler will keep receiving vulnerabilities -- treat it as a permanently hostile service and minimize its footprint accordingly.
Frequently asked questions
Is patching CVE-2021-34527 enough, or do I still need to disable the spooler?
Patching is necessary but not sufficient. Microsoft released multiple patches for PrintNightmare variants across July and August 2021, but subsequent print spooler CVEs (CVE-2022-21999 in February 2022, CVE-2022-30206 in July 2022, and others) showed that the print spooler RPC attack surface continues to produce exploitable vulnerabilities. Patching addresses specific CVEs; disabling the service on machines that do not need it eliminates the entire attack surface class. For DCs specifically, there is no legitimate reason to run the print spooler, and it should be disabled regardless of patch status.
Will disabling the Print Spooler on DCs break anything?
Rarely. Domain controllers do not process print jobs or host shared printers in typical enterprise environments. The Print Spooler on a DC is a remnant of legacy Windows behavior -- it was enabled by default, not because DCs need printing. The only scenario where it might matter: if you have a legacy application server that uses RPC to communicate with the DC print services, or if you have configured printer objects in AD that are managed from the DC directly. Both are uncommon. Check your DCs for any scheduled tasks or startup scripts that reference the spooler or printer management before disabling.
Does the Point and Print restriction break user printing in normal operations?
Slightly. Users connecting to a new print server for the first time will see an elevation prompt for the driver installation, rather than it happening silently. This is a one-time friction per print server, not a recurring interruption. If users are only connecting to print servers listed in the TrustedServers policy, the warning is reduced (though elevation is still required for driver installation per the post-August 2021 patch behavior). The operational impact is minor and predictable. Document the approved print servers in your GPO before enforcing the restriction.
What is the difference between CVE-2021-34527 (PrintNightmare) and CVE-2021-1675?
CVE-2021-1675 was originally disclosed in June 2021 as a low-severity local privilege escalation in the print spooler. Researchers discovered that the same attack technique (abusing the AddPrinterDriver RPC call) could also be used for remote code execution, and published a proof-of-concept before Microsoft had released an updated patch. Microsoft then re-rated CVE-2021-1675 to critical and simultaneously disclosed CVE-2021-34527 as a distinct but related RCE vulnerability in the same component. Both were addressed by the July 2021 patch series. In practice, they refer to the same class of print spooler driver installation abuse, and mitigations for one address the other.
Should I disable the Print Spooler on all servers, not just domain controllers?
Disable it on any server that is not a dedicated print server. Domain controllers are the highest priority because the print spooler enables both PrintNightmare exploitation and NTLM relay coercion from the DC -- a compromised DC is a full AD compromise. For member servers: database servers, application servers, and file servers rarely need print spooler services and disabling it reduces their attack surface. The only servers that need the print spooler are designated print servers. Check for the service using `Get-Service -Name Spooler | Select-Object Status, StartType` on each server, and use a GPO or Intune policy to set StartupType to Disabled for the Spooler service on all non-print servers.
What is Windows Point and Print and why is it a security risk even after PrintNightmare patches?
Point and Print is a Windows feature that allows users to connect to a print server and automatically download and install the necessary print drivers from that server. The security risk: installing a printer driver requires elevated privileges, and Point and Print historically allowed standard users to trigger driver installation from any print server. The PrintNightmare patches (KB5005010 and subsequent updates) changed the default behavior to require administrator approval for driver installation from non-enterprise print servers, but the mitigations require specific registry settings and are frequently misconfigured. Check your Point and Print configuration: `HKLMSOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint` should have RestrictDriverInstallationToAdministrators = 1 (require admin privileges for all driver installations) and NoWarningNoElevationOnInstall = 0 (prompt for elevation). Organizations that set NoWarningNoElevationOnInstall = 1 to avoid print disruptions have effectively re-enabled the PrintNightmare vulnerability class.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
