[German]Quick note for administrators in enterprise environments. If you experience print and scan errors on your networks over the next few days, this may be related to changes in smartcard authentication that Microsoft made in July 2022.
Advertising
Patchday issue from July 2021
In the July 2021 blog post Windows 10: July 2021 update may cause printing issues with SmartCard authentication, I had reported on a patchday issue. The security updates for Windows 10 released on July 13, 2021 for the regular patchday (see Patchday: Windows 10 Updates (July 13, 2021)) can cause printing problems in certain scenarios. Printing and scanning may fail if these devices use smart card authentication (PIV).
In the support article for the cumulative update KB5004237 for Windows 10 version 2004/20H2/21H1, Microsoft has since added the following entry in the known bugs section:
After installing the updates released on July 13, 2021, for DCs (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with Section 3.2.1 of the RFC 4556 specification may not print when using smart card authentication (PIV).
Microsoft has published support article KB5005408 (Smartcard authentication may cause print and scan errors) with more details about this. The background for the printing and scanning problems if devices use smartcard authentication (PIV) is that Microsoft has hardened the affected parts of Windows with respect to the vulnerability CVE-2021-33764.
July 2022 update causes print and scan failures
The Windows Message Center has an entry Hardening changes coming 07/2022: Smart card authentication might cause print and scan failures dated July 13, 2022. On July 13, 2021, Microsoft released hardening changes for the Windows Key Distribution Center Information Disclosure vulnerability CVE-2021-33764. With these changes, smart card authentication (PIV) can cause print and scan failures when you install updates released on July 13, 2021, or later versions on a domain controller (DC).
The affected devices are printers, scanners, and multifunction devices with smart card authentication that either do not support Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication or do not advertise support for des-ede3-cbc ("triple DES") during Kerberos AS requests.
Advertising
For organizations that experienced issues with the fix for CVE-2021-33764, a temporary mitigation was provided via Windows Update between July 29, 2021 and July 12, 2022. However, starting July 2022, this temporary mitigation will no longer be available for use in security updates. The July 2022 Windows Preview Update will remove the temporary mitigation and require compliant printing and scanning devices.
Beginning July 19, 2022, there will no longer be a fall-back option in subsequent updates, and all non-compliant devices will need to be identified and updated using the scan events beginning in January 2022. For more information, see KB5005408: Smart card authentication may cause print and scan errors. (via)
