The Windows 10 security updates released on July 13, 2021 for the regular patchday (see Patchday: Windows 10 Updates (July 13, 2021)) may cause printing issues in certain scenarios. Printing and scanning can fail on devices that use smart card (PIV) authentication. Microsoft has since confirmed this bug and published a separate support post about it.
In the support post for cumulative update KB5004237 for Windows 10 version 2004/20H2/21H1, Microsoft has since added the following entry in the section on known bugs:
After installing the updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with Section 3.2.1 of the RFC 4556 specification may not print when using smart card authentication (PIV).
There is also a corresponding entry on the Windows 10 health page, where Microsoft lists the following platforms as affected:
- Client: Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
- Server: Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Microsoft has published support article KB5005408 (Smartcard authentication can cause print and scan errors) with further details. The background to these printing and scanning issues on devices that use smart card authentication (PIV) is that Microsoft has hardened the affected parts of Windows against vulnerability CVE-2021-33764. The vulnerability concerns a component that uses a weak encryption algorithm or cipher. Traffic sent over a network by the vulnerable component could be decrypted and reveal information about a user’s or service’s active session.
The print and scan issues can occur after the July 2021 updates (or later updates) are installed on a domain controller (DC). Affected devices are printers, scanners, and multifunction devices with smart card authentication that neither support Diffie-Hellman (DH) key exchange nor announce support for des-ede3-cbc (“triple DES”) during the Kerberos AS request.
Per Section 3.2.1 of the RFC 4556 specification, the client must both support and announce support for des-ede3-cbc (“triple DES”) to the Key Distribution Center (KDC) for this key exchange to work. Clients that initiate Kerberos PKINIT with encryption mode key exchange but neither support nor notify the KDC that they support des-ede3-cbc (“triple DES”) will be rejected. For printer and scanner client devices to be compliant, they must either:
- Use Diffie-Hellman for key exchange during PKINIT Kerberos authentication (preferred).
- Both support and report to the KDC their support for des-ede3-cbc (“triple DES”).
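The rule above can be checked against a device's AS request. The following Python sketch is an added example, not code from Microsoft or from the original post: it classifies an RFC 4556 AuthPack by looking for the clientPublicValue field (Diffie-Hellman) or the des-ede3-cbc OID in supportedCMSTypes. It assumes the AuthPack has already been extracted from the signed PA-PK-AS-REQ data; the function names and the sample byte strings are constructed for illustration, and the check can only show what a device announces, not what it actually supports.

```python
# Added example (not from the original page): classify a PKINIT AuthPack
# (RFC 4556) by the compliance rule above. Sample inputs are constructed.
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")   # OID 1.2.840.113549.3.7
AES128_CBC = bytes.fromhex("608648016503040102")   # OID 2.16.840.1.101.3.4.1.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def classify_authpack(der):
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AuthPack must be a SEQUENCE")
    fields = dict(children(body))                   # keyed by context tag
    if 0xA1 in fields:                              # [1] clientPublicValue
        return "compliant: Diffie-Hellman key exchange"
    if 0xA2 in fields:                              # [2] supportedCMSTypes
        _, algs, _ = read_tlv(fields[0xA2])         # SEQUENCE OF AlgorithmIdentifier
        for _, alg in children(algs):
            t, oid, _ = read_tlv(alg)               # first field: algorithm OID
            if t == 0x06 and oid == DES_EDE3_CBC:
                return "compliant: announces des-ede3-cbc"
    return "non-compliant: no DH, des-ede3-cbc not announced"

def tlv(tag, body=b""):
    """Encode one short-form DER element (constructed test data only)."""
    return bytes([tag, len(body)]) + body

PK_AUTH = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01"))))  # stub [0] pkAuthenticator
ALG = lambda oid: tlv(0x30, tlv(0x06, oid))
SAMPLES = {
    "dh": tlv(0x30, PK_AUTH + tlv(0xA1, tlv(0x30))),            # stub public value
    "rsa_3des": tlv(0x30, PK_AUTH + tlv(0xA2, tlv(0x30, ALG(AES128_CBC) + ALG(DES_EDE3_CBC)))),
    "rsa_aes_only": tlv(0x30, PK_AUTH + tlv(0xA2, tlv(0x30, ALG(AES128_CBC)))),
    "rsa_nothing": tlv(0x30, PK_AUTH),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:13} {classify_authpack(der)}")
```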
If the problem occurs with print or scan devices, verify that the latest firmware and drivers are installed for the device. If necessary, check with the device manufacturer for updates.
Microsoft is working on a temporary mitigation and plans to provide an update in the near future. This temporary fix should allow printing and scanning on the affected devices. This will buy device manufacturers time to release compliant firmware and drivers for their devices. It should also give time to update settings, firmware and drivers in your environment to make them compliant.